2001-11-11 22:41:53

by Nicolas Mailhot

Subject: Iptables & ECN

Hi,

[ Please CC me any replies as I'm not on the list ]

I'm afraid I've just run into an embarrassing iptables "bug" on
2.4.13-ac7. When I tell iptables to drop unclean packets with ECN on I
can no longer connect to ftp.kernel.org, and get a lot of ipt_unclean:
TCP reserved bits not zero in the logs. Shouldn't iptables be made
ECN-aware? (especially given all the red-inked comments on ECN in the
FAQ)

Regards,

--
Nicolas


2001-11-11 22:51:04

by Guillaume Morin

Subject: Re: Iptables & ECN

In a message of 11 Nov at 23:41, Nicolas Mailhot wrote:
> I'm afraid I've just run into an embarrassing iptables "bug" on
> 2.4.13-ac7. When I tell iptables to drop unclean packets with ECN on I
> can no longer connect to ftp.kernel.org, and get a lot of ipt_unclean:
> TCP reserved bits not zero in the logs. Shouldn't iptables be made
> ECN-aware?

It is a known bug. Upgrading to 2.4.14+ and applying this patch will
fix the problem (and another ipt_unclean glitch):

diff -uNr linux-2.4.14-pre8/net/ipv4/netfilter/ipt_unclean.c linux-tcprb-fixed/net/ipv4/netfilter/ipt_unclean.c
--- linux-2.4.14-pre8/net/ipv4/netfilter/ipt_unclean.c Wed Oct 31 14:38:23 2001
+++ linux-tcprb-fixed/net/ipv4/netfilter/ipt_unclean.c Sun Nov 4 08:30:58 2001
@@ -257,6 +257,8 @@
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
+#define TH_ECE 0x40
+#define TH_CWR 0x80

/* TCP-specific checks. */
static int
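Review bot: TH_ECE and TH_CWR are added without a comment saying where they come from; the other TH_* defines in this block have none either, but these two are the ones a reader will question, so a one-line `/* ECN flags, RFC 3168 */` next to `+#define TH_ECE 0x40` and `+#define TH_CWR 0x80` would help, since the second hunk relies on them being exactly the two high bits of the flags byte.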
@@ -328,9 +330,10 @@
}

/* CHECK: TCP flags. */
- tcpflags = ((u_int8_t *)tcph)[13];
+ tcpflags = (((u_int8_t *)tcph)[13] & ~(TH_ECE|TH_CWR));
if (tcpflags != TH_SYN
&& tcpflags != (TH_SYN|TH_ACK)
+ && tcpflags != TH_RST
&& tcpflags != (TH_RST|TH_ACK)
&& tcpflags != (TH_RST|TH_ACK|TH_PUSH)
&& tcpflags != (TH_FIN|TH_ACK)
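Review bot: the new mask only affects this flag-combination test; the `TCP reserved bits not zero` message from the original report comes from a check that is not in this hunk, so please confirm that check has also been changed to stop treating ECE/CWR as reserved bits (or that it never looked at these two bits), otherwise ECN SYNs will still be logged as unclean. Two smaller points: accepting a bare `TH_RST` is a separate fix that the reply only calls "another ipt_unclean glitch" and deserves a line of its own in the changelog, and the outer parentheses in `tcpflags = (((u_int8_t *)tcph)[13] & ~(TH_ECE|TH_CWR));` are redundant.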


I hope the netfilter core team will merge it soon.

Regards,

--
Guillaume Morin <[email protected]>

Sometimes I find I need to scream (RHCP)
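To see what the hunk changes in practice, here is an added C example written for this page (it is not code from the netfilter tree or from Guillaume's patch) that applies the flag-combination check to a constructed 20-byte TCP header both before and after the patch. The whitelist entries are the six combinations visible in the hunk; the `TH_ACK` and `TH_ACK|TH_PUSH` entries, the function names, and the sample header contents are assumptions made for the example, and the real kernel list is longer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits in byte 13 of the header: the six RFC 793 flags and the
 * two ECN flags (ECE, CWR) that RFC 3168 placed in the formerly reserved
 * high bits. Same values as the ipt_unclean defines in the patch. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* Whitelist of flag combinations. The first five entries are the ones
 * visible in the hunk; TH_ACK and TH_ACK|TH_PUSH are assumed here so that
 * ordinary data segments pass (the real kernel list is longer).
 * accept_bare_rst models the second change in the hunk (plain RST). */
static int flags_whitelisted(uint8_t f, int accept_bare_rst)
{
    if (f == TH_RST)
        return accept_bare_rst;
    return f == TH_SYN
        || f == (TH_SYN | TH_ACK)
        || f == (TH_RST | TH_ACK)
        || f == (TH_RST | TH_ACK | TH_PUSH)
        || f == (TH_FIN | TH_ACK)
        || f == TH_ACK                 /* assumed, not in the hunk */
        || f == (TH_ACK | TH_PUSH);    /* assumed, not in the hunk */
}

/* Pre-patch behaviour: the raw flags byte, ECN bits included, must match
 * the whitelist exactly. Returns 1 if the match would call it unclean. */
int tcp_flags_unclean_before(const uint8_t *tcph)
{
    uint8_t tcpflags = tcph[13];
    return !flags_whitelisted(tcpflags, 0);
}

/* Post-patch behaviour: ECE and CWR are masked out before the comparison
 * and a bare RST is accepted. Returns 1 if still considered unclean. */
int tcp_flags_unclean_after(const uint8_t *tcph)
{
    uint8_t tcpflags = tcph[13] & (uint8_t)~(TH_ECE | TH_CWR);
    return !flags_whitelisted(tcpflags, 1);
}

/* Build a minimal 20-byte TCP header (constructed sample, no options):
 * arbitrary ports and window, data offset 5 words, the given flags. */
void make_tcp_header(uint8_t out[20], uint8_t flags)
{
    memset(out, 0, 20);
    out[0] = 0x04; out[1] = 0xd2;   /* source port 1234 */
    out[2] = 0x00; out[3] = 0x15;   /* destination port 21 (ftp) */
    out[12] = 0x50;                 /* data offset 5, reserved bits zero */
    out[13] = flags;
    out[14] = 0x16; out[15] = 0xd0; /* window 5840 */
}

int main(void)
{
    static const struct { const char *name; uint8_t flags; } samples[] = {
        { "SYN",         TH_SYN },
        { "SYN|ECE|CWR", TH_SYN | TH_ECE | TH_CWR }, /* ECN-setup SYN */
        { "SYN|ACK|ECE", TH_SYN | TH_ACK | TH_ECE }, /* ECN-setup SYN-ACK */
        { "ACK|ECE",     TH_ACK | TH_ECE },          /* ECN echo on data */
        { "RST",         TH_RST },
        { "SYN|FIN",     TH_SYN | TH_FIN },          /* bogus, stays unclean */
    };
    uint8_t hdr[20];
    printf("%-12s %-8s %-8s\n", "flags", "before", "after");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        make_tcp_header(hdr, samples[i].flags);
        printf("%-12s %-8s %-8s\n", samples[i].name,
               tcp_flags_unclean_before(hdr) ? "unclean" : "clean",
               tcp_flags_unclean_after(hdr) ? "unclean" : "clean");
    }
    return 0;
}
```

Running it prints one row per sample: the ECN-setup SYN, the ECN SYN-ACK, the ECE-marked data segment and the bare RST flip from unclean to clean, while SYN|FIN stays unclean under both versions, which is the behaviour the thread is after: ECN traffic is no longer dropped, and genuinely malformed flag combinations still are.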

2001-11-11 22:59:45

by Thomas Lussnig

Subject: Re: Iptables & ECN

> I'm afraid I've just run into an embarrassing iptables "bug" on
> 2.4.13-ac7. When I tell iptables to drop unclean packets with ECN on I
> can no longer connect to ftp.kernel.org, and get a lot of ipt_unclean:
> TCP reserved bits not zero in the logs. Shouldn't iptables be made
> ECN-aware? (especially given all the red-inked comments on ECN in the
> FAQ)
Yes,
this is an often discussed problem. And I think it should be fixed in the
actual CVS tree. But it's not too hard to fix it yourself. :-)

Cu Thomas



2001-11-11 23:09:25

by Guillaume Morin

Subject: Re: Iptables & ECN

In a message of 11 Nov at 22:58, Thomas Lussnig wrote:
> this is an often discussed problem. And I think it should be fixed in the
> actual CVS tree.

It is not (yet, I hope :-)

--
Guillaume Morin <[email protected]>

I'm unclean, a libertine, every time you vent your spleen, I seem to lose
the power of speech, you're slipping slowly from my reach, you grow me
like an evergreen, you've never seen me lonely at all. (Placebo)