
List:       ipfilter
Subject:    Re: Checking for cleared TCP flags
From:       Darren Reed <avalon () coombs ! anu ! edu ! au>
Date:       1996-06-26 11:47:43

In some mail from David Mazieres, sie said:
> 
> Is there a way to match clear TCP flags?  For instance, supposing I
> wanted to do something like this:
> 
> pass in quick proto tcp from any to any flags /SA
> 
> to pass all packets with neither a Syn nor an Ack flag.  Ipf accepts
> this just fine, but when I run "ipfstat -i" the rule comes out without
> the "/SA".

This should be considered a bug in how the rule is printed out, then.
See below for a patch to fix this.

> Next question:  Are there any Reset or Fin packets which don't have
> the Ack bit set, or can I assume any packets other than "S/SA" packets
> will have the Ack bit set?  Either way, though, it still would be nice
> to have a "/SA" syntax for other things.

You can have FIN and RST packets without an ACK bit set, but this is not
very common as they're usually generated in acknowledgement to a packet
that has been received already and are thus (FIN|RST)-ACKs.

Darren

Index: parse.c
===================================================================
RCS file: IP-Filter/parse.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 parse.c
*** 1.1.1.1     1996/06/23 07:27:14
--- parse.c     1996/06/26 11:47:40
***************
*** 1190,1196 ****
		if (code)
			(void)printf(" code %d", code);
	}
!       if (fp->fr_proto == IPPROTO_TCP && fp->fr_tcpf) {
		(void)printf(" flags ");
		for (s = flagset, t = flags; *s; s++, t++)
			if (fp->fr_tcpf & *t)
--- 1190,1196 ----
		if (code)
			(void)printf(" code %d", code);
	}
!       if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
		(void)printf(" flags ");
		for (s = flagset, t = flags; *s; s++, t++)
			if (fp->fr_tcpf & *t)
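
Review bot: in the new test `fp->fr_tcpf || fp->fr_tcpfm` at line 1193, a rule with fr_tcpf equal to zero and only fr_tcpfm set now prints " flags ", but the loop shown still walks fr_tcpf only, so within this hunk nothing follows the keyword for a rule such as "flags /SA". The code that prints the mask is outside the visible context; it should emit "/" and the mask letters whenever fr_tcpfm is non-zero, not only when fr_tcpf is, so that "ipfstat -i" output can be fed back to ipf and produce the same rule. A one-line comment on the condition noting that a zero flag value with a non-zero mask is a valid match would also help the next reader.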
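
The "flags value/mask" matching discussed in this message, as an added example that is not part of the original mail or of IP-Filter's source. It assumes the usual value/mask comparison (packet flags AND mask must equal value); parse_bits, parse_flags and spec_matches are hypothetical names, the packets are constructed samples, and treating a spec without "/mask" as "compare all six flags" is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

/* TCP header flag bits, in the order F S R P A U. */
static const char flagset[] = "FSRPAU";
static const int flagbits[] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20 };

/* Hypothetical helper: convert n flag letters to a bit set, -1 on a bad letter. */
static int parse_bits(const char *s, size_t n)
{
	int bits = 0;
	for (size_t i = 0; i < n; i++) {
		const char *p = strchr(flagset, s[i]);
		if (p == NULL || s[i] == '\0')
			return -1;
		bits |= flagbits[p - flagset];
	}
	return bits;
}

/* Parse "value/mask", e.g. "S/SA" or "/SA". Assumption of this example:
 * a spec with no "/mask" part compares all six flags. */
int parse_flags(const char *spec, int *value, int *mask)
{
	const char *slash = strchr(spec, '/');
	size_t vlen = slash ? (size_t)(slash - spec) : strlen(spec);

	*value = parse_bits(spec, vlen);
	*mask = slash ? parse_bits(slash + 1, strlen(slash + 1)) : 0x3f;
	return (*value < 0 || *mask < 0) ? -1 : 0;
}

/* 1 if the flags selected by the mask equal the value, 0 if not, -1 on a bad spec. */
int spec_matches(const char *spec, int th_flags)
{
	int value, mask;
	if (parse_flags(spec, &value, &mask) != 0)
		return -1;
	return (th_flags & mask) == value;
}

int main(void)
{
	/* Constructed sample packets: name and TCP flags byte. */
	static const struct { const char *name; int fl; } pkts[] = {
		{ "SYN", 0x02 }, { "SYN-ACK", 0x12 }, { "ACK", 0x10 },
		{ "FIN-ACK", 0x11 }, { "RST-ACK", 0x14 }, { "bare RST", 0x04 },
		{ "bare FIN", 0x01 }, { "no flags", 0x00 },
	};
	for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
		printf("%-9s /SA:%d S/SA:%d\n", pkts[i].name,
		       spec_matches("/SA", pkts[i].fl), spec_matches("S/SA", pkts[i].fl));
	return 0;
}
```

Under this comparison "/SA" matches only packets with both SYN and ACK clear, which includes the uncommon bare FIN and bare RST packets mentioned above, so a "pass" rule with "/SA" lets those through.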

