Dans un message du 11 nov à 23:41, Nicolas Mailhot écrivait :
> I'm afraid I've just run in an embarassing iptables « bug » on
> 2.4.13-ac7. When I tell iptables to drop unclean packets with ecn on I
> can no longuer connect to ftp.kernel.org, and get a lot of ipt_unclean:
> TCP reserved bits not zero in the logs. Shouldn't iptables be made
> ecn-aware ?
It is a known bug. Upgrade to 2.4.14+ and apply this patch will fix
fix the problem (and another ipt_unclean glitch)
diff -uNr linux-2.4.14-pre8/net/ipv4/netfilter/ipt_unclean.c linux-tcprb-fixed/net/ipv4/netfilter/ipt_unclean.c
--- linux-2.4.14-pre8/net/ipv4/netfilter/ipt_unclean.c Wed Oct 31 14:38:23 2001
+++ linux-tcprb-fixed/net/ipv4/netfilter/ipt_unclean.c Sun Nov 4 08:30:58 2001
@@ -257,6 +257,8 @@
#define TH_PUSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
+#define TH_ECE 0x40
+#define TH_CWR 0x80
/* TCP-specific checks. */
static int
@@ -328,9 +330,10 @@
}
/* CHECK: TCP flags. */
- tcpflags = ((u_int8_t *)tcph)[13];
+ tcpflags = (((u_int8_t *)tcph)[13] & ~(TH_ECE|TH_CWR));
if (tcpflags != TH_SYN
&& tcpflags != (TH_SYN|TH_ACK)
+ && tcpflags != TH_RST
&& tcpflags != (TH_RST|TH_ACK)
&& tcpflags != (TH_RST|TH_ACK|TH_PUSH)
&& tcpflags != (TH_FIN|TH_ACK)
I hope the netfilter core team will merge it soon.
Regards,
-- Guillaume Morin <guillaume@morinfr.org>Sometimes I find I need to scream (RHCP) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Nov 15 2001 - 21:00:27 EST