On Mon, Jun 20, 2016 at 09:26:28PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> In iptables, if the user adds a rule to send a TCP RST and specifies a
> non-TCP protocol, such as UDP, the kernel will reject this request. But
> in nftables, this validity check only
On Tue, Jun 21, 2016 at 04:03:01PM -0300, Marcelo Ricardo Leitner wrote:
> On Tue, Jun 21, 2016 at 09:35:55AM +0800, Liping Zhang wrote:
> > For example, when tcp->rst is set, reject_ip6 will call
> > pr_debug("RST is set\n"), while there's nothing in reject_ip4.
> >
> > IMO, these debug
On Tue, Jun 21, 2016 at 09:35:55AM +0800, Liping Zhang wrote:
> Hi Marcelo,
>
> 2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner:
> >
> > A different check/log is made for ip6:
> > nf_reject_ip6_tcphdr_get():
> > /* IP header checks: fragment, too short.
Hi Marcelo,
2016-06-20 23:48 GMT+08:00 Marcelo Ricardo Leitner:
>
> A different check/log is made for ip6:
> nf_reject_ip6_tcphdr_get():
> /* IP header checks: fragment, too short. */
> if (proto != IPPROTO_TCP || *otcplen < sizeof(struct tcphdr)) {
>
From: Liping Zhang
In iptables, if the user adds a rule to send a TCP RST and specifies a
non-TCP protocol, such as UDP, the kernel will reject this request. But
in nftables, this validity check only occurs in the nft tool, i.e. only
in userspace.
This means that the user can add
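The two checks this thread talks about, the rule-level "tcp reset on a non-TCP rule" validation from the patch mail and the packet-level guard quoted from nf_reject_ip6_tcphdr_get() (protocol must be TCP and enough bytes must remain for a TCP header), as an added example in C. This is not kernel code and not code from any message in the thread: the constants, struct-free offset parsing, the sample packets and the treatment of a rule with no layer-4 protocol match are assumptions made here so the file builds and runs stand-alone; IPv6 extension headers are not walked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copies of the numbers used below (not the kernel's headers). */
#define PROTO_TCP  6
#define PROTO_UDP  17
#define TCPHDR_MIN 20

enum reject_check {
    REJECT_OK = 0,    /* full TCP header present: an RST can be built from it */
    REJECT_BAD_IP,    /* truncated IP header, non-first fragment, unknown version */
    REJECT_NOT_TCP,   /* transport protocol is not TCP */
    REJECT_TOO_SHORT  /* TCP, but fewer than TCPHDR_MIN bytes follow the IP header */
};

/* Rule-level check mirroring the iptables behaviour described in the patch mail:
 * a "tcp reset" reject only makes sense on a rule whose layer-4 protocol is TCP.
 * l4proto < 0 means the rule does not match on a protocol at all; accepting that
 * case is an assumption of this example, not a statement about nftables. */
int reject_rule_valid(int type_is_tcp_rst, int l4proto)
{
    if (!type_is_tcp_rst)
        return 1;
    return l4proto < 0 || l4proto == PROTO_TCP;
}

/* Packet-level guard modelled on the check quoted from nf_reject_ip6_tcphdr_get():
 * report the TCP header offset only when the transport protocol is TCP and at
 * least one TCP header's worth of bytes remains. Accepts raw IPv4 or IPv6 bytes. */
enum reject_check tcphdr_get(const uint8_t *pkt, size_t len, size_t *tcp_off)
{
    uint8_t proto;
    size_t off;

    if (len < 1)
        return REJECT_BAD_IP;
    switch (pkt[0] >> 4) {
    case 4:
        if (len < 20)
            return REJECT_BAD_IP;
        off = (size_t)(pkt[0] & 0x0f) * 4;            /* IHL in 32-bit words */
        if (off < 20 || off > len)
            return REJECT_BAD_IP;
        if (((pkt[6] << 8) | pkt[7]) & 0x1fff)        /* non-first fragment */
            return REJECT_BAD_IP;
        proto = pkt[9];
        break;
    case 6:
        if (len < 40)
            return REJECT_BAD_IP;
        proto = pkt[6];                               /* Next Header */
        off = 40;
        break;
    default:
        return REJECT_BAD_IP;
    }
    if (proto != PROTO_TCP)
        return REJECT_NOT_TCP;
    if (len - off < TCPHDR_MIN)
        return REJECT_TOO_SHORT;
    *tcp_off = off;
    return REJECT_OK;
}

/* Constructed sample packets (built here, not captured traffic): a minimal IP
 * header followed by payload_len zero bytes standing in for the transport header. */
static size_t build_ipv4(uint8_t *buf, uint8_t proto, size_t payload_len)
{
    size_t tot = 20 + payload_len;
    memset(buf, 0, tot);
    buf[0] = 0x45;                       /* version 4, IHL 5 */
    buf[2] = (uint8_t)(tot >> 8);
    buf[3] = (uint8_t)(tot & 0xff);
    buf[8] = 64;                         /* TTL */
    buf[9] = proto;
    return tot;
}

static size_t build_ipv6(uint8_t *buf, uint8_t next_header, size_t payload_len)
{
    memset(buf, 0, 40 + payload_len);
    buf[0] = 0x60;                       /* version 6 */
    buf[4] = (uint8_t)(payload_len >> 8);
    buf[5] = (uint8_t)(payload_len & 0xff);
    buf[6] = next_header;
    buf[7] = 64;                         /* hop limit */
    return 40 + payload_len;
}

enum reject_check classify_ipv4(uint8_t proto, size_t payload_len)
{
    uint8_t buf[128];
    size_t off = 0;
    return tcphdr_get(buf, build_ipv4(buf, proto, payload_len), &off);
}

enum reject_check classify_ipv6(uint8_t next_header, size_t payload_len)
{
    uint8_t buf[128];
    size_t off = 0;
    return tcphdr_get(buf, build_ipv6(buf, next_header, payload_len), &off);
}

int main(void)
{
    static const char *names[] = { "ok", "bad-ip", "not-tcp", "too-short" };
    printf("rule tcp-reset + udp : %s\n", reject_rule_valid(1, PROTO_UDP) ? "accepted" : "rejected");
    printf("ipv4 tcp, 20 bytes   : %s\n", names[classify_ipv4(PROTO_TCP, 20)]);
    printf("ipv4 udp, 8 bytes    : %s\n", names[classify_ipv4(PROTO_UDP, 8)]);
    printf("ipv4 tcp, 10 bytes   : %s\n", names[classify_ipv4(PROTO_TCP, 10)]);
    printf("ipv6 tcp, 20 bytes   : %s\n", names[classify_ipv6(PROTO_TCP, 20)]);
    return 0;
}
```

The point of running the packet-level guard on both families is the one Marcelo raises: whatever the rule-level check decides, the code that builds the RST still has to refuse a non-TCP or truncated packet itself, since the rule check alone cannot guarantee what arrives at that point.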