ipt_unclean: TCP flags bad: 4

ipt_unclean: TCP flags bad: 4

[Alan J. Wylie]

I've just upgraded to 2.4.7, and I'm getting lots of errors:

ipt_unclean: TCP flags bad: 4

I only see them when my ppp link is up - pppd version 2.4.0

Looking at ipt_unclean.c it seems that this message will be generated
when I send a packet with flags set to RST only.

I've run a ppp session with the pppd option "record" turned on, and
analysed the output with "ethereal". This is indeed what is on the
wire. I'm no expert on TCP I'm afraid. The complete TCP stream
follows:

------------------------------------------------------------------------------
No. Time        Source                Destination           Protocol Info

129 12.800000   62.137.113.223        news.svr.pol.co.uk    TCP
    1148 > nntp [SYN] Seq=3684831495 Ack=0 Win=5840 Len=0

131 12.900000   news.svr.pol.co.uk    62.137.113.223        TCP
    nntp > 1148 [SYN, ACK] Seq=2607886663 Ack=3684831496 Win=32736 Len=0

137 13.300000   62.137.113.223        news.svr.pol.co.uk    TCP
    1148 > nntp [FIN, ACK] Seq=3684831502 Ack=2607887466 Win=7090 Len=0

142 13.400000   62.137.113.223        news.svr.pol.co.uk    TCP
    1148 > nntp [RST] Seq=3684831503 Ack=0 Win=0 Len=0
------------------------------------------------------------------------------

-- 
Alan J. Wylie                        http://www.glaramara.freeserve.co.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
  Antoine de Saint-Exupery

Re: ipt_unclean: TCP flags bad: 4

[Luigi Genoni]

There was a bug introduced with kernel 2.4.6, but it was
solved with one of the latest 2.4.7-pre patch, i do not remember which
one.

actually i was happily using tcp_unclean on my production servers, but
with 2.4.6 i was forced to avoid it.
I still have to try 2.4.7 to see if it works properly.

If you use a rule like

iptables -A INPUT -m unlean -j DROP

are you still able to connect in/out of your box?

bests
Luigi


On Sun, 22 Jul 2001, Alan J. Wylie wrote:

>
> I've just upgraded to 2.4.7, and I'm getting lots of errors:
>
> ipt_unclean: TCP flags bad: 4
>
> I only see them when my ppp link is up - pppd version 2.4.0
>
> Looking at ipt_unclean.c it seems that this message will be generated
> when I send a packet with flags set to RST only.
>
> I've run a ppp session with the pppd option "record" turned on, and
> analysed the output with "ethereal". This is indeed what is on the
> wire. I'm no expert on TCP I'm afraid. The complete TCP stream
> follows:
>
> ------------------------------------------------------------------------------
> No. Time        Source                Destination           Protocol Info
>
> 129 12.800000   62.137.113.223        news.svr.pol.co.uk    TCP
>     1148 > nntp [SYN] Seq=3684831495 Ack=0 Win=5840 Len=0
>
> 131 12.900000   news.svr.pol.co.uk    62.137.113.223        TCP
>     nntp > 1148 [SYN, ACK] Seq=2607886663 Ack=3684831496 Win=32736 Len=0
>
> 137 13.300000   62.137.113.223        news.svr.pol.co.uk    TCP
>     1148 > nntp [FIN, ACK] Seq=3684831502 Ack=2607887466 Win=7090 Len=0
>
> 142 13.400000   62.137.113.223        news.svr.pol.co.uk    TCP
>     1148 > nntp [RST] Seq=3684831503 Ack=0 Win=0 Len=0
> ------------------------------------------------------------------------------
>
> --
> Alan J. Wylie                        http://www.glaramara.freeserve.co.uk/
> "Perfection [in design] is achieved not when there is nothing left to add,
> but rather when there is nothing left to take away."
>   Antoine de Saint-Exupery
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: ipt_unclean: TCP flags bad: 4

[Alan J. Wylie]

On Sun, 22 Jul 2001 19:51:43 +0200 (CEST), Luigi Genoni <kernel@Expansa.sns.it> said:

> There was a bug introduced with kernel 2.4.6, but it was solved with
> one of the latest 2.4.7-pre patch, i do not remember which one.

> actually i was happily using tcp_unclean on my production servers,
> but with 2.4.6 i was forced to avoid it.  I still have to try 2.4.7
> to see if it works properly.

> If you use a rule like

> iptables -A INPUT -m unlean -j DROP
                       ^^^^^^
unclean, unclean <ding> ;-)

> are you still able to connect in/out of your box?

$MYIPTABLES --append INPUT   --match unclean --jump DROP

has been at the start of my rules for a long time. I wasn't seeing
any *serious* problems browsing the web, etc., but was getting a few
"unable to connect to host" pages. Some of them went away on refresh,
but some sites I just couldn't get to. On the other hand, that's
normal for the Internet.

-- 
Alan J. Wylie                        http://www.glaramara.freeserve.co.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
  Antoine de Saint-Exupery

Re: ipt_unclean: TCP flags bad: 4

[Luigi Genoni]

This is normale behaviour, if with 2.4.7 kernel
this rule acts this way, that means it does work.
are you telling me you see this behavious with kernel 2.4.7?

Luigi

On Sun, 22 Jul 2001, Alan J. Wylie wrote:

> On Sun, 22 Jul 2001 19:51:43 +0200 (CEST), Luigi Genoni <kernel@Expansa.sns.it> said:
>
> > There was a bug introduced with kernel 2.4.6, but it was solved with
> > one of the latest 2.4.7-pre patch, i do not remember which one.
>
> > actually i was happily using tcp_unclean on my production servers,
> > but with 2.4.6 i was forced to avoid it.  I still have to try 2.4.7
> > to see if it works properly.
>
> > If you use a rule like
>
> > iptables -A INPUT -m unlean -j DROP
>                        ^^^^^^
> unclean, unclean <ding> ;-)
>
> > are you still able to connect in/out of your box?
>
> $MYIPTABLES --append INPUT   --match unclean --jump DROP
>
> has been at the start of my rules for a long time. I wasn't seeing
> any *serious* problems browsing the web, etc., but was getting a few
> "unable to connect to host" pages. Some of them went away on refresh,
> but some sites I just couldn't get to. On the other hand, that's
> normal for the Internet.
>
> --
> Alan J. Wylie                        http://www.glaramara.freeserve.co.uk/
> "Perfection [in design] is achieved not when there is nothing left to add,
> but rather when there is nothing left to take away."
>   Antoine de Saint-Exupery
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: ipt_unclean: TCP flags bad: 4

[Rusty Russell]

In message <15194.61662.338810.87576@glaramara.freeserve.co.uk> you write:
> 
> I've just upgraded to 2.4.7, and I'm getting lots of errors:
> 
> ipt_unclean: TCP flags bad: 4

Please try this patch...

Note that this should be a warning to people not to reject packets
based on ipt_unclean, or we'll end up with another situation like the
ECN blackholes when the next Funky New Thing comes along...

Thanks,
Rusty.
--
Premature optmztion is rt of all evl. --DK

diff -urN -I \$.*\$ -X /home/rusty/devel/kernel/kernel-patches/dontdiff --minimal linux-2.4.7-official/net/ipv4/netfilter/ipt_unclean.c working-2.4.7-unclean/net/ipv4/netfilter/ipt_unclean.c
--- linux-2.4.7-official/net/ipv4/netfilter/ipt_unclean.c	Sun Jul 22 13:13:27 2001
+++ working-2.4.7-unclean/net/ipv4/netfilter/ipt_unclean.c	Mon Jul 23 18:29:11 2001
@@ -331,6 +331,7 @@
 	tcpflags = ((u_int8_t *)tcph)[13];
 	if (tcpflags != TH_SYN
 	    && tcpflags != (TH_SYN|TH_ACK)
+	    && tcpflags != TH_RST
 	    && tcpflags != (TH_RST|TH_ACK)
 	    && tcpflags != (TH_RST|TH_ACK|TH_PUSH)
 	    && tcpflags != (TH_FIN|TH_ACK)

Re: ipt_unclean: TCP flags bad: 4

[Alan J. Wylie]

On Mon, 23 Jul 2001 18:43:26 +1000, Rusty Russell <rusty@rustcorp.com.au> said:

> In message <15194.61662.338810.87576@glaramara.freeserve.co.uk> you
> write:
>>  I've just upgraded to 2.4.7, and I'm getting lots of errors:
>> 
>> ipt_unclean: TCP flags bad: 4

> Please try this patch...

That fixes it.

Many thanks.

-- 
Alan J. Wylie                        http://www.glaramara.freeserve.co.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
  Antoine de Saint-Exupery