Closed: arnova closed this 5 years ago
@abelbeck : You ok with this?
@arnova Looking at an old "packet-filtering-HOWTO-7", the --tcp-option is described as:
--tcp-option followed by an optional `!' and a number, matches a packet with a TCP option equaling that number. A packet which does not have a complete TCP header is dropped automatically if an attempt is made to examine its TCP options.
The trailing sentence "A packet which does not have a complete TCP header is dropped automatically if an attempt is made to examine its TCP options" ... is possibly part of its usefulness.
But the iptables man-pages only state: "Match if TCP option set." period.
The failure of nftables's backward compatibility does look like a bug in nftables.
Having said that, removing the BAD_FLAGS_LOG AIF option looks like a reasonable thing to do in this day and age; protection from malformed TCP packets is not as needed as in the old days.
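As an added illustration of the `--tcp-option` semantics quoted from the HOWTO above (this is example code written for this thread, not code from AIF, iptables or either commenter): a small Python emulation of the match that also implements the "incomplete TCP header is dropped" rule. The segment bytes are constructed here, and `tcp_option_kinds` / `matches_tcp_option` are hypothetical helper names.

```python
import struct

def tcp_option_kinds(segment: bytes):
    """Return the option kinds found in a raw TCP segment, or None when the
    header is incomplete or an option overruns it (the case the HOWTO says
    is dropped when --tcp-option tries to examine the options)."""
    if len(segment) < 20:                      # fixed part of the TCP header
        return None
    data_offset = (segment[12] >> 4) * 4       # header length in bytes
    if data_offset < 20 or len(segment) < data_offset:
        return None                            # header claims more bytes than present
    kinds, i = [], 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # NOP is a single byte
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= data_offset:
            return None                        # length byte missing
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None                        # option overruns the header
        kinds.append(kind)
        i += length
    return kinds

def matches_tcp_option(segment: bytes, number: int, negate: bool = False) -> str:
    """Emulate `-p tcp --tcp-option [!] number`: 'match', 'no-match', or
    'drop' when the header cannot be examined."""
    kinds = tcp_option_kinds(segment)
    if kinds is None:
        return "drop"
    return "match" if (number in kinds) != negate else "no-match"

# Constructed SYN segment: data offset 7 (28 bytes), options MSS(2), NOP(1), WScale(3)
_FIXED = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0)
SYN_SEGMENT = _FIXED + b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x07"
TRUNCATED_SEGMENT = SYN_SEGMENT[:24]       # cut inside the options area

if __name__ == "__main__":
    print(tcp_option_kinds(SYN_SEGMENT))                 # [2, 1, 3]
    print(matches_tcp_option(SYN_SEGMENT, 2))            # match
    print(matches_tcp_option(TRUNCATED_SEGMENT, 2))      # drop
```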
@abelbeck : Lonnie, thanks for feedback and the additional info, much appreciated!
…as a "bad tcp options" setting. This also fixes problems with nftables's iptables emulation