arno-iptables-firewall / aif

GNU General Public License v2.0

removed: Get rid of the BAD_TCP_FLAGS setting, which in fact always w… #58

Closed arnova closed 5 years ago

arnova commented 5 years ago

…as a "bad tcp options" setting. This also fixes problems with nftables's iptables emulation

arnova commented 5 years ago

@abelbeck : You ok with this?

abelbeck commented 5 years ago

@arnova Looking at an old "packet-filtering-HOWTO-7" the --tcp-option is described as:

--tcp-option followed by an optional `!' and a number, matches a packet with a TCP option equaling that number. A packet which does not have a complete TCP header is dropped automatically if an attempt is made to examine its TCP options.

The trailing sentence "A packet which does not have a complete TCP header is dropped automatically if an attempt is made to examine its TCP options" ... is possibly part of its usefulness.

But the iptables man-pages only state: "Match if TCP option set." period.

The failure of nftables's backward compatibility does look like a bug in nftables.

Having said that, removing the BAD_FLAGS_LOG AIF option looks like a reasonable thing to do in this day and age; protection from malformed TCP packets is not as needed as in the old days.
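
To make the HOWTO semantics quoted above concrete, here is an added example that is not code from arno-iptables-firewall, iptables or the kernel: a small Python model of a `--tcp-option N` match evaluated over raw TCP header bytes. The option walk follows the shape of the kernel's xt_tcp matcher as this example's author understands it (one-byte step for EOL/NOP, length-field step otherwise, drop when the Data Offset announces option bytes that are not present); `build_tcp_segment`, the three result labels and all packet bytes are constructed here for illustration.

```python
"""Model of the iptables `--tcp-option N` match on raw TCP header bytes.

Added example, not project or kernel code. It reproduces the behaviour the
old packet-filtering HOWTO describes: a packet whose TCP header is not
complete (Data Offset promises option bytes that are missing) is dropped
outright when the rule tries to inspect its options, regardless of the
rule's own target.
"""
import struct
from typing import Optional

MATCH = "match"        # rule matches: option present (or absent, if inverted)
NO_MATCH = "no-match"  # header complete, rule does not match
HOTDROP = "drop"       # packet discarded before any target is consulted

TCP_FIXED_HDR = 20     # bytes in a TCP header with no options


def build_tcp_segment(options: bytes = b"",
                      truncate_to: Optional[int] = None) -> bytes:
    """Construct a SYN header carrying `options` (padded to a 4-byte multiple
    so Data Offset is consistent). `truncate_to` cuts the bytes short to
    simulate a packet whose announced options never arrived. Constructed
    sample data; ports, seq/ack and checksum are placeholders."""
    options += b"\x00" * ((-len(options)) % 4)
    doff = (TCP_FIXED_HDR + len(options)) // 4
    if doff > 15:
        raise ValueError("Data Offset is a 4-bit field: max 60-byte header")
    header = struct.pack("!HHIIBBHHH",
                         12345, 80,      # source port, destination port
                         0, 0,           # sequence, acknowledgement
                         doff << 4,      # Data Offset in the high nibble
                         0x02,           # flags: SYN
                         65535, 0, 0)    # window, checksum (unset), urg ptr
    segment = header + options
    return segment if truncate_to is None else segment[:truncate_to]


def tcp_option_match(segment: bytes, option_kind: int,
                     invert: bool = False) -> str:
    """Evaluate `--tcp-option option_kind` (or `! --tcp-option`) on one segment."""
    if len(segment) < TCP_FIXED_HDR:
        return HOTDROP                      # not even a fixed header
    doff = (segment[12] >> 4) * 4
    if doff < TCP_FIXED_HDR:
        return HOTDROP                      # bogus Data Offset
    optlen = doff - TCP_FIXED_HDR
    if optlen == 0:
        return MATCH if invert else NO_MATCH  # nothing to inspect
    if len(segment) < doff:
        return HOTDROP                      # "does not have a complete TCP header"
    opts = segment[TCP_FIXED_HDR:doff]
    i = 0
    while i < optlen:
        if opts[i] == option_kind:
            return NO_MATCH if invert else MATCH
        if opts[i] < 2:                     # EOL (0) and NOP (1) are one byte
            i += 1
        else:                               # kind, length, value...
            length = opts[i + 1] if i + 1 < optlen else 0
            i += length or 1                # a zero length must not loop forever
    return MATCH if invert else NO_MATCH


# Constructed sample segments: a normal SYN with MSS, one with NOP-padded
# timestamps, a bare header, and the same MSS SYN cut off after 20 bytes.
SYN_MSS = build_tcp_segment(b"\x02\x04\x05\xb4")                  # MSS 1460
SYN_TS = build_tcp_segment(b"\x01\x01\x08\x0a" + b"\x00" * 8)     # NOP NOP TS
SYN_BARE = build_tcp_segment()
SYN_CUT = build_tcp_segment(b"\x02\x04\x05\xb4", truncate_to=20)


def demo() -> dict:
    """Run the match over the samples; returned so callers can inspect it."""
    return {
        "mss present": tcp_option_match(SYN_MSS, 2),
        "ts absent from mss-only": tcp_option_match(SYN_MSS, 8),
        "ts behind nops": tcp_option_match(SYN_TS, 8),
        "no options": tcp_option_match(SYN_BARE, 2),
        "no options, inverted": tcp_option_match(SYN_BARE, 2, invert=True),
        "truncated header": tcp_option_match(SYN_CUT, 2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

The last case is the one the HOWTO sentence is about: the rule asked for option 2 and the segment's Data Offset claims a 24-byte header, but only 20 bytes are there, so the result is a drop rather than a match decision. That is the side effect a "bad TCP options" rule could rely on, and the reason it has no equivalent in a plain flag match.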

arnova commented 5 years ago

@abelbeck : Lonnie, thanks for feedback and the additional info, much appreciated!