On Sun, 2012-04-01 at 19:42 +0200, Pablo Neira Ayuso wrote:
> I understand your concern, but the info in the manpage is correct:
> basically, it can be extracted from it that --syn will not match
> SYN+FIN packets.
>
> As you point out in your patch, you have to use:
>
> --tcp-flags SYN,RST,ACK SYN
>
> in your rule-set for the situation that you describe.
>
> Changing the default behaviour of --syn to catch this case is
> delicate, I don't want to break backward compatibility.

Agreed.

With TCP Fast Open, it might be possible to send a SYN+FIN+cookies+DATA in a single frame.
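As an added illustration (not code from the thread, from netfilter or from iptables), the following Python model mirrors the documented iptables semantics: `--tcp-flags mask comp` matches when the bits selected by mask equal comp, and `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`. It shows why a SYN+FIN segment (with or without data) fails `--syn` but is caught by the `--tcp-flags SYN,RST,ACK SYN` rule Pablo recommends; the flag bit values and the `ALL` keyword expansion follow the TCP header and the iptables manpage.

```python
"""Offline model of iptables TCP flag matching (constructed example)."""

# TCP header flag bits (RFC 793 plus ECN bits).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_flags(spec: str) -> int:
    """Parse an iptables flag list such as 'SYN,RST,ACK' into a bitmask.

    'ALL' expands to SYN,ACK,FIN,RST,URG,PSH and 'NONE' to no bits,
    as the iptables manpage describes; unknown names raise KeyError.
    """
    spec = spec.strip().upper()
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]
    return bits


def tcp_flags_match(pkt_flags: int, mask: str, comp: str) -> bool:
    """--tcp-flags mask comp: the bits in mask must equal comp exactly."""
    return (pkt_flags & parse_flags(mask)) == parse_flags(comp)


def syn_match(pkt_flags: int) -> bool:
    """--syn: SYN set and ACK, RST and FIN clear (--tcp-flags SYN,RST,ACK,FIN SYN)."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN")


def classify(pkt_flags: int) -> dict:
    """Evaluate both rule forms from the thread against one packet's flags."""
    return {
        "--syn": syn_match(pkt_flags),
        "--tcp-flags SYN,RST,ACK SYN": tcp_flags_match(pkt_flags, "SYN,RST,ACK", "SYN"),
    }


# Constructed sample segments: the FIN-bearing SYNs are the case under discussion.
SAMPLES = {
    "SYN":          TCP_FLAGS["SYN"],
    "SYN+ACK":      TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "SYN+FIN":      TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"],
    "SYN+FIN+PSH":  TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"],
    "ACK":          TCP_FLAGS["ACK"],
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:12s} flags=0x{flags:02x} -> {classify(flags)}")
```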