Hi, I've been trying to understand netfilter's connection tracking for TCP. The FSM used is a simplified version of the usual TCP FSM, and therefore, as I understand it, it does not permit perfect tracking of TCP.

A first question is: why not rely on a better version of the FSM? It would maybe imply that the states of both end-hosts should be stored, but it would also allow finer-grained tracking of the connection. I assume this is because the firewall doesn't need to be so specific about the tracking, but why not? Wouldn't it be better from a security viewpoint?

In the same line of thinking, I can see that, for example, at the regular connection close, no check is done on the direction of the FIN segments. AFAIK, this would mean that a host could make the firewall think that a connection is closed when it is actually sending a FIN segment twice. A one-liner check would make sure that both FINs come from different hosts, so why omit this?

The real question is: am I missing something important that would make this kind of thing insignificant?

In advance, thank you.

-- nimai --
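To make the teardown scenario in the post concrete, here is a constructed toy tracker (added here as an illustration; it is not netfilter's nf_conntrack code and does not claim to match its state table). It models only the close phase: a `strict` flag switches between counting FINs regardless of direction and requiring one FIN per direction, so the two behaviours can be compared side by side. All names (`ct_entry`, `ct_update`, `DIR_ORIGINAL`, `DIR_REPLY`) are this example's own.

```c
/* Constructed toy TCP teardown tracker; not netfilter's conntrack code. */
#include <stdbool.h>

enum ct_state { CT_ESTABLISHED, CT_FIN_WAIT, CT_CLOSE };
enum ct_dir   { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

#define TH_FIN 0x01   /* FIN bit as it sits in the TCP flags byte */

struct ct_entry {
    enum ct_state state;
    bool fin_seen[2];   /* indexed by enum ct_dir */
    bool strict;        /* true: require a FIN from each direction */
};

void ct_init(struct ct_entry *ct, bool strict)
{
    ct->state = CT_ESTABLISHED;
    ct->fin_seen[DIR_ORIGINAL] = false;
    ct->fin_seen[DIR_REPLY] = false;
    ct->strict = strict;
}

/* Feed one segment (its flags and direction); returns the new state. */
enum ct_state ct_update(struct ct_entry *ct, enum ct_dir dir, unsigned flags)
{
    if (ct->state == CT_CLOSE || !(flags & TH_FIN))
        return ct->state;            /* only FINs matter in this toy */

    if (ct->strict) {
        /* Direction-aware: a second FIN from the same side (retransmit or
         * spoof) does not advance the state; both sides must have sent one. */
        ct->fin_seen[dir] = true;
        ct->state = (ct->fin_seen[DIR_ORIGINAL] && ct->fin_seen[DIR_REPLY])
                    ? CT_CLOSE : CT_FIN_WAIT;
    } else {
        /* Direction-agnostic: the second FIN closes, whoever sends it. */
        ct->state = (ct->state == CT_ESTABLISHED) ? CT_FIN_WAIT : CT_CLOSE;
    }
    return ct->state;
}

/* Scenario from the post: one side sends FIN twice. */
enum ct_state ct_double_fin_same_side(bool strict)
{
    struct ct_entry ct;
    ct_init(&ct, strict);
    ct_update(&ct, DIR_ORIGINAL, TH_FIN);
    return ct_update(&ct, DIR_ORIGINAL, TH_FIN);
}

/* Normal close: one FIN from each side. */
enum ct_state ct_fin_each_side(bool strict)
{
    struct ct_entry ct;
    ct_init(&ct, strict);
    ct_update(&ct, DIR_ORIGINAL, TH_FIN);
    return ct_update(&ct, DIR_REPLY, TH_FIN);
}
```

With `strict` off, two FINs from the original direction reach `CT_CLOSE`; with `strict` on, the entry stays in `CT_FIN_WAIT` until the reply side also sends its FIN.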