first, given the flags SYN,ACK,FIN,RST,URG,PSH, and the shortcuts ALL and NONE, the flags filtering clause has the form --tcp-flags [!] comp mask as an example, --tcp-flags SYN,RST,ACK SYN means specifically to compare those three flags, and of those three, *only* SYN can be set. so far, so good. we can also incorporate ALL and NONE, for example: --tcp-flags ALL SYN (only SYN can be set among all flags) --tcp-flags ALL NONE (all flags must be unset -- a bit silly) so "ALL", in these cases, is short for all six flags. but what if we have --tcp-flags SYN,RST,ACK ALL as a mask, i'm assuming that "ALL" really now means just all of the flags that were listed in the comp list, since it wouldn't make much sense to mean all six flags anymore. is this reasonable? and i'm also assuming this would mean the same as --tcp-flags ! SYN,RST,ACK NONE even though that's a really hideous way of expressing it. rday
