Re: Combining/compacting 2 rules into 1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: Combining/compacting 2 rules into 1
From: "William N." <netfilter@xxxxxxxxxx>
Date: Wed, 17 Apr 2024 14:12:30 -0000
In-reply-to: <2e3ee5dc-0628-47c0-937b-21daac1c76c0@app.fastmail.com>
References: <20240416174748.5612bd27@localhost> <20240416195445.41b40f624e2dbec1c593c789@plushkava.net> <20240416191250.04884e9b@localhost> <20240416210851.a9f14dc3c046ce42af06d87a@plushkava.net> <20240417082917.5cbb38ae@localhost> <890e6c2d-ed3a-4a0d-84ae-5cd1a2425316@slavino.sk> <d7419059-cfb1-40df-9280-c673775cb04a@app.fastmail.com> <fb8c2fee-c2fa-49ec-87f9-c563d04f3343@slavino.sk> <2e3ee5dc-0628-47c0-937b-21daac1c76c0@app.fastmail.com>
Reply-to: netfilter@xxxxxxxxxxxxxxx

Just tested on Debian 12:

# hping3 <host> -c 1 --syn --tcp-mss 100

This triggers the discussed rule (output from 'nft monitor trace'):

...
trace id 98d76ca4 netdev filter ingress rule meta protocol . tcp option maxseg size { ip . 0-535, ip6 . 0-1219 } tcp flags syn log prefix "TCP MSS: " counter packets 0 bytes 0 drop (verdict drop)

hping3 also doesn't work with IPv6 though.

Follow-Ups:
- Re: Combining/compacting 2 rules into 1
  - From: Slavko

References:
- Combining/compacting 2 rules into 1
  - From: William N.
- Re: Combining/compacting 2 rules into 1
  - From: Kerin Millar
- Re: Combining/compacting 2 rules into 1
  - From: William N.
- Re: Combining/compacting 2 rules into 1
  - From: Kerin Millar
- Re: Combining/compacting 2 rules into 1
  - From: William N.
- Re: Combining/compacting 2 rules into 1
  - From: Slavko
- Re: Combining/compacting 2 rules into 1
  - From: Kerin Millar
- Re: Combining/compacting 2 rules into 1
  - From: Slavko
- Re: Combining/compacting 2 rules into 1
  - From: Kerin Millar

Prev by Date: Re: Combining/compacting 2 rules into 1
Next by Date: Re: Combining/compacting 2 rules into 1
Previous by thread: Re: Combining/compacting 2 rules into 1
Next by thread: Re: Combining/compacting 2 rules into 1
Index(es):
- Date
- Thread

[Index of Archives] [Linux Netfilter Development] [Linux Kernel Networking Development] [Netem] [Berkeley Packet Filter] [Linux Kernel Development] [Advanced Routing & Traffice Control] [Bugtraq]