patch-2.4.23 linux-2.4.23/net/ipv4/netfilter/ipt_unclean.c
- Lines: 46
- Date:
2003-11-28 10:26:21.000000000 -0800
- Orig file:
linux-2.4.22/net/ipv4/netfilter/ipt_unclean.c
- Orig date:
2003-06-13 07:51:39.000000000 -0700
diff -urN linux-2.4.22/net/ipv4/netfilter/ipt_unclean.c linux-2.4.23/net/ipv4/netfilter/ipt_unclean.c
@@ -259,6 +259,24 @@
#define TH_ECE 0x40
#define TH_CWR 0x80
+/* table of valid flag combinations - ECE and CWR are always valid */
+static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
+{
+ [TH_SYN] = 1,
+ [TH_SYN|TH_ACK] = 1,
+ [TH_RST] = 1,
+ [TH_RST|TH_ACK] = 1,
+ [TH_RST|TH_ACK|TH_PUSH] = 1,
+ [TH_FIN|TH_ACK] = 1,
+ [TH_ACK] = 1,
+ [TH_ACK|TH_PUSH] = 1,
+ [TH_ACK|TH_URG] = 1,
+ [TH_ACK|TH_URG|TH_PUSH] = 1,
+ [TH_FIN|TH_ACK|TH_PUSH] = 1,
+ [TH_FIN|TH_ACK|TH_URG] = 1,
+ [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1
+};
+
/* TCP-specific checks. */
static int
check_tcp(const struct iphdr *iph,
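Review bot: `tcp_valid_flags` is declared as a writable `static u8` array although the visible code only ever reads it, so the table that decides which flag combinations pass the check sits in ordinary writable data. Declaring it `static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =` documents that it is fixed and lets the compiler reject accidental writes. The header comment could also state the indexing contract, e.g. `/* indexed by the flags byte with ECE/CWR cleared; unlisted combinations are 0 = invalid */`. The 13 entries match the combinations in the comparison chain removed by the next hunk.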
@@ -330,19 +348,7 @@
/* CHECK: TCP flags. */
tcpflags = (((u_int8_t *)tcph)[13] & ~(TH_ECE|TH_CWR));
- if (tcpflags != TH_SYN
- && tcpflags != (TH_SYN|TH_ACK)
- && tcpflags != TH_RST
- && tcpflags != (TH_RST|TH_ACK)
- && tcpflags != (TH_RST|TH_ACK|TH_PUSH)
- && tcpflags != (TH_FIN|TH_ACK)
- && tcpflags != TH_ACK
- && tcpflags != (TH_ACK|TH_PUSH)
- && tcpflags != (TH_ACK|TH_URG)
- && tcpflags != (TH_ACK|TH_URG|TH_PUSH)
- && tcpflags != (TH_FIN|TH_ACK|TH_PUSH)
- && tcpflags != (TH_FIN|TH_ACK|TH_URG)
- && tcpflags != (TH_FIN|TH_ACK|TH_URG|TH_PUSH)) {
+ if (!tcp_valid_flags[tcpflags]) {
limpk("TCP flags bad: %u\n", tcpflags);
return 0;
}
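Review bot: The index in `tcp_valid_flags[tcpflags]` stays inside the table only because the line above clears TH_ECE and TH_CWR, while the table is dimensioned from the other six flags; nothing visibly ties the two expressions together. Masking with the same expression that sizes the table makes the bound self-evident: `tcpflags = ((u_int8_t *)tcph)[13] & (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG);`. Assuming those six macros cover the low six bits (their definitions are above the first hunk and not shown), this yields the same value as today. The declaration of `tcpflags` and the rest of check_tcp are outside the hunk, so it should be confirmed that the variable is an unsigned type.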