TCP flags to examine, proper resetting (was: no "flags x"? [CVS: cvs.openbsd.org: src])
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: TCP flags to examine, proper resetting (was: no "flags x"? [CVS: cvs.openbsd.org: src])
- From: Moritz Grimm <gtgbr_(_at_)_gmx_(_dot_)_net>
- Date: Tue, 29 Oct 2002 19:03:09 +0100
The removal of "flags X" and the following discussion made me browse
through RFC 793 (TCP) and RFC 3168 (ECN), to figure out the largest
reasonable number of flags to examine when only legal connection
initiations shall be allowed to create state.
Not examining all flags, including ECN (or any other tcp-extending flags
that might happen/do exist), makes perfect sense. Camiel Dobbelaar uses
S/SAFR, but I wonder about the remaining standard flags PSH, WND and
URG. None of those seem to be legal for a connection initiation.
PSH makes no sense: why should non-existent data payload go through to
the listening daemon unbuffered while no connection exists yet? The same
applies to WND and URG: flow control or urgent _data_ has nothing to do
with the initial handshake. Wouldn't S/SAFRPWU be the "ideal" set of
flags to check?
Please correct me if my assumptions are wrong, i.e. explain when
something like SYN,PSH may happen. Thanks in advance.
Also, RFC 793 clearly states that connection attempts to closed ports are
rejected with a RST packet (unlike what Linux 2.4's netfilter does, for
example ... can anyone tell me why they do it with an ICMP message by
default?). However, it also says that unrelated packets that don't belong
to any connection (I guess a pass in rule with the filtering described
above falls under this category) get a "reset control message" - does this
mean RST or an ICMP message? I find this a bit confusing. Again, thanks
for any clue you can provide.
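The following is an added example, not code from the original post or from pf itself. It models pf's "flags set/mask" test on raw TCP header bytes so the candidate rules discussed above (S/SA, S/SAFR, S/SAFRPWU) can be compared against constructed segments. It assumes the flag letters documented in pf.conf(5) (F FIN, S SYN, R RST, P PSH, A ACK, U URG, E ECE, W CWR) and the bit positions in the 13th byte of the TCP header from RFC 793 and RFC 3168; the segments, port numbers and sequence numbers are constructed sample data.

```python
"""Model of pf's "flags <set>/<mask>" test applied to raw TCP headers.

Added example (not from the original post or from pf). Assumes pf.conf(5)
flag letters and the RFC 793 / RFC 3168 layout of header byte 13; all
segments below are constructed sample data.
"""
import struct

# pf flag letter -> bit in TCP header byte 13.
# CWR (W) and ECE (E) are the ECN bits added by RFC 3168; the rest are RFC 793.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}


def letters_to_bits(letters: str) -> int:
    """Translate a pf flag string such as "SAFR" into a bitmask."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown pf flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte (offset 13) of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    return segment[13]


def pf_flags_match(segment: bytes, rule: str) -> bool:
    """pf semantics for "flags set/mask": of the bits named in mask,
    exactly those named in set must be on; bits outside mask are ignored."""
    set_part, mask_part = rule.split("/")
    want = letters_to_bits(set_part)
    mask = letters_to_bits(mask_part)
    if want & ~mask:
        raise ValueError("set must be a subset of mask")
    return (tcp_flags(segment) & mask) == want


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int = 65535) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, checksum left zero)."""
    data_offset = 5 << 4  # header length 5 words; reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def flag_names(flags: int) -> str:
    """Render a flags byte in pf letters, "-" when none are set."""
    return "".join(l for l, b in FLAG_BITS.items() if flags & b) or "-"


# Constructed sample segments (hypothetical ports and sequence numbers).
SEGMENTS = {
    "plain SYN":      build_tcp_header(40000, 80, 1, 0, letters_to_bits("S")),
    "ECN-setup SYN":  build_tcp_header(40000, 80, 1, 0, letters_to_bits("SEW")),
    "SYN+ACK":        build_tcp_header(80, 40000, 100, 2, letters_to_bits("SA")),
    "SYN+PSH":        build_tcp_header(40000, 80, 1, 0, letters_to_bits("SP")),
    "SYN+FIN":        build_tcp_header(40000, 80, 1, 0, letters_to_bits("SF")),
}


def evaluate(rule: str, segments=SEGMENTS) -> dict:
    """Apply one pf flags rule to every sample segment; True means it would match."""
    return {name: pf_flags_match(seg, rule) for name, seg in segments.items()}


if __name__ == "__main__":
    for rule in ("S/SA", "S/SAFR", "S/SAFRPWU", "S/SAFRPU"):
        print(f"flags {rule}:")
        for name, seg in SEGMENTS.items():
            verdict = "pass" if pf_flags_match(seg, rule) else "drop"
            print(f"  {name:14s} [{flag_names(tcp_flags(seg)):4s}] -> {verdict}")
```

Running it shows the trade-off behind the question: S/SA still lets a SYN+FIN through, S/SAFR stops it, and S/SAFRPWU additionally refuses the ECN-setup SYN from RFC 3168 (SYN with ECE and CWR set), because W in pf is the CWR bit rather than a window-related flag. Dropping W (and E) from the mask, as in S/SAFRPU, keeps ECN negotiation working while still rejecting SYN+PSH.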