From: Olaf Schreck <chakl@sy...> - 2003-09-10 16:01:45
I noticed that the ipfilter policy compiler in 1.0.10 no longer
generates "flags S" in tcp rules. Why has this been removed?
Olaf Schreck chakl@... syscall() Network Solutions, Berlin

On Wednesday, September 10, 2003, at 09:01 AM, Olaf Schreck wrote:
> Hi Vadim,
> I noticed that the ipfilter policy compiler in 1.0.10 no longer
> generates "flags S" in tcp rules. Why has this been removed?
In 1.0.10 and 1.0.11 it is tied to the option "Accept TCP connections
opened prior to firewall restart". If that option is on, then "flags S"
won't be added.
Here is a relevant snippet from the ChangeLog:
2003-04-25 Vadim Kurland <vadim@...>
* PolicyCompiler_ipf_writers.cc (processNext): fixed bug
"Flag for no SYN by default for tcp ". Implemented support for
option "Accept TCP sessions opened prior to firewall restart" in
ipfilter. This can be used in redundant firewall pairs where
backup firewall takes over when the primary one goes down and
should not drop sessions opened before failover happens.
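
An added example, not part of the original thread or of the fwbuilder code: a small audit of ipfilter rules that reports every TCP "pass ... keep state" rule generated without a "flags" match, which is the form the compiler emits when the option discussed above is on. The sample ruleset, interface name and addresses are constructed, and the check is a simple line-based one that assumes one rule per line.

```python
# Constructed sample ruleset (not taken from the thread).
SAMPLE_RULES = """\
# ssh: only a SYN may create a state entry
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state
# smtp: any matching TCP segment may create a state entry
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 25 keep state
pass out quick on fxp0 proto udp from any to any port = 53 keep state
pass in quick on fxp0 proto tcp/udp from any to 192.0.2.53 port = 53 keep state
block in log quick on fxp0 proto tcp from any to any
"""


def tcp_state_rules_without_flags(ruleset):
    """Return (line_number, rule) for every pass rule that keeps TCP state
    but does not restrict state creation with a 'flags' match."""
    findings = []
    for lineno, raw in enumerate(ruleset.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()  # drop comments
        if not rule:
            continue
        tokens = rule.split()
        if tokens[0] != "pass" or "proto" not in tokens:
            continue
        idx = tokens.index("proto")
        if idx + 1 >= len(tokens):
            continue  # malformed rule, nothing to check
        # "tcp/udp" covers both protocols, so split on "/"
        if "tcp" not in tokens[idx + 1].split("/"):
            continue
        keeps_state = any(
            a == "keep" and b == "state" for a, b in zip(tokens, tokens[1:])
        )
        if keeps_state and "flags" not in tokens:
            findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for lineno, rule in tcp_state_rules_without_flags(SAMPLE_RULES):
        print(f"line {lineno}: no 'flags S' on stateful tcp rule: {rule}")
```

Rules it reports are expected on a failover pair with the option enabled; on a standalone firewall they show where mid-stream segments can create state.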