From owner-freebsd-current Tue Apr 2 13:30:08 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA28146 for current-outgoing; Tue, 2 Apr 1996 13:30:08 -0800 (PST)
Received: from trane.uninett.no (trane.uninett.no [129.241.1.16]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA28110 for ; Tue, 2 Apr 1996 13:30:03 -0800 (PST)
From: sthaug@nethelp.no
Received: from localhost (localhost [127.0.0.1]) by trane.uninett.no (8.7.3/8.7.3) with SMTP id WAA09553; Tue, 2 Apr 1996 22:29:58 +0100 (MET)
Message-Id: <199604022129.WAA09553@trane.uninett.no>
X-Authentication-Warning: trane.uninett.no: Host localhost [127.0.0.1] didn't use HELO protocol
To: franky@pinewood.nl
Cc: current@FreeBSD.ORG
Subject: Re: [Q] Semantics of 'established' in ipfw tcp
In-Reply-To: Your message of "Mon, 1 Apr 1996 10:20:05 +0100"
References: <9604011020.ZM20909@pwood1.pinewood.nl>
X-Mailer: Mew version 1.03 on Emacs 19.28.1
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 02 Apr 1996 23:29:57 +0200
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I would like to know other people's reactions to the current semantics of
> the 'established' keyword for TCP connections in the 2.2-960323-SNAPSHOT
> implementation of the ipfw in the kernel.
>
> Currently 'established' means (according to the manpage *and* some
> experimentation):
>
>     established    Matches packets that do not have the SYN bit set.
>                    TCP packets only.
>
> Should this not be:
>
>     established    Matches packets that do have the ACK bit set.
>                    TCP packets only.
>
> (To my knowledge this is the way conventional packet filters interpret
> 'established'.)

I believe it was Cisco that started using the 'established' keyword, and
at least according to Cisco documentation, for instance

http://cio.cisco.com/univercd/data/doc/software/11_0/rpcr/rip.htm#REF24774

it should be ACK *or* RST:

"A match occurs if the TCP datagram has the ACK or RST bits set. The
nonmatching case is that of the initial TCP datagram to form a connection."

Steinar Haug, Nethelp consulting, sthaug@nethelp.no