From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: Victor Julien <victor@nk.nl>,
Netfilter Developers List <netfilter-devel@lists.netfilter.org>
Subject: Re: Creating rules without the /sbin/iptables command?
Date: Wed, 17 Mar 2004 20:30:00 -0500 [thread overview]
Message-ID: <1079573400.2112.13.camel@localhost> (raw)
In-Reply-To: <Pine.LNX.4.44.0403180152360.18641-100000@filer.marasystems.com>
On Wed, 2004-03-17 at 20:15, Henrik Nordstrom wrote:
> On Wed, 17 Mar 2004, John A. Sullivan III wrote:
>
> > I found that there were a few other differences. As far as I can tell,
> > you can only have one table section per file, in other words if I have a
> > file such as
> >
> > *nat
> > some rules
> > COMMIT
> > *filter
> > some more rules
> > COMMIT
> > *nat
> > some more rules
> > COMMIT
> >
> > only the first set of NAT rules commits.
>
> If this is the case then it is a bug somewhere, most likely in libiptc..
>
> seems to work fine here however.. tested with
>
> *filter
> -A INPUT -p tcp --dport 45 -j ACCEPT
> COMMIT
> *nat
> -A PREROUTING -p tcp --dport 45 -j ACCEPT
> COMMIT
> *filter
> -A OUTPUT -j ACCEPT
> COMMIT
>
> and all three rules was added just fine.
>
> also I do not see any reason why it should not work. The libiptc handle is
> completely closed on COMMIT so there should not be any memory of you
> already have used this table when the new *tablename is reached.
>
> Note: when doing this you MUST use the --noflush (-n) option. If not the
> second reference to the table will clear the rules added by the first..
>
> > I also found that I needed to use an explicit declaration of implicit
> > matches, e.g.,
> >
> > *filter
> > -A FORWARD -p 6 --dport 80 -j ACCEPT - does not work
> > -A FORWARD -p 6 -m tcp --dport 80 -j ACCEPT - does work
> > COMMIT
>
> Works fine here without.. and considering that the exact same iptables.c
> is used in both commands for parsing the commands I don't see why it
> should not work in any version of iptables-restore..
>
> The fact that iptables-save prints the protocol match is only due to the
> fact that this is actually what the rules looks like if you are protocol
> match options.. there is some heavy duty "magics" in iptables command
> parsing if a protocol is specified but no protocol match. There is an
> interesting comment in iptables.c which summarises this magic protocol
> match function quite well ;-)
>
> /* If you listen carefully, you can
> actually hear this code suck. */
>
>
> Regards
> Henrik
Interesting. Thanks for the update. I know the last time I tested was
with a pretty old iptables - I don't know the version number as I have
long since upgraded. Perhaps I was braincramping but I'm almost certain
it choked if I didn't use the explicit match. Thanks again - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
next prev parent reply other threads:[~2004-03-18 1:30 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-03-17 18:46 Creating rules without the /sbin/iptables command? Victor Julien
2004-03-17 19:25 ` Cedric Blancher
2004-03-17 20:59 ` Victor Julien
2004-03-18 8:56 ` Cedric Blancher
2004-03-17 21:34 ` Henrik Nordstrom
2004-03-17 21:34 ` Henrik Nordstrom
2004-03-17 21:53 ` Victor Julien
2004-03-17 23:08 ` John A. Sullivan III
2004-03-17 23:45 ` Henrik Nordstrom
2004-03-17 23:59 ` John A. Sullivan III
2004-03-18 1:15 ` Henrik Nordstrom
2004-03-18 1:30 ` John A. Sullivan III [this message]
2004-03-18 1:34 ` Scott MacKay
2004-03-18 8:17 ` Henrik Nordstrom
2004-03-18 7:25 ` Victor Julien
2004-03-18 8:07 ` Henrik Nordstrom
2004-03-18 12:49 ` Victor Julien
2004-03-18 23:45 ` Henrik Nordstrom
2004-03-19 19:01 ` Victor Julien
2004-03-19 22:03 ` Henrik Nordstrom
2004-03-19 22:16 ` Victor Julien
2004-03-19 22:41 ` Henrik Nordstrom
2004-03-19 22:56 ` Victor Julien
2004-03-20 1:52 ` Henrik Nordstrom
2004-03-18 11:29 ` John A. Sullivan III
2004-03-18 12:52 ` Victor Julien
2004-03-18 14:12 ` John A. Sullivan III
2004-03-23 16:23 ` Adding packet metadata Scott MacKay
2004-03-24 0:06 ` Henrik Nordstrom
2004-03-24 7:38 ` Mike-Ro-Chanel
2004-03-24 8:01 ` Henrik Nordstrom
2004-03-24 8:18 ` Mike-Ro-Chanel
2004-03-24 11:52 ` Scott MacKay
2004-03-24 15:05 ` Henrik Nordstrom
2004-03-17 23:04 ` Creating rules without the /sbin/iptables command? John A. Sullivan III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1079573400.2112.13.camel@localhost \
--to=john.sullivan@nexusmgmt.com \
--cc=hno@marasystems.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=victor@nk.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.