From: Christoph Gossen <gosen@conterra.de>
To: netfilter@lists.samba.org
Subject: Re: invert problem with multiport
Date: Wed, 19 Jun 2002 10:12:39 +0200
Message-ID: <3D103CF7.915F759F@conterra.de>
In-Reply-To: 200206181618.RAA27678@slate.rockstone.co.uk
Antony Stone wrote:
>
> On Tuesday 18 June 2002 4:50 pm, Christoph Gossen wrote:
>
> > Hello,
> >
> > I think there's a bug in the behaviour of the multiport module - for
> > example, a line like
> >
> > iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
> >
> > causes the same behaviour as
> >
> > iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
> >
> > or
> >
> > iptables -p tcp -A OUTPUT --dport 25 -j DROP
> >
> > and NOT (as one would expect) that one caused by
> >
> > iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
> >
> > Inverting the (set of) port(s) due to the "!" sign in the first line
> > above is just ignored (no syntax error occurs)!
> >
> > Any comments?
>
> I don't use the multiport match myself, but I'd expect it to be:
>
> iptables -p tcp -A OUTPUT -m multiport --dport ! 25 -j DROP
I have already tried this - it causes a syntax error
"invalid port/service `!' specified" (everything ok with this, to me).
>
> In other words "a destination port which isn't 25"....
>
> What does that do for you ?
>
> I note from the man page for iptables, though, that --dport has the [ ! ]
> option, but "multiport --dport" doesn't, so maybe negating multiports is not
> supported at all ?
This is what I assume, too. However, the "!" should not be silently
ignored then but rather a syntax error should arise (to avoid confusion,
or even a potential source of error).
Hervé Eychenne wrote:
...
> multiport option is "--dports", not "--dport"...
>
> RV
This is not quite right, as one can abbreviate down to even "--dp"
(I guess THIS is really an intended feature and not a bug).

I forgot to mention the iptables version I tried: It was version 1.2.2
and 1.2.6a.
Greetings,
Christoph
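
Added example, not part of the original message or of iptables itself: a check that a rule appended with "!" is still inverted in the chain listing, which catches the silently dropped negation described above. It assumes an iptables build that supports `-S` and that the listing prints a standalone `!` token for each inverted match; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines (not captured from a real system).
SAMPLE_REQUESTED='-p tcp -m multiport ! --dport 25 -j DROP'
SAMPLE_LISTED_BAD='-A OUTPUT -p tcp -m multiport --dports 25 -j DROP'

# Count standalone "!" tokens in a rule specification string.
count_negations() {
    n=0
    set -f                      # no glob expansion while word-splitting
    for tok in $1; do
        if [ "$tok" = "!" ]; then
            n=$((n + 1))
        fi
    done
    set +f
    echo "$n"
}

# Succeeds only if the listed rule keeps every negation that was requested.
# $1 = rule spec as requested, $2 = rule as printed by the chain listing.
negation_preserved() {
    want=$(count_negations "$1")
    have=$(count_negations "$2")
    [ "$have" -ge "$want" ]
}

# Append a rule, then compare it with the last rule listed for the chain.
# $1 = chain, remaining arguments = rule spec as passed to "iptables -A".
# Returns 2 if iptables rejects the rule, 1 if a negation was dropped.
add_rule_checked() {
    chain=$1
    shift
    iptables -A "$chain" "$@" || return 2
    listed=$(iptables -S "$chain" | tail -n 1)
    if ! negation_preserved "$*" "$listed"; then
        echo "negation lost: requested '$*', chain has '$listed'" >&2
        return 1
    fi
    return 0
}
```

A non-zero return from `add_rule_checked OUTPUT -p tcp -m multiport ! --dport 25 -j DROP` means the loaded rule does not match the intent and should be reviewed before the ruleset is relied on.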