* ACCEPT/DROP
@ 2002-12-20 10:42 Venkatesh Prasad Ranganath
From: Venkatesh Prasad Ranganath @ 2002-12-20 10:42 UTC (permalink / raw)
To: netfilter; +Cc: nf
Hi,
I was looking into the iptables implementation and was intrigued about
how iptables would handle a situation in which we have identical rules
except for their targets which are contradicting, say ACCEPT and DROP.
By looking at ipt_do_table() function it seems that the first
non-IPT_RETURN verdict from any standard target will end the traversal
of a chain of a table, which seems to be a bit odd. First, such
conflicting rules must not be allowed. Even beyond, this fails in the
situation where you have a dropping rule added after an accepting rule.
For example, a packet from m.n.o.p to a.b.c.d would be accepted at
a.b.c.d because of the first rule, although it had to be dropped
according to the second rule. And this would result because of the
order in which the rules are added to the table.
iptables -A INPUT -d a.b.c.d -j ACCEPT
iptables -A INPUT -s m.n.o.p -j DROP
Is my understanding correct? If so, I am curious to know how nf-hipac
behaves in such situations?
waiting for reply,
--
Venkatesh Prasad Ranganath,
Dept. Computing and Information Science,
Kansas State University, US.
web: http://www.cis.ksu.edu/~rvprasad
* Re: ACCEPT/DROP
From: Thomas Heinz @ 2002-12-20 11:36 UTC (permalink / raw)
To: Venkatesh Prasad Ranganath; +Cc: netfilter, nf
Hi Venkatesh
You wrote:
> I was looking into the iptables implementation and was intrigued about
> how iptables would handle a situation in which we have identical rules
> except for their targets which are contradicting, say ACCEPT and DROP.
> By looking at ipt_do_table() function it seems that the first
> non-IPT_RETURN verdict from any standard target will end the traversal
> of a chain of a table, which seems to be a bit odd. First, such
> conflicting rules must not be allowed. Even beyond, this fails in the
> situation where you have a dropping rule added after an accepting rule.
You misunderstand the definition of conflicting rules in the context
of the packet classification problem. A conflict occurs if there are
two or more matching rules with the same minimal cost. Since the cost of
a rule is equivalent to its position in the chain[1] and the position is
unique there are no conflicts by definition.
This holds for both iptables and nf-hipac.
[1] at least if you're not using user-defined chains; but even if user-
defined chains come into play the costs are in fact unique
> For example, a packet from m.n.o.p to a.b.c.d would be accepted at
> a.b.c.d because of the first rule, although it had to be dropped
> according to the second rule. And this would result because of the
> order in which the rules are added to the table.
This behaviour is intended. The packet classification problem is about
finding the matching rule with minimal cost.
Thomas
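The behaviour both messages describe, that chain traversal stops at the first ACCEPT or DROP verdict and that a rule's effective "cost" is its position, can be seen in a few lines of simulation. The following is an added example written for this page, not code from the thread, iptables or nf-hipac. It models a table as ordered chains, walks a chain in order the way ipt_do_table() is described above, and treats RETURN and user-defined chains as continuing in the caller. The addresses are constructed placeholders: 10.0.0.1 stands in for a.b.c.d and 192.0.2.7 for m.n.o.p, and the chain name "blocklist" is invented for the user-chain case.

```python
"""Added example (not from the thread): first-match chain traversal as in
iptables.  Addresses and the "blocklist" chain name are illustrative
placeholders chosen for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

HOST = "10.0.0.1"        # stands in for a.b.c.d in the original question
ATTACKER = "192.0.2.7"   # stands in for m.n.o.p


@dataclass
class Rule:
    target: str                  # "ACCEPT", "DROP", "RETURN" or a user-defined chain name
    src: Optional[str] = None    # address or CIDR; None matches any source
    dst: Optional[str] = None    # address or CIDR; None matches any destination

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.src is None or ip_address(src) in ip_network(self.src, strict=False)
        dst_ok = self.dst is None or ip_address(dst) in ip_network(self.dst, strict=False)
        return src_ok and dst_ok


@dataclass
class Table:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policies: Dict[str, str] = field(default_factory=dict)   # built-in chains only

    def verdict(self, chain: str, src: str, dst: str, depth: int = 0) -> Optional[str]:
        """Walk `chain` in rule order.  The first matching ACCEPT/DROP ends the
        traversal; RETURN (or running off the end of a user chain) hands the
        packet back to the calling chain, which resumes at its next rule."""
        if depth > 16:
            raise RecursionError("chain jump loop")
        for rule in self.chains[chain]:
            if not rule.matches(src, dst):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            sub = self.verdict(rule.target, src, dst, depth + 1)   # jump to user chain
            if sub is not None:
                return sub
        # Built-in chains fall through to their policy; user chains return to caller.
        return self.policies.get(chain)


def input_chain(order: str) -> Table:
    """The two rules from the question, in the order they were appended (-A)."""
    accept = Rule("ACCEPT", dst=HOST)       # iptables -A INPUT -d a.b.c.d -j ACCEPT
    drop = Rule("DROP", src=ATTACKER)       # iptables -A INPUT -s m.n.o.p -j DROP
    rules = [accept, drop] if order == "accept-first" else [drop, accept]
    return Table(chains={"INPUT": rules}, policies={"INPUT": "ACCEPT"})


def classify(order: str, src: str, dst: str) -> str:
    return input_chain(order).verdict("INPUT", src, dst)


def with_user_chain() -> Table:
    """INPUT jumps to a user chain first; RETURN there resumes INPUT at rule 2."""
    t = Table(policies={"INPUT": "DROP"})
    t.chains["INPUT"] = [Rule("blocklist"), Rule("ACCEPT", dst=HOST)]
    t.chains["blocklist"] = [Rule("RETURN", src="10.0.0.0/8"),
                             Rule("DROP", src="192.0.2.0/24")]
    return t


if __name__ == "__main__":
    print(classify("accept-first", ATTACKER, HOST))   # ACCEPT: rule 1 wins by position
    print(classify("drop-first", ATTACKER, HOST))     # DROP: same rules, swapped order
    print(with_user_chain().verdict("INPUT", ATTACKER, HOST))   # DROP inside blocklist
```

Swapping the two rules changes the verdict for the same packet, which is exactly the point of the reply: the rule pair is not a conflict, because position makes the cost of each rule unique and the classifier simply returns the lowest-cost match. The user-chain case shows the one wrinkle the footnote mentions: a jump does not end traversal, so a DROP reached inside the user chain still wins over the later ACCEPT in INPUT, and a RETURN hands the packet back to continue at the next INPUT rule.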