Problem with two addrtype matches in one iptables rule.

Problem with two addrtype matches in one iptables rule.

[Taylor, Grant]

Hi, my name is Grant Taylor.  I'm playing with your addrtype match extension to iptables.  I must say that I like it very much.  However I have a slight problem with it.  Namely I am apparently only able to have one addrtype match in any given rule.  I would like to use two addrtype matches, one for the source address, and one for the destination address in my iptables rules.  Do you know of any limitations to the addrtype match extension that would be causing this?  Below is an example rule of what I am currently using as well as what I would like to be able to do:

# current rule:
iptables -t filter -A INPUT -i eth1 -m pkttype --pkt-type broadcast -m addrtype --src-type broadcast -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT

# desired rule:
iptables -t filter -A INPUT -i eth1 -m pkttype --pkt-type broadcast -m addrtype --src-type broadcast -m addrtype --dst-type broadcast -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT

Any comments or suggestions would be greatly appreciated.



Grant. . . .

P.S.  This email was sent to Patrick McHardy (directly) as well as CCed to the NetFilter (general) mailing list.

Re: Problem with two addrtype matches in one iptables rule.

[Patrick McHardy]

Taylor, Grant wrote:
> Hi, my name is Grant Taylor.  I'm playing with your addrtype match
> extension to iptables.  I must say that I like it very much.  However I
> have a slight problem with it.  Namely I am apparently only able to have
> one addrtype match in any given rule.  I would like to use two addrtype
> matches, one for the source address, and one for the destination address
> in my iptables rules.  Do you know of any limitations to the addrtype
> match extension that would be causing this?  Below is an example rule of
> what I am currently using as well as what I would like to be able to do:
> 
> # current rule:
> iptables -t filter -A INPUT -i eth1 -m pkttype --pkt-type broadcast -m
> addrtype --src-type broadcast -s 0.0.0.0 -d 255.255.255.255 -p udp
> --sport 68 --dport 67 -j ACCEPT
> 
> # desired rule:
> iptables -t filter -A INPUT -i eth1 -m pkttype --pkt-type broadcast -m
> addrtype --src-type broadcast -m addrtype --dst-type broadcast -s
> 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT
> 
> Any comments or suggestions would be greatly appreciated.

This is a known limitation of iptables:

/* FIXME: This scheme doesn't allow two of the same
   matches --RR */

It looks like fixing it would break compatibility because currently
arguments to matches can occur at any position:

iptables -A OUTPUT -m addrtype -p tcp --dst-type BROADCAST

I suggest you add the second match to a new chain and jump to it
from the first match.

Regards
Patrick

Re: Problem with two addrtype matches in one iptables rule.

[Taylor, Grant]

> This is a known limitation of iptables:
> 
> /* FIXME: This scheme doesn't allow two of the same
>    matches --RR */

*nod*  This explains a few things.  Thank you for the input.

> It looks like fixing it would break compatibility because currently
> arguments to matches can occur at any position:

Hmm...

> I suggest you add the second match to a new chain and jump to it
> from the first match.

I was afraid that I would have to do such.  It looks like I'll be playing with the GOTO target extension then.



Grant. . . .