* [PATCH] Unspecified proto should print as "all" in iptables -L
From: Phil Oester @ 2007-04-28 22:02 UTC (permalink / raw)
To: netfilter-devel
In fixing bug #446 [1], the output for unspecified proto was changed
from "all" to "0". This reverts to the original behaviour, and
closes bugzilla #543.
Phil
[1] http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/iptables/ip6tables.c?r1=6465&r2=6466
diff -ru ipt-orig/iptables.c ipt-new/iptables.c
--- ipt-orig/iptables.c 2007-03-20 08:51:41.000000000 -0700
+++ ipt-new/iptables.c 2007-04-28 14:51:02.000000000 -0700
@@ -232,6 +232,7 @@
{ "esp", IPPROTO_ESP },
{ "ah", IPPROTO_AH },
{ "sctp", IPPROTO_SCTP },
+ { "all", 0 },
};
static char *
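Review bot: the hunk only touches iptables.c, while the cover letter's link [1] points at the ip6tables.c change (r6465 to r6466) that introduced the "all" to "0" output regression in the first place; the same table in ip6tables.c needs the `{ "all", 0 },` entry too, otherwise `ip6tables -L` keeps printing 0. A one-line comment on the new entry would also help: 0 here is deliberately the "any protocol" wildcard rather than a real IPPROTO_* value, so a later reader does not take it for a missing constant or try to use the table to match protocol number 0.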
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Pablo Neira Ayuso @ 2007-04-29 23:06 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel
Phil Oester wrote:
> In fixing bug #446 [1], the output for unspecified proto was changed
> from "all" to "0". This reverts to the original behaviour, and
> closes bugzilla #543.
Applied a similar patch to ip6tables.c, thanks Phil. You're doing nice
work closing open bugs in bugzilla.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Jan Engelhardt @ 2007-04-30 8:38 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Phil Oester, netfilter-devel
On Apr 30 2007 01:06, Pablo Neira Ayuso wrote:
>Phil Oester wrote:
>> In fixing bug #446 [1], the output for unspecified proto was changed
>> from "all" to "0". This reverts to the original behaviour, and
>> closes bugzilla #543.
>
>Applied a similar patch to ip6tables.c, thanks Phil. You're doing a nice
>work closing open bugs in bugzilla.
Hey btw, how would you go about matching protocol 0 since 0 is unfortunately
defined as "all" in iptables?
Jan
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Phil Oester @ 2007-04-30 17:13 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel, Pablo Neira Ayuso
On Mon, Apr 30, 2007 at 10:38:38AM +0200, Jan Engelhardt wrote:
> Hey btw, how would you go about matching protocol 0 since 0 is unfortunately
> defined as "all" in iptables?
I suppose you wouldn't, although AFAIK protocol 0 isn't actively
used. Have you seen it used in the wild?
Phil
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Jan Engelhardt @ 2007-04-30 17:25 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel, Pablo Neira Ayuso
On Apr 30 2007 10:13, Phil Oester wrote:
>On Mon, Apr 30, 2007 at 10:38:38AM +0200, Jan Engelhardt wrote:
>> Hey btw, how would you go about matching protocol 0 since 0 is unfortunately
>> defined as "all" in iptables?
>
>I suppose you wouldn't, although AFAIK protocol 0 isn't actively
>used. Have you seen it used in the wild?
/etc/protocols lists ipv6hopbyhop as 0.
But also see
http://lists.netfilter.org/pipermail/netfilter/2007-April/068496.html
Jan
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Phil Oester @ 2007-04-30 17:36 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel, Pablo Neira Ayuso
On Mon, Apr 30, 2007 at 07:25:17PM +0200, Jan Engelhardt wrote:
> On Apr 30 2007 10:13, Phil Oester wrote:
> >On Mon, Apr 30, 2007 at 10:38:38AM +0200, Jan Engelhardt wrote:
> >> Hey btw, how would you go about matching protocol 0 since 0 is unfortunately
> >> defined as "all" in iptables?
> >
> >I suppose you wouldn't, although AFAIK protocol 0 isn't actively
> >used. Have you seen it used in the wild?
>
> /etc/protocols lists ipv6hopbyhop as 0.
> But also see
> http://lists.netfilter.org/pipermail/netfilter/2007-April/068496.html
That is indeed unfortunate, but at this point we can't change the
meaning of this within iptables without potentially breaking compatibility
with existing rulesets. Perhaps someone is using a rule such as this:
-p 0 -j DROP
to drop all traffic to a box. If we changed it, now it would only block
protocol 0.
Sure, far-fetched, but I think our hands are tied to the current definition.
Phil
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Jorge Davila @ 2007-04-30 18:17 UTC (permalink / raw)
To: Phil Oester, Jan Engelhardt; +Cc: netfilter-devel, Pablo Neira Ayuso
I was trying to apply a rule
iptables -p 0 -j DROP
to block only the protocol 0. I know now why that rule was not working.
I think that -p 0 must be a reference to the protocol 0 and not to all
protocols.
Jorge.
On Mon, 30 Apr 2007 10:36:54 -0700
Phil Oester <kernel@linuxace.com> wrote:
> On Mon, Apr 30, 2007 at 07:25:17PM +0200, Jan Engelhardt wrote:
>> On Apr 30 2007 10:13, Phil Oester wrote:
>> >On Mon, Apr 30, 2007 at 10:38:38AM +0200, Jan Engelhardt wrote:
>> >> Hey btw, how would you go about matching protocol 0 since 0 is unfortunately
>> >> defined as "all" in iptables?
>> >
>> >I suppose you wouldn't, although AFAIK protocol 0 isn't actively
>> >used. Have you seen it used in the wild?
>>
>> /etc/protocols lists ipv6hopbyhop as 0.
>> But also see
>> http://lists.netfilter.org/pipermail/netfilter/2007-April/068496.html
>
> That is indeed unfortunate, but at this point we can't change the
> meaning of this within iptables without potentially breaking compatibility
> with existing rulesets. Perhaps someone is using a rule such as this:
>
> -p 0 -j DROP
>
> to drop all traffic to a box. If we changed it, now it would only block
> protocol 0.
>
> Sure, far-fetched, but I think our hands are tied to the current definition.
>
> Phil
>
>
Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Phil Oester @ 2007-04-30 20:09 UTC (permalink / raw)
To: Jorge Davila; +Cc: netfilter-devel, Jan Engelhardt, Pablo Neira Ayuso
On Mon, Apr 30, 2007 at 12:17:13PM -0600, Jorge Davila wrote:
> I was trying to apply a rule
>
> iptables -p 0 -j DROP
>
> to block only the protocol 0. I know now why that rule was not working.
>
> I think that -p 0 must be a reference to the protocol 0 and not to all
> protocols.
>
> Jorge.
Which application uses protocol 0? Or is this a custom app you wrote?
Phil
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Jorge Davila @ 2007-05-03 16:16 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel, Jan Engelhardt, Pablo Neira Ayuso
Sorry for the delay in answering your question ...
Well, it's because some users inside the internal networks under my
administration visit http://www.grc.com/ and run the Shields Up! to see the
open ports in the gateways and they see the port 0 open. That was the reason
to apply the rule.
Jorge.
On Mon, 30 Apr 2007 13:09:30 -0700
Phil Oester <kernel@linuxace.com> wrote:
> On Mon, Apr 30, 2007 at 12:17:13PM -0600, Jorge Davila wrote:
>> I was trying to apply a rule
>>
>> iptables -p 0 -j DROP
>>
>> to block only the protocol 0. I know now why that rule was not working.
>>
>> I think that -p 0 must be a reference to the protocol 0 and not to all
>> protocols.
>>
>> Jorge.
>
> Which application uses protocol 0? Or is this a custom app you wrote?
>
> Phil
>
Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Carl-Daniel Hailfinger @ 2007-05-03 16:33 UTC (permalink / raw)
To: Jorge Davila
Cc: Phil Oester, netfilter-devel, Jan Engelhardt, Pablo Neira Ayuso
On 03.05.2007 18:16, Jorge Davila wrote:
> Well, it's because some users inside the internal networks under my
> administration visit http://www.grc.com/ and run the Shields Up! to see
> the open ports in the gateways and they see the port 0 open. That was
> the reason to apply the rule.
Ah cool, that's another datapoint when trying to guess the firewall
ruleset. Port 0 not filtered roughly means "default policy is ACCEPT".
(Well, not quite. But close.)
Regards,
Carl-Daniel
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Phil Oester @ 2007-05-03 17:31 UTC (permalink / raw)
To: Carl-Daniel Hailfinger
Cc: Jorge Davila, netfilter-devel, Jan Engelhardt, Pablo Neira Ayuso
On Thu, May 03, 2007 at 06:33:47PM +0200, Carl-Daniel Hailfinger wrote:
> On 03.05.2007 18:16, Jorge Davila wrote:
> > Well, it's because some users inside the internal networks under my
> > administration visit http://www.grc.com/ and run the Shields Up! to see
> > the open ports in the gateways and they see the port 0 open. That was
> > the reason to apply the rule.
>
> Ah cool, that's another datapoint when trying to guess the firewall
> ruleset. Port 0 not filtered roughly means "default policy is ACCEPT".
> (Well, not quite. But close.)
Let's be clear here...we aren't talking about _PORT_ zero. We're talking
about _PROTOCOL_ zero. Can you please elaborate on the specific need
to filter _PROTOCOL_ zero?
Phil
* Re: [PATCH] Unspecified proto should print as "all" in iptables -L
From: Carl-Daniel Hailfinger @ 2007-05-03 17:45 UTC (permalink / raw)
To: Phil Oester
Cc: Jorge Davila, netfilter-devel, Jan Engelhardt, Pablo Neira Ayuso
On 03.05.2007 19:31, Phil Oester wrote:
> On Thu, May 03, 2007 at 06:33:47PM +0200, Carl-Daniel Hailfinger wrote:
>> On 03.05.2007 18:16, Jorge Davila wrote:
>>> Well, it's because some users inside the internal networks under my
>>> administration visit http://www.grc.com/ and run the Shields Up! to see
>>> the open ports in the gateways and they see the port 0 open. That was
>>> the reason to apply the rule.
>> Ah cool, that's another datapoint when trying to guess the firewall
>> ruleset. Port 0 not filtered roughly means "default policy is ACCEPT".
>> (Well, not quite. But close.)
>
> Let's be clear here...we aren't talking about _PORT_ zero. We're talking
> about _PROTOCOL_ zero. Can you please elaborate on the specific need
> to filter _PROTOCOL_ zero?
Sorry, my bad. There is no specific need on my side. It's just that
some creative use of nmap enables me to learn more about target systems.
I am entirely happy with the current situation.
Regards,
Carl-Daniel
* Re: How to match protocol 0
From: Jan Engelhardt @ 2007-06-02 18:49 UTC (permalink / raw)
To: Netfilter Mailing List, Netfilter Developer Mailing List; +Cc: Phil Oester
Hello all,
regarding your questions in
http://lists.netfilter.org/pipermail/netfilter/2007-April/068496.html
and the thread
http://lists.netfilter.org/pipermail/netfilter-devel/2007-April/027675.html
I think it's actually quite easy. How about:
iptables -m u32 --u32 "8&0x0F00=0"
This takes bytes 8+4 of a packet (bytes 8,9,10,11), ANDs them with 0x0F00,
so as to get only byte 9 (which is the IPv4 field for the Layer 4
protocol) and sees if it is 0.
(Yes, we would have to use a shift before comparing, but since we are
comparing for protocol zero, it does not matter.)
Ok, everyone got that? :)
Jan
* Re: How to match protocol 0
From: Jan Engelhardt @ 2007-06-02 21:19 UTC (permalink / raw)
To: Netfilter Mailing List, Netfilter Developer Mailing List; +Cc: Phil Oester
On Jun 2 2007 20:49, Jan Engelhardt wrote:
>Hello all,
>
>
>regarding your questions in
>http://lists.netfilter.org/pipermail/netfilter/2007-April/068496.html
>and the thread
>http://lists.netfilter.org/pipermail/netfilter-devel/2007-April/027675.html
>
>I think it's actually quite easy. How about:
>
> iptables -m u32 --u32 "8&0x0F00=0"
minor glitch, it should read:
for TCP (prot 6): iptables -m u32 --u32 "8 & 0x00FF0000 = 0x00060000"
for UDP (prot 17): iptables -m u32 --u32 "8 & 0x00FF0000 = 0x00110000"
for HBH (prot 0): iptables -m u32 --u32 "8 & 0x00FF0000 = 0x00000000"
(Leading zeroes can be omitted of course.)
And, for completeness of the example, here is one with a shift:
TCP: iptables -m u32 --u32 "8 & 0xFF0000 >> 16 = 6"
Happy matching.
Jan
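Jan's two messages above describe how the u32 match works (load the 32-bit word at a byte offset, mask it, optionally shift, compare) and show first a wrong mask and then the corrected ones. The following is an added example, not code from this thread or from the netfilter project's xt_u32 module: a small Python model of that evaluation, run against constructed IPv4 headers. The names `u32_match`, `build_ipv4_header` and the helper functions are mine; the addresses, identification values and TTL in the headers are constructed. Only the part of the u32 grammar the thread uses is modelled (`&`, `<<`, `>>`, `=`, comma-separated values and `lo:hi` ranges, `&&` between tests); the `@` operator is not. The point it makes visible is that `8&0x0F00=0` tests bits of the header checksum, so its result changes with the identification field and not with the protocol, while `8 & 0x00FF0000 = ...` and the shifted form select byte 9.

```python
"""Model of the iptables u32 match for tests of the form
"<offset> [& mask | << n | >> n]... = value[,value|lo:hi]...", joined by "&&".

Added example; u32_match() and build_ipv4_header() are hypothetical helpers,
not the xt_u32 implementation. Operators are applied left to right, as written.
"""
import re
import struct

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&")


def _num(tok: str) -> int:
    """Parse a decimal or 0x-prefixed hexadecimal literal."""
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def _match_one(packet: bytes, test: str) -> bool:
    """Evaluate one "location = values" test against the raw packet bytes."""
    lhs, rhs = test.split("=", 1)
    tokens = _TOKEN.findall(lhs)
    if not tokens or len(tokens) % 2 == 0:
        raise ValueError(f"u32: malformed location in {test!r}")
    offset = _num(tokens[0])
    if offset + 4 > len(packet):
        return False  # the 32-bit word would lie outside the packet: no match
    value = struct.unpack_from("!I", packet, offset)[0]  # big-endian, bytes offset..offset+3
    for i in range(1, len(tokens), 2):
        op, arg = tokens[i], _num(tokens[i + 1])
        if op == "&":
            value &= arg
        elif op == ">>":
            value = (value >> arg) & 0xFFFFFFFF
        elif op == "<<":
            value = (value << arg) & 0xFFFFFFFF
        else:
            raise ValueError(f"u32: unsupported operator {op!r}")
    for item in rhs.split(","):  # any listed value or range satisfies the test
        lo, _, hi = item.partition(":")
        low = _num(lo.strip())
        high = _num(hi.strip()) if hi else low
        if low <= value <= high:
            return True
    return False


def u32_match(packet: bytes, expr: str) -> bool:
    """True when every '&&'-separated test in expr matches the packet."""
    return all(_match_one(packet, t.strip()) for t in expr.split("&&"))


def _checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement 16-bit sum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(proto: int, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header, no options, no payload; byte 9 carries proto."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


NAIVE = "8&0x0F00=0"                     # first expression from the thread
BY_MASK = "8 & 0x00FF0000 = 0x00000000"  # corrected: mask keeps byte 9 only
BY_SHIFT = "8 & 0xFF0000 >> 16 = 0"      # same selection, with the shift spelled out

if __name__ == "__main__":
    # Varying only the identification field flips NAIVE; BY_MASK/BY_SHIFT follow proto.
    for proto, ident in ((0, 0x1234), (0, 0x0660), (6, 0x1234), (6, 0x0660)):
        pkt = build_ipv4_header(proto, ident)
        print(f"proto={proto:2d} ident={ident:#06x}: naive={u32_match(pkt, NAIVE)!s:5} "
              f"mask={u32_match(pkt, BY_MASK)!s:5} shift={u32_match(pkt, BY_SHIFT)}")
```

The model evaluates the word at offset 8 as bytes 8..11 in network order, so TTL sits in bits 31..24, the protocol in bits 23..16 and the checksum in bits 15..0; a mask of `0x0F00` therefore reaches into the checksum, which is why the corrected expressions use `0x00FF0000`. The u32 workaround is only needed for protocol 0, since `-p` cannot express it; for every other protocol `-p <number>` remains the clearer and cheaper match.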