From: vitry <vitry.es@gmail.com>
To: netfilter@vger.kernel.org
Subject: Possible bug in owner match
Date: Mon, 01 Jun 2009 18:36:42 +0200
Message-ID: <4A24039A.3080006@gmail.com>

Hi to all,

I want to report a possible bug in the owner match with the uid test, not submitted
in iptables.git (in older versions it works fine).

host: Linux iris 2.6.26-2-amd64 #1 SMP Fri Mar 27 04:02:59 UTC 2009 x86_64 GNU/Linux
      iptables v1.4.3.1

fw:   Linux Firewall-2 2.6.28.9 #5 Fri Mar 27 06:52:33 CET 2009 mips unknown
      iptables v1.4.3.1

Problem with UID (Not match):

iris:~# iptables -t mangle -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 3538K packets, 216M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1806  152K TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 1002 TOS set 0x40/0xc0


root@Firewall-2:~# iptables -t mangle -Z


1002:1002@iris//# ping -c 1 192.168.10.1


root@Firewall-2:~# iptables -t mangle -L PREROUTING -v -n
Chain PREROUTING (policy ACCEPT 226 packets, 76471 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  eth0.0 *       0.0.0.0/0            0.0.0.0/0           tos match 0x40/0xc0 MARK xset 0x2/0xffffffff
    0     0 MARK       all  --  eth0.0 *       0.0.0.0/0            0.0.0.0/0           tos match 0x80/0xc0 MARK xset 0x3/0xffffffff
    0     0 MARK       all  --  eth0.0 *       0.0.0.0/0            0.0.0.0/0           tos match 0xc0/0xc0 MARK xset 0x4/0xffffffff


Solved with GID (Match correctly):

iris:~# iptables -t mangle -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 3538K packets, 216M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1806  152K TOS        all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner GID match 1002 TOS set 0x40/0xc0


root@Firewall-2:~# iptables -t mangle -Z


1002:1002@iris//# ping -c 1 192.168.10.1


root@Firewall-2:~# iptables -t mangle -L PREROUTING -v -n
Chain PREROUTING (policy ACCEPT 7151 packets, 4273K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 MARK       all  --  eth0.0 *       0.0.0.0/0            0.0.0.0/0           tos match 0x40/0xc0 MARK xset 0x2/0xffffffff
    0     0 MARK       all  --  eth0.0 *       0.0.0.0/0            0.0.0.0/0           tos match 0x80/0xc0 MARK xset 0x3/0xffffffff
    0     0 MARK       all  --  eth0.0 *       0.0.0.0/0            0.0.0.0/0           tos match 0xc0/0xc0 MARK xset 0x4/0xffffffff

Best regards,
vitry
