From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: intrapositioned and extrapositioned negation
Date: Fri, 30 Oct 2009 15:48:08 +0100
Message-ID: <4AEAFCA8.7070709@chello.at>

netfilter-owner@vger.kernel.org wrote:
> Mart Frauenlob wrote:
>
>> Mart Frauenlob wrote:
>>
>>> Hello,
>>>
>>> today I installed iptables 1.4.5 and discovered my ruleset produces
>>> those warnings about intrapositioned negation:
>>> Using intrapositioned negation (`--option ! this`) is deprecated in
>>> favor of extrapositioned (`! --option this`).
>>>
>>> I haven't completely looked up the changelogs, but from what I've
>>> found on the internet, this was introduced with 1.4.3.1, right?
>>>
>>> However, my ruleset is automatically generated by a self written shell
>>> script, which I now need to change.
>>> It needs to work with any 2.6 kernel and with 2.4 kernels supporting
>>> iptables.
>>> As my testing options (hardware, time) are limited, I'm asking if
>>> someone knows:
>>>
>>> Will 2.4 kernels and older iptables versions accept the
>>> extrapositioned (`! --option this`) notation?
>>> If so, I can rewrite my script to always use extrapositioned syntax.
>>> Lots of work, but ok...
>>>
>>> If not, what kernel / iptables versions do only understand the old
>>> deprecated way?
>>> So I can query for them and take the appropriate steps.
>>>
>>> Thanks a lot!
>>>
>> Nobody knows?
>> Well, I've found some old virtual machines, tested it with debian woody
>> and sarge, using kernel 2.4.18.bf2-4 and 2.6.18 and extrapositioned
>> negation does not seem to cause problems.
>> Am I right to assume, that all 2.4 kernels with iptables support - DON'T
>> have troubles using extrapositioned negation???
>>
>
> The kernel doesn't care about how you specify negation, it's purely
> a userspace thing. So yes, it should work properly on any kernel
> version.
>
Hello netfilter-owner@vger.kernel.org :)

thanks for pointing that out.
In my second post I forgot to ask about the compatible iptables version.
The lowest version I tested on debian woody is: 1.2.6a.
Rephrased, do I have to expect problems using extrapositioned negation
on older iptables versions?

Sidenote to the devels ;-P :
The man page has documented intrapositioned negation for years, this is
the only note in the changelog for 1.4.3.2:

> iptables: print negation extrapositioned
>

It's like with the DROP in the nat table, a short note in the change
log, and the whole world has to find out what's going on, and change
their programs/scripts.
Imho, changes like those should be worth a few explaining sentences.

Thanks and regards

Mart
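
The syntax change discussed in this message, as an added example that is not part of the original e-mail or of iptables itself: a shell function that moves intrapositioned negation (`--option ! value`) to the extrapositioned form (`! --option value`) in a single rule line. The function names and sample rules are hypothetical, and the rewrite is a heuristic that assumes whitespace-separated tokens without quoted strings.

```shell
#!/bin/sh
# Added example: move intrapositioned negation ("--option ! value") to the
# extrapositioned form ("! --option value") in one iptables rule line.
# Assumption: tokens are whitespace-separated and contain no quoted strings.

# True when the argument looks like an option (starts with "-").
is_opt() {
    case "$1" in
        -*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Hypothetical helper: prints the rewritten form of the rule given as $1.
to_extrapositioned() {
    set -f          # disable globbing while the rule is split into tokens
    set -- $1
    set +f
    out=""
    prev=""         # last token read, held back until we know what follows
    while [ $# -gt 0 ]; do
        tok=$1
        shift
        # A "!" between an option and its value is intrapositioned. A "!"
        # followed by another option (e.g. "--syn ! -s ...") already
        # negates that next option and must stay where it is.
        if [ "$tok" = "!" ] && [ $# -gt 0 ] && is_opt "$prev" && ! is_opt "$1"; then
            out="$out ! $prev"
            prev=""
            continue
        fi
        if [ -n "$prev" ]; then
            out="$out $prev"
        fi
        prev=$tok
    done
    if [ -n "$prev" ]; then
        out="$out $prev"
    fi
    printf '%s\n' "${out# }"
}

# Constructed sample rules, not taken from the thread.
to_extrapositioned '-A INPUT -s ! 10.0.0.0/8 -p tcp --dport ! 22 -j DROP'
to_extrapositioned '-A INPUT -p tcp --syn ! -s 192.0.2.1 -j ACCEPT'
```

Rules that are already extrapositioned pass through unchanged, so the function can be run over a mixed ruleset before comparing the result with the original.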