From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mart Frauenlob
Subject: Re: intrapositioned and extrapositioned negation
Date: Fri, 30 Oct 2009 15:48:08 +0100
Message-ID: <4AEAFCA8.7070709@chello.at>
Reply-To: netfilter@vger.kernel.org
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@vger.kernel.org

netfilter-owner@vger.kernel.org wrote:
> Mart Frauenlob wrote:
>
>> Mart Frauenlob wrote:
>>
>>> Hello,
>>>
>>> today I installed iptables 1.4.5 and discovered my ruleset produces
>>> those warnings about intrapositioned negation:
>>> Using intrapositioned negation (`--option ! this`) is deprecated in
>>> favor of extrapositioned (`! --option this`).
>>>
>>> I haven't completely looked up the changelogs, but from what I've
>>> found on the internet, this was introduced with 1.4.3.1, right?
>>>
>>> However, my ruleset is automatically generated by a self-written shell
>>> script, which I now need to change.
>>> It needs to work with any 2.6 kernel and with 2.4 kernels supporting
>>> iptables.
>>> As my testing options (hardware, time) are limited, I'm asking if
>>> someone knows:
>>>
>>> Will 2.4 kernels and older iptables versions accept the
>>> extrapositioned (`! --option this`) notation?
>>> If so, I can rewrite my script to always use extrapositioned syntax.
>>> Lots of work, but ok...
>>>
>>> If not, what kernel / iptables versions do only understand the old
>>> deprecated way?
>>> So I can query for them and take the appropriate steps.
>>>
>>> Thanks a lot!
>>>
>> Nobody knows?
>> Well, I've found some old virtual machines, tested it with debian woody
>> and sarge, using kernel 2.4.18.bf2-4 and 2.6.18 and extrapositioned
>> negation does not seem to cause problems.
>> Am I right to assume that all 2.4 kernels with iptables support DON'T
>> have troubles using extrapositioned negation???
>>
>
> The kernel doesn't care about how you specify negation, it's purely
> a userspace thing. So yes, it should work properly on any kernel
> version.
>

Hello netfilter-owner@vger.kernel.org :)

thanks for pointing that out.
In my second post I forgot to ask about the compatible iptables version.
The lowest version I tested on debian woody is: 1.2.6a.
Rephrased, do I have to expect problems using extrapositioned negation on
older iptables versions?

Sidenote to the devels ;-P :
The man page has documented intrapositioned negation for years, this is
the only note in the changelog for 1.4.3.2:

> iptables: print negation extrapositioned
>

It's like with the DROP in the nat table, a short note in the change log,
and the whole world has to find out what's going on, and change their
programs/scripts.
Imho, changes like those should be worth a few explaining sentences.

Thanks and regards
Mart
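One way to migrate a generated ruleset mechanically from the deprecated intrapositioned form (`--option ! this`) to the extrapositioned form (`! --option this`), added here as an example; it is not code from this thread or from iptables itself. The function names and the sample rule lines are my own constructed illustrations, and the rewrite assumes every negated option is written as an option token immediately followed by a lone `!`, which is the only shape the deprecation warning describes.

```shell
#!/bin/sh
# Added example: rewrite intrapositioned negation ("--option ! value", also
# short options such as "-s ! net") into the extrapositioned form
# ("! --option value") that newer iptables prints and prefers.

# to_extrapositioned RULE
#   RULE is one rule as a single string (the arguments that follow "iptables").
#   Every "<option> ! " pair is turned into "! <option> "; rules that already
#   use the extrapositioned form are left untouched because no option token is
#   followed directly by "!".
to_extrapositioned() {
    printf '%s\n' "$1" | sed 's/\(-[-a-zA-Z0-9]*\) ! /! \1 /g'
}

# rewrite_ruleset RULESET
#   RULESET is a newline-separated list of rules; each line is rewritten.
rewrite_ruleset() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        to_extrapositioned "$rule"
    done
}

# Constructed sample ruleset (hypothetical, not from the original post):
# a mix of deprecated, already-converted and non-negated rules.
sample_rules='-A INPUT -s ! 10.0.0.0/8 -p tcp --dport ! 22 -j DROP
-A INPUT ! -i lo -j ACCEPT
-A FORWARD -p ! icmp -m state --state ! NEW -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT'

# Print the converted ruleset so the result can be compared line by line
# with the original before it is loaded.
rewrite_ruleset "$sample_rules"
```

The sed pattern anchors on the option token itself (one or two leading dashes followed by option characters, then a space and a lone `!`), so values that merely contain a dash are not touched, and a rule that already reads `! -i lo` produces no match. Running the converted output through `iptables-save`-style review before loading it is the cheap way to confirm nothing else in the generated rules changed.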