* Re: multiport needs `-p tcp', `-p udp' - Why?
From: ratheesh k @ 2010-02-27 16:46 UTC
To: U. George; +Cc: netfilter
Port offset may differ based on which layer 4 protocol you are using. If you
don't specify the protocol (layer 4), netfilter doesn't know this.
Please find below a code snippet from xt_multiport.c.
pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
if (pptr == NULL) {
        /* We've been asked to examine this packet, and we
         * can't. Hence, no choice but to drop.
         */
        duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
        *hotdrop = 1;
        return 0;
}

return ports_match(multiinfo->ports,
                   multiinfo->flags, multiinfo->count,
                   ntohs(pptr[0]), ntohs(pptr[1]));
thanks,
Ratheesh
On Sat, Feb 27, 2010 at 9:47 PM, U. George <netbeans@gatworks.com> wrote:
> You'll have to let me know why "-p udp" is needed when the chain can only have
> udp packets, and therefore can only process udp packets.
>
> I don't want to test over ((and over) and over) again when I know that the
> packet is already KNOWN to be from eth1 and of protocol UDP.
>
> Adding "-p UDP" to multiport does make iptables happy, but appears to be a
> useless test.
>
> On 02/27/2010 10:06 AM, ratheesh k wrote:
>>
>> Port is in Layer 4 of the protocol stack.
>>
>>
>> On Sat, Feb 27, 2010 at 8:33 PM, U. George<netbeans@gatworks.com> wrote:
>>>
>>> In order to get to the chain, the protocol, as well as the interface, must
>>> match. PRE_UDP is already filtered for "-p udp". So why does multiport
>>> require another check for -p udp? Does it really need to have that option in
>>> order for it to work?
>>>
>>>> + /sbin/iptables -t filter -N PRE_UDP
>>>> + /sbin/iptables -t filter -A INPUT -i eth1 -p udp -j PRE_UDP
>>>> + /sbin/iptables -t filter -A PRE_UDP -m multiport --dport 137,138,139,512,514,515,1433,1434 -j DROP
>>>> iptables v1.4.5: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>>
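As an added illustration, not from the thread and not the kernel source: a user-space model of the decision in the quoted snippet. It assumes IPv4 with protoff = IHL*4, models only --dport against the thread's port list, and shows why a protocol without ports (Mart's `-p icmp -j PRE_UDP` case) cannot be evaluated by the match, which is what the rule-time `-p` requirement rules out; all packets are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed user-space model of the xt_multiport decision, not kernel code.
 * Protocol numbers are the IANA values. */
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

enum verdict { MP_NOMATCH = 0, MP_MATCH = 1, MP_HOTDROP = -1, MP_NOPORTS = -2 };

/* The --dport list from the PRE_UDP rule in the thread. */
static const uint16_t pre_udp_dports[] = { 137, 138, 139, 512, 514, 515, 1433, 1434 };
#define NPORTS (sizeof pre_udp_dports / sizeof pre_udp_dports[0])

/* Stand-in for skb_header_pointer(skb, protoff, ...): the L4 header begins at
 * protoff = IHL*4 and its first two 16-bit fields are the ports, but only for
 * a port-carrying protocol. That is the fact `-p udp` establishes up front. */
int multiport_dport(const uint8_t *pkt, size_t len, const uint16_t *ports, size_t n)
{
    if (len < 20)
        return MP_HOTDROP;                 /* not even a full IPv4 header */
    size_t protoff = (size_t)(pkt[0] & 0x0f) * 4;
    if (pkt[9] != PROTO_TCP && pkt[9] != PROTO_UDP)
        return MP_NOPORTS;                 /* e.g. ICMP: bytes at protoff are not ports */
    if (len < protoff + 4)
        return MP_HOTDROP;                 /* the "evil tinygram": ports cut off */
    uint16_t dport = (uint16_t)((pkt[protoff + 2] << 8) | pkt[protoff + 3]);
    for (size_t i = 0; i < n; i++)
        if (dport == ports[i])
            return MP_MATCH;
    return MP_NOMATCH;
}

/* One scenario: build a constructed 28-byte IPv4 packet (20-byte header plus
 * 8 bytes of L4 data), optionally truncate it, and run the match against the
 * thread's port list. For ICMP the "port" bytes are really type/code/checksum. */
int verdict_for(uint8_t proto, uint16_t dport, size_t truncate_to)
{
    uint8_t p[28] = { 0 };
    p[0] = 0x45;                           /* version 4, IHL 5 words = 20 bytes */
    p[3] = 28;                             /* total length */
    p[9] = proto;
    p[20] = 0x9c; p[21] = 0x40;            /* source port 40000 */
    p[22] = (uint8_t)(dport >> 8); p[23] = (uint8_t)dport;
    size_t n = sizeof p;
    if (truncate_to && truncate_to < n)
        n = truncate_to;                   /* simulate a short packet */
    return multiport_dport(p, n, pre_udp_dports, NPORTS);
}
```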
* Re: multiport needs `-p tcp', `-p udp' - Why?
From: U. George @ 2010-02-27 17:28 UTC
To: ratheesh k; +Cc: netfilter
The source port offsets for UDP and TCP are both at 0 for IPv4.
The destination port offsets for UDP and TCP are both at 16 for IPv4.
On 02/27/2010 11:46 AM, ratheesh k wrote:
> Port offset may differ based on which layer 4 protocol you are using. If you
> don't specify the protocol (layer 4), netfilter doesn't know this.
>
>
> Please find below a code snippet from xt_multiport.c.
>
>
> pptr = skb_header_pointer(skb, protoff, sizeof(_ports), _ports);
> if (pptr == NULL) {
>         /* We've been asked to examine this packet, and we
>          * can't. Hence, no choice but to drop.
>          */
>         duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
>         *hotdrop = 1;
>         return 0;
> }
>
> return ports_match(multiinfo->ports,
>                    multiinfo->flags, multiinfo->count,
>                    ntohs(pptr[0]), ntohs(pptr[1]));
>
> thanks,
> Ratheesh
>
>
>
> On Sat, Feb 27, 2010 at 9:47 PM, U. George<netbeans@gatworks.com> wrote:
>> You'll have to let me know why "-p udp" is needed when the chain can only have
>> udp packets, and therefore can only process udp packets.
>>
>> I don't want to test over ((and over) and over) again when I know that the
>> packet is already KNOWN to be from eth1 and of protocol UDP.
>>
>> Adding "-p UDP" to multiport does make iptables happy, but appears to be a
>> useless test.
>>
>> On 02/27/2010 10:06 AM, ratheesh k wrote:
>>>
>>> Port is in Layer 4 of the protocol stack.
>>>
>>>
>>> On Sat, Feb 27, 2010 at 8:33 PM, U. George<netbeans@gatworks.com> wrote:
>>>>
>>>> In order to get to the chain, the protocol, as well as the interface, must
>>>> match. PRE_UDP is already filtered for "-p udp". So why does multiport
>>>> require another check for -p udp? Does it really need to have that option in
>>>> order for it to work?
>>>>
>>>>> + /sbin/iptables -t filter -N PRE_UDP
>>>>> + /sbin/iptables -t filter -A INPUT -i eth1 -p udp -j PRE_UDP
>>>>> + /sbin/iptables -t filter -A PRE_UDP -m multiport --dport 137,138,139,512,514,515,1433,1434 -j DROP
>>>>> iptables v1.4.5: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
>>>>> Try `iptables -h' or 'iptables --help' for more information.
* Re: multiport needs `-p tcp', `-p udp' - Why?
From: Dennis J. @ 2010-02-27 17:18 UTC
To: netfilter
Rules are independent. The port rule does not inherit anything from the chain
rule, so when you tell iptables to block port(s) you have to specify the
protocol again.
Regards,
Dennis
On 02/27/2010 05:17 PM, U. George wrote:
> You'll have to let me know why "-p udp" is needed when the chain can only
> have udp packets, and therefore can only process udp packets.
>
> I don't want to test over ((and over) and over) again when I know that
> the packet is already KNOWN to be from eth1 and of protocol UDP.
>
> Adding "-p UDP" to multiport does make iptables happy, but appears to be
> a useless test.
>
> On 02/27/2010 10:06 AM, ratheesh k wrote:
>> Port is in Layer 4 of the protocol stack.
>>
>>
>> On Sat, Feb 27, 2010 at 8:33 PM, U. George<netbeans@gatworks.com> wrote:
>>> In order to get to the chain, the protocol, as well as the interface, must
>>> match. PRE_UDP is already filtered for "-p udp". So why does multiport
>>> require another check for -p udp? Does it really need to have that option in
>>> order for it to work?
>>>
>>>> + /sbin/iptables -t filter -N PRE_UDP
>>>> + /sbin/iptables -t filter -A INPUT -i eth1 -p udp -j PRE_UDP
>>>> + /sbin/iptables -t filter -A PRE_UDP -m multiport --dport 137,138,139,512,514,515,1433,1434 -j DROP
>>>> iptables v1.4.5: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
>>>> Try `iptables -h' or 'iptables --help' for more information.
* Re: multiport needs `-p tcp', `-p udp' - Why?
From: Mart Frauenlob @ 2010-02-28 6:54 UTC
To: netfilter
On 27.02.2010 17:17, netfilter-owner@vger.kernel.org wrote:
> You'll have to let me know why "-p udp" is needed when the chain can only
> have udp packets, and therefore can only process udp packets.
>
> I don't want to test over ((and over) and over) again when I know that
> the packet is already KNOWN to be from eth1 and of protocol UDP.
Now if we add -p icmp -j PRE_UDP, what should iptables do?
Use 'ferm' if you are too lazy to write iptables rules:
http://ferm.foo-projects.org/
>
> Adding "-p UDP" to multiport does make iptables happy, but appears to be
> a useless test.
>
> On 02/27/2010 10:06 AM, ratheesh k wrote:
>> Port is in Layer 4 of the protocol stack.
Very useless response ...
>>
>>
>> On Sat, Feb 27, 2010 at 8:33 PM, U. George<netbeans@gatworks.com> wrote:
>>> In order to get to the chain, the protocol, as well as the interface, must
>>> match. PRE_UDP is already filtered for "-p udp". So why does multiport
>>> require another check for -p udp? Does it really need to have that option in
>>> order for it to work?
>>>
>>>> + /sbin/iptables -t filter -N PRE_UDP
>>>> + /sbin/iptables -t filter -A INPUT -i eth1 -p udp -j PRE_UDP
>>>> + /sbin/iptables -t filter -A PRE_UDP -m multiport --dport 137,138,139,512,514,515,1433,1434 -j DROP
>>>> iptables v1.4.5: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
>>>> Try `iptables -h' or 'iptables --help' for more information.
TOP POSTING is <-- censored -->...
* Re: multiport needs `-p tcp', `-p udp' - Why?
From: ratheesh k @ 2010-02-28 10:53 UTC
To: netfilter
>> On 02/27/2010 10:06 AM, ratheesh k wrote:
>>> Port is in Layer 4 of protocol stack .
>
> Very useless response ...
>
Very true.
No more top posting. I did it by mistake. Sorry.
Thanks,
Ratheesh
On Sun, Feb 28, 2010 at 12:24 PM, Mart Frauenlob
<mart.frauenlob@chello.at> wrote:
> On 27.02.2010 17:17, netfilter-owner@vger.kernel.org wrote:
>> You'll have to let me know why "-p udp" is needed when the chain can only
>> have udp packets, and therefore can only process udp packets.
>>
>> I don't want to test over ((and over) and over) again when I know that
>> the packet is already KNOWN to be from eth1 and of protocol UDP.
>
> Now if we add -p icmp -j PRE_UDP, what should iptables do?
>
> Use 'ferm' if you are too lazy to write iptables rules:
> http://ferm.foo-projects.org/
>
>>
>> Adding "-p UDP" to multiport does make iptables happy, but appears to be
>> a useless test.
>>
>> On 02/27/2010 10:06 AM, ratheesh k wrote:
>>> Port is in Layer 4 of the protocol stack.
>
> Very useless response ...
>
>
>>>
>>>
>>> On Sat, Feb 27, 2010 at 8:33 PM, U. George<netbeans@gatworks.com> wrote:
>>>> In order to get to the chain, the protocol, as well as the interface, must
>>>> match. PRE_UDP is already filtered for "-p udp". So why does multiport
>>>> require another check for -p udp? Does it really need to have that option in
>>>> order for it to work?
>>>>
>>>>> + /sbin/iptables -t filter -N PRE_UDP
>>>>> + /sbin/iptables -t filter -A INPUT -i eth1 -p udp -j PRE_UDP
>>>>> + /sbin/iptables -t filter -A PRE_UDP -m multiport --dport 137,138,139,512,514,515,1433,1434 -j DROP
>>>>> iptables v1.4.5: multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
>>>>> Try `iptables -h' or 'iptables --help' for more information.
>
>
> TOP POSTING is <-- censored -->...
* Re: multiport needs `-p tcp', `-p udp' - Why?
From: U. George @ 2010-02-28 13:59 UTC
To: netfilter
On 02/28/2010 01:54 AM, Mart Frauenlob wrote:
>> > I don't want to test over ((and over) and over) again when I know that
>> > the packet is already KNOWN to be from eth1 and of protocol UDP.
> Now if we add -p icmp -j PRE_UDP, what should iptables do?
>
> Use 'ferm' if you are too lazy to write iptables rules:
> http://ferm.foo-projects.org/
>
>> >
Do what *I* say it should be doing. Do the jump. None of the tests in the
PRE_UDP chain would/should match, and the packet should fall out by the
default policy of the chain. An iptables optimizer would recognize that
the chain only tests for UDP, and would change -p icmp -j PRE_UDP to
-p icmp -j $(default policy) without going through any of the chain.
BTW: it's not lazy to write efficient code.
* Re: multiport needs `-p tcp', `-p udp' - Why?
From: Mart Frauenlob @ 2010-02-28 14:41 UTC
To: netfilter
On 28.02.2010 14:59, netfilter-owner@vger.kernel.org wrote:
>
>
> On 02/28/2010 01:54 AM, Mart Frauenlob wrote:
>>> > I don't want to test over ((and over) and over) again when I know that
>>> > the packet is already KNOWN to be from eth1 and of protocol UDP.
>> Now if we add -p icmp -j PRE_UDP, what should iptables do?
>>
>> Use 'ferm' if you are too lazy to write iptables rules:
>> http://ferm.foo-projects.org/
>>
>>> >
> Do what *I* say it should be doing. Do the jump. None of the tests in the
> PRE_UDP chain would/should match, and the packet should fall out by the
> default policy of the chain. An iptables optimizer would recognize that
> the chain only tests for UDP, and would change -p icmp -j PRE_UDP to
> -p icmp -j $(default policy) without going through any of the chain.
Which of the 2 jumps is to take precedence?
How to judge? Read your mind?
>
> BTW: it's not lazy to write efficient code.
OK, don't be lazy: write the netfilter chain/jump optimizer :)
Because such a thing does not exist, netfilter will not do what you want.