From: Tom Eastep <teastep@shorewall.net>
To: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Cc: Steven Jan Springl <steven@springl.ukfsn.org>
Subject: Possible iptables 4.4.11 issues
Date: Sun, 29 May 2011 07:33:34 -0700
Message-ID: <4DE2593E.7000208@shorewall.net>

One of the Shorewall Beta testers just installed iptables 1.4.11 and is
seeing a couple of anomalies. Before I run off and change Shorewall, I
would like to confirm that these are intentional changes in iptables
behavior and not bugs:
-------- Original Message --------
Subject: Re: [Shorewall-devel] Shorewall 4.4.20 Beta 5
Date: Sun, 29 May 2011 15:01:09 +0100
From: Steven Jan Springl <steven@springl.ukfsn.org>
Reply-To: shorewall-devel@lists.sourceforge.net
To: shorewall-devel@lists.sourceforge.net
Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35

The following rules file entry:

    ACCEPT $FW lan tcp 22 - - - !root:root

produces the following iptables rule:

    -A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner root -j ACCEPT

Which works.

After upgrading iptables to 1.4.11 the following iptables-restore error
is produced:

    iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.

The following tcrules file entry:

    IPMARK(dst,-1,-64) $FW eth1 tcp 888

produces the following iptables rule:

    -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr dst --and-mask -1 --or-mask -64 --shift 0

Which works.

After upgrading to iptables 1.4.11 the following iptables-restore error is
produced:

    iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
---------------------------------
Thanks,
-Tom