* Possible iptables 4.4.11 issues
From: Tom Eastep @ 2011-05-29 14:33 UTC (permalink / raw)
To: Netfilter Developer Mailing List; +Cc: Steven Jan Springl
One of the Shorewall Beta testers just installed iptables 1.4.11 and is
seeing a couple of anomalies. Before I run off and change Shorewall, I
would like to confirm that these are intentional changes in iptables
behavior and not bugs:
-------- Original Message --------
Subject: Re: [Shorewall-devel] Shorewall 4.4.20 Beta 5
Date: Sun, 29 May 2011 15:01:09 +0100
From: Steven Jan Springl <steven@springl.ukfsn.org>
Reply-To: shorewall-devel@lists.sourceforge.net
To: shorewall-devel@lists.sourceforge.net
Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35
The following rules file entry:
ACCEPT $FW lan tcp 22 - - - !root:root
produces the following iptables rule:
-A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner root -j ACCEPT
Which works.
After upgrading iptables to 1.4.11 the following iptables-restore error
is produced:
iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.
The following tcrules file entry:
IPMARK(dst,-1,-64) $FW eth1 tcp 888
produces the following iptables rule:
-A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr dst --and-mask -1 --or-mask -64 --shift 0
Which works.
After upgrading to iptables 1.4.11 the following iptables-restore error is
produced:
iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
---------------------------------
Thanks,
-Tom
* Re: Possible iptables 4.4.11 issues
From: Tom Eastep @ 2011-05-29 14:43 UTC (permalink / raw)
To: Netfilter Developer Mailing List; +Cc: Steven Jan Springl
On 5/29/11 7:33 AM, Tom Eastep wrote:
> One of the Shorewall Beta testers just installed iptables 1.4.11 and is
> seeing a couple of anomalies. Before I run off and change Shorewall, I
> would like to confirm that these are intentional changes in iptables
> behavior and not bugs:
...
>
> IPMARK(dst,-1,-64) $FW eth1 tcp 888
>
> produces the following iptables rule:
>
> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr
> dst --and-mask -1 --or-mask -64 --shift 0
>
> Which works.
> After upgrading to iptables 1.4.11 the following iptables-restore error is
> produced:
>
> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
I apologize for responding to my own post, but this one looks like
inadequate editing by Shorewall. So this one is mine.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
* Re: Possible iptables 4.4.11 issues
From: Jan Engelhardt @ 2011-05-29 14:48 UTC (permalink / raw)
To: Tom Eastep; +Cc: Netfilter Developer Mailing List, Steven Jan Springl
On Sunday 2011-05-29 16:33, Tom Eastep wrote:
>After upgrading iptables to 1.4.11 the following iptables-restore error
>is produced:
>
>iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.
Bug, fix will be submitted.
>-A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr
>dst --and-mask -1 --or-mask -64 --shift 0
>After upgrading to iptables 1.4.11 the following iptables-restore error is
>produced:
>
>iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
This is intentional. Bitwise operations work best when fed unsigned numbers
only.
* Re: Possible iptables 4.4.11 issues
From: Tom Eastep @ 2011-05-29 14:52 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List, Steven Jan Springl
On 5/29/11 7:48 AM, Jan Engelhardt wrote:
>
> On Sunday 2011-05-29 16:33, Tom Eastep wrote:
>> After upgrading iptables to 1.4.11 the following iptables-restore error
>> is produced:
>>
>> iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.
>
> Bug, fix will be submitted.
>
>
>> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr
>> dst --and-mask -1 --or-mask -64 --shift 0
>> After upgrading to iptables 1.4.11 the following iptables-restore error is
>> produced:
>>
>> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
>
> This is intentional. Bitwise operations work best when fed unsigned numbers
> only.
Thanks, Jan -- I've sent Steven a Shorewall patch for this one.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
* Re: Possible iptables 4.4.11 issues
From: Pablo Neira Ayuso @ 2011-05-31 9:42 UTC (permalink / raw)
To: Jan Engelhardt
Cc: Tom Eastep, Netfilter Developer Mailing List, Steven Jan Springl
On 29/05/11 16:48, Jan Engelhardt wrote:
>
> On Sunday 2011-05-29 16:33, Tom Eastep wrote:
>> After upgrading iptables to 1.4.11 the following iptables-restore error
>> is produced:
>>
>> iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.
>
> Bug, fix will be submitted.
>
>> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr
>> dst --and-mask -1 --or-mask -64 --shift 0
>> After upgrading to iptables 1.4.11 the following iptables-restore error is
>> produced:
>>
>> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
>
> This is intentional. Bitwise operations work best when fed unsigned numbers
> only.
But this used to work; we shouldn't break this sort of thing, Jan.
* Re: Possible iptables 4.4.11 issues
From: Maciej Żenczykowski @ 2011-05-31 9:51 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Jan Engelhardt, Tom Eastep, Netfilter Developer Mailing List,
Steven Jan Springl
>>> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr
>>> dst --and-mask -1 --or-mask -64 --shift 0
>>> After upgrading to iptables 1.4.11 the following iptables-restore error is
>>> produced:
>>>
>>> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
>>
>> This is intentional. Bitwise operations work best when fed unsigned numbers
>> only.
>
> But this used to work; we shouldn't break this sort of thing, Jan.
Assuming 2's complement arithmetic, an --and-mask of -1 should be a no-op
(since -1 is all 1's in binary).
However, when reading --and-mask -1 my first gut instinct is that this
is --and-mask ~1 and thus clears the least significant bit.
I also instinctively and incorrectly assume --or-mask -64 sets all but bit
6, when it is actually setting all but the bottom 6 bits (i.e. bits 0
through 5)...
To me this sort of lack of clarity is undesirable, and I can certainly
understand the desire to disable masks with negative integers.
-- Maciej
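Maciej's two readings of the masks, worked through in Python. This is an added example, not code from the thread, from iptables or from xtables-addons; the mark formula ((addr >> shift) & and-mask) | or-mask is assumed from the IPMARK documentation, and parse_unsigned_mask is a hypothetical stand-in for the stricter 1.4.11 option parsing, not the real one.

```python
# Added example: what "--and-mask -1 --or-mask -64" means once the signed
# values are reinterpreted as the 32-bit words the kernel actually applies,
# and why an unsigned-only parser removes the ambiguity Maciej describes.
import ipaddress

MASK32 = 0xFFFFFFFF


def to_u32(value: int) -> int:
    """Reinterpret a signed Python int as a 32-bit two's complement word."""
    return value & MASK32


def ipmark(addr: str, and_mask: int, or_mask: int, shift: int = 0) -> int:
    """IPMARK result for an IPv4 address; masks are already unsigned 32-bit.
    Formula assumed: ((addr >> shift) & and_mask) | or_mask."""
    a = int(ipaddress.IPv4Address(addr))
    return (((a >> shift) & and_mask) | or_mask) & MASK32


def parse_unsigned_mask(text: str) -> int:
    """Hypothetical stand-in for the 1.4.11 behaviour: reject signed input,
    accept decimal or 0x-prefixed hex that fits in 32 bits."""
    if text.startswith(("-", "+")):
        raise ValueError(f'Bad value for mask option: "{text}"')
    value = int(text, 0)
    if value > MASK32:
        raise ValueError(f'Mask does not fit in 32 bits: "{text}"')
    return value


def legacy_vs_explicit(addr: str) -> tuple:
    """The old spelling (-1, -64) versus the unsigned spelling it really meant."""
    legacy = ipmark(addr, to_u32(-1), to_u32(-64))
    explicit = ipmark(addr, parse_unsigned_mask("0xffffffff"),
                      parse_unsigned_mask("0xffffffc0"))
    return legacy, explicit


def misread_and_mask(addr: str) -> int:
    """What --and-mask -1 would do under the gut-instinct reading ~1 (clear bit 0)."""
    return ipmark(addr, to_u32(~1), 0)


if __name__ == "__main__":
    # Constructed sample address, not from the thread.
    print(hex(to_u32(-1)), hex(to_u32(-64)))      # 0xffffffff 0xffffffc0
    print([hex(m) for m in legacy_vs_explicit("10.0.0.5")])
```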
* Re: Possible iptables 4.4.11 issues
From: Pablo Neira Ayuso @ 2011-05-31 9:53 UTC (permalink / raw)
To: Maciej Żenczykowski
Cc: Jan Engelhardt, Tom Eastep, Netfilter Developer Mailing List,
Steven Jan Springl
On 31/05/11 11:51, Maciej Żenczykowski wrote:
>>>> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr
>>>> dst --and-mask -1 --or-mask -64 --shift 0
>>>> After upgrading to iptables 1.4.11 the following iptables-restore error is
>>>> produced:
>>>>
>>>> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
>>>
>>> This is intentional. Bitwise operations work best when fed unsigned numbers
>>> only.
>>
>> But this used to work; we shouldn't break this sort of thing, Jan.
>
> Assuming 2's complement arithmetic, an --and-mask of -1 should be a no-op
> (since -1 is all 1's in binary).
>
> However, when reading --and-mask -1 my first gut instinct is that this
> is --and-mask ~1 and thus clears the least significant bit.
> I also instinctively and incorrectly assume --or-mask -64 sets all but bit
> 6, when it is actually setting all but the bottom 6 bits (i.e. bits 0
> through 5)...
>
> To me this sort of lack of clarity is undesirable, and I can certainly
> understand the desire to disable masks with negative integers.
Makes sense, thanks for the clarification.