From: Chris Brenton <cbrenton@chrisbrenton.org>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: the impossible "iptables -C" option
Date: Sat, 24 Jul 2004 06:16:40 -0400
Message-ID: <1090664200.2012.21.camel@grendel>
In-Reply-To: <200407240856.03201.Antony@Soft-Solutions.co.uk>
On Sat, 2004-07-24 at 03:56, Antony Stone wrote:
>
> I understand it to mean "check what would happen to a packet of this type if
> it went through the ruleset"
Yup, that's what it did under ipchains. :)
> > What is "packet payload"? How does it make the "--check" option impossible
> > to be implemented?
>
> It makes it impossible to implement --check because there's no way to provide
> the payload on the command line.
Not quite true as you would just use a string match, same as you would in
a filtering rule.
The problem is a majority of the time check would end up reporting "it
depends". For example what if you try to check what would happen to "a
packet coming from the Internet to an internal system from 22/TCP to an
upper port number, with the ACK flag set and "foo" in the payload". You
may not have a rule that specifically lets this traffic through, but it
might actually pass if it ends up being a state match due to an initial
outbound SYN packet. So how iptables would handle this packet "depends"
on what traffic went by prior to it.
The check option has said it would be implemented "real soon now" since
iptables was alpha code. I'm guessing the option will never happen. It's
just a carry over from ipchains. ;-)
HTH,
C
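The point Chris makes above, that the fate of a packet on a stateful filter is a function of the traffic that preceded it, can be shown with a small model. The following is an added example written for this page; it is not code from the post, and it is not netfilter's own logic. It models a chain of two rules in the spirit of `-m state --state ESTABLISHED -j ACCEPT` followed by "accept new outbound SYNs from the internal network", with a `-m string`-style payload rule in front, and a toy connection table standing in for conntrack. Addresses, ports and rules are constructed for the demonstration. (For the record: the `-C`/`--check` that later iptables releases do have tests whether a given rule already exists in a chain, not what would happen to a packet.)

```python
"""Toy model of a stateful packet filter, constructed to show why a stateless
"what would iptables do with this packet" check can only answer "it depends".
Added example for this page; not from the original post and not netfilter code.
All rules, addresses and packets below are made up."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN"}) or frozenset({"ACK"})
    payload: bytes = b""      # what a -m string rule would look at


@dataclass
class Firewall:
    # Rules are (matcher, verdict) pairs evaluated top to bottom, like a chain.
    rules: list
    # Stand-in for the conntrack table: 4-tuples of accepted connections.
    conntrack: set = field(default_factory=set)
    policy: str = "DROP"      # chain policy if no rule matches

    @staticmethod
    def _conn_key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_key(pkt):
        # The same connection seen from the other direction.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def is_established(self, pkt):
        """Equivalent of --state ESTABLISHED: the packet belongs to a known connection."""
        return self._conn_key(pkt) in self.conntrack or self._reply_key(pkt) in self.conntrack

    def filter(self, pkt):
        """Verdict for pkt given the connection table as it is right now."""
        for matcher, verdict in self.rules:
            if matcher(self, pkt):
                return verdict
        return self.policy

    def send(self, pkt):
        """Run the packet through the chain; accepted packets create state."""
        verdict = self.filter(pkt)
        if verdict == "ACCEPT":
            self.conntrack.add(self._conn_key(pkt))
        return verdict


def check(fw, pkt, prior_traffic=()):
    """The only honest form of a 'check' on a stateful filter: replay the
    assumed history on a copy of the firewall, then evaluate the packet."""
    replay = Firewall(rules=fw.rules, conntrack=set(fw.conntrack), policy=fw.policy)
    for earlier in prior_traffic:
        replay.send(earlier)
    return replay.filter(pkt)


def demo():
    """Same packet, two different histories, two different verdicts."""
    fw = Firewall(rules=[
        # -m string --string "evil" -j DROP  (payload can be matched, as the post says)
        (lambda fw, p: b"evil" in p.payload, "DROP"),
        # -m state --state ESTABLISHED -j ACCEPT
        (lambda fw, p: fw.is_established(p), "ACCEPT"),
        # new outbound SYN from the internal 10.0.0.0/8 network is allowed out
        (lambda fw, p: p.src.startswith("10.") and p.flags == frozenset({"SYN"}), "ACCEPT"),
    ])
    # The packet from the post: Internet host, source port 22/TCP, to an internal
    # system on a high port, ACK set, "foo" in the payload.
    inbound = Packet("203.0.113.5", "10.1.2.3", 22, 40000, frozenset({"ACK"}), b"foo")
    # The outbound SYN that would have opened that connection.
    outbound_syn = Packet("10.1.2.3", "203.0.113.5", 40000, 22, frozenset({"SYN"}))
    return {
        "no prior traffic": check(fw, inbound),                             # DROP
        "after outbound SYN": check(fw, inbound, prior_traffic=[outbound_syn]),  # ACCEPT
    }


if __name__ == "__main__":
    for history, verdict in demo().items():
        print(f"{history}: {verdict}")
```

No rule names the inbound packet explicitly, so a check that only looks at the ruleset and the packet reports DROP, while the same packet is accepted once the state table remembers the outbound SYN. Any `--check` worth having would therefore need the connection history as an input, which is exactly what the command line cannot supply.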
Thread overview: 10+ messages
2004-07-23 23:24 the impossible "iptables -C" option Bruno Negrão
2004-07-24 7:56 ` Antony Stone
2004-07-24 8:36 ` Re[2]: " mortar
2004-07-24 10:16 ` Chris Brenton [this message]
2004-07-24 10:27 ` Antony Stone
2004-07-24 11:45 ` Chris Brenton
2004-07-24 18:46 ` Les Mikesell
2004-07-24 20:13 ` Antony Stone
2004-07-25 17:50 ` Les Mikesell
2004-07-25 18:08 ` Antony Stone