From: Christoph Gossen <gosen@conterra.de>
To: netfilter@lists.samba.org
Subject: Re: invert problem with multiport
Date: Wed, 19 Jun 2002 10:12:39 +0200
Message-ID: <3D103CF7.915F759F@conterra.de>
In-Reply-To: 200206181618.RAA27678@slate.rockstone.co.uk

Antony Stone wrote:
>
> On Tuesday 18 June 2002 4:50 pm, Christoph Gossen wrote:
>
> > Hello,
> >
> > I think there's a bug in the behaviour of the multiport module - for
> > example, a line like
> >
> > iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
> >
> > causes the same behaviour as
> >
> > iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
> >
> > or
> >
> > iptables -p tcp -A OUTPUT --dport 25 -j DROP
> >
> > and NOT (as one would expect) that one caused by
> >
> > iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
> >
> > Inverting the (set of) port(s) due to the "!" sign in the first line
> > above is just ignored
> > (no syntax error occurs)!
> >
> > Any comments?
>
> I don't use the multiport match myself, but I'd expect it to be:
>
> iptables -p tcp -A OUTPUT -m multiport --dport ! 25 -j DROP
I have already tried this - it causes a syntax error
"invalid port/service `!' specified" (everything ok with this, to me).
>
> In other words "a destination port which isn't 25"....
>
> What does that do for you ?
>
> I note from the man page for iptables, though, that --dport has the [ ! ]
> option, but "multiport --dport" doesn't, so maybe negating multiports is not
> supported at all ?
This is what I assume, too. However, the "!" should not be silently
ignored then but rather a syntax error should arise (to avoid confusion,
or even a potential source of error).
Hervé Eychenne wrote:
...
> multiport option is "--dports", not "--dport"...
>
> RV
This is not quite right, as one can abbreviate down to even "--dp"
(I guess THIS is really an intended feature and not a bug).

I forgot to mention the iptables version I tried: It was version 1.2.2
and 1.2.6a.

Greetings,
Christoph
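
An added example, not part of the original message or of iptables itself: a small audit script that flags rules in which "!" sits directly before a multiport port option, the placement this message reports as silently ignored by iptables 1.2.2 and 1.2.6a. The function names are hypothetical, the sample rules are constructed (the first three are the command lines quoted above), and prefix matching is included because the message notes that options can be abbreviated down to "--dp".

```python
import shlex

# Long options of the multiport match. The thread notes that abbreviations
# such as "--dp" are accepted, so unambiguous prefixes are matched as well.
MULTIPORT_OPTS = ("--source-ports", "--sports",
                  "--destination-ports", "--dports", "--ports")
# Built-in options with overlapping prefixes, where "!" is a valid inversion.
BUILTIN_OPTS = ("--source", "--destination", "--protocol")


def is_multiport_port_opt(token):
    """True if token is a (possibly abbreviated) multiport port option."""
    if len(token) < 3 or not token.startswith("--"):
        return False
    if any(opt.startswith(token) for opt in BUILTIN_OPTS):
        return False
    return any(opt.startswith(token) for opt in MULTIPORT_OPTS)


def find_ignored_negations(rule_lines):
    """Return (line_number, rule) for every rule that puts "!" directly
    before a port option while multiport is the last match named by -m."""
    findings = []
    for number, line in enumerate(rule_lines, start=1):
        tokens = shlex.split(line, comments=True)
        current_match = None
        for i, tok in enumerate(tokens[:-1]):
            nxt = tokens[i + 1]
            if tok in ("-m", "--match"):
                current_match = nxt
            elif (tok == "!" and current_match == "multiport"
                  and is_multiport_port_opt(nxt)):
                findings.append((number, line.strip()))
                break
    return findings


# Constructed sample; rules 1-3 are the command lines quoted in the thread.
SAMPLE_RULES = [
    "iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP",
    "iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP",
    "iptables -p tcp -A OUTPUT ! --dport 25 -j DROP",
    "iptables -p tcp -A OUTPUT -m multiport ! --dp 25,110 -j DROP",
    "iptables -p tcp -A OUTPUT -m multiport ! -d 10.0.0.1 --dports 80 -j DROP",
]

if __name__ == "__main__":
    for number, rule in find_ignored_negations(SAMPLE_RULES):
        print(f"rule {number}: negation before multiport port option: {rule}")
```

A flagged rule is one to re-test on the installed iptables version, since on the versions named in the message it would match port 25 rather than everything except port 25.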
Thread overview: 4+ messages
2002-06-18 15:50 invert problem with multiport Christoph Gossen
2002-06-18 16:18 ` Antony Stone
2002-06-19 8:12 ` Christoph Gossen [this message]
2002-06-18 22:18 ` Stewart Thompson