* invert problem with multiport
@ 2002-06-18 15:50 Christoph Gossen
From: Christoph Gossen @ 2002-06-18 15:50 UTC (permalink / raw)
To: netfilter
Hello,
I think there's a bug in the behaviour of the multiport module - for
example, a line like
iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
causes the same behaviour as
iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
or
iptables -p tcp -A OUTPUT --dport 25 -j DROP
and NOT (as one would expect) the one caused by
iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
Inverting the (set of) port(s) due to the "!" sign in the first line
above is just ignored (no syntax error occurs)!
Any comments?
Thanks,
Christoph
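As an added illustration (not code from the thread or from netfilter), here is a small Python model of the semantics under discussion: the multiport port list, the intended meaning of the "!" (match every port NOT in the set), and the behaviour reported above, where the "!" is accepted but silently ignored. The names parse_ports, multiport_match, buggy_multiport_match and first_verdict are my own choices.

```python
# Model of the iptables multiport match with and without a working invert flag.
# Added example; not part of the mailing-list thread or of the netfilter code.


def parse_ports(spec):
    """Turn '25' or '25,80:90' into a list of (lo, hi) tuples.

    This mirrors the --dports syntax: comma-separated entries, each a
    single port or a lo:hi range."""
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port spec: %r" % item)
        ranges.append((lo, hi))
    return ranges


def multiport_match(port, ranges, invert=False):
    """Intended semantics: with invert, the match fires for every port
    that is NOT in the set (e.g. 'a destination port which isn't 25')."""
    in_set = any(lo <= port <= hi for lo, hi in ranges)
    return in_set != invert


def buggy_multiport_match(port, ranges, invert=False):
    """Behaviour described in the thread: the '!' is parsed without error
    but has no effect, so the rule matches exactly like the plain one."""
    return any(lo <= port <= hi for lo, hi in ranges)


def first_verdict(port, rules):
    """Walk a chain of (ranges, invert, target, matcher) rules and return
    the target of the first rule that matches; 'ACCEPT' stands in for the
    chain's default policy when nothing matches."""
    for ranges, invert, target, matcher in rules:
        if matcher(port, ranges, invert):
            return target
    return "ACCEPT"
```

With the rule "-m multiport ! --dport 25 -j DROP" the intended matcher drops everything except port 25, while the buggy one drops only port 25, the exact opposite of what the administrator asked for, with no error to warn them.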
* Re: invert problem with multiport
From: Antony Stone @ 2002-06-18 16:18 UTC (permalink / raw)
To: netfilter
On Tuesday 18 June 2002 4:50 pm, Christoph Gossen wrote:
> Hello,
>
> I think there's a bug in the behaviour of the multiport module - for
> example, a line like
>
> iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
>
> causes the same behaviour as
>
> iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
>
> or
>
> iptables -p tcp -A OUTPUT --dport 25 -j DROP
>
> and NOT (as one would expect) that one caused by
>
> iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
>
> Inverting the (set of) port(s) due to the "!" sign in the first line
> above is just ignored
> (no syntax error occurs)!
>
> Any comments?
I don't use the multiport match myself, but I'd expect it to be:
iptables -p tcp -A OUTPUT -m multiport --dport ! 25 -j DROP
In other words "a destination port which isn't 25"....
What does that do for you ?
I note from the man page for iptables, though, that --dport has the [ ! ]
option, but "multiport --dport" doesn't, so maybe negating multiports is not
supported at all ?
If you enter all the above rules, what do you get from
iptables -L OUTPUT -v -n ?
Antony.
* RE: invert problem with multiport
From: Stewart Thompson @ 2002-06-18 22:18 UTC (permalink / raw)
To: Christoph Gossen, netfilter
Hi Christoph:
I am still running iptables 1.24. However, in that version I
don't think it supported the ! negation on multiport. Later versions
may have added that capability. Perhaps one of the members of
the list has a more definitive answer.
Stu...............
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Christoph Gossen
Sent: June 18, 2002 8:50 AM
To: netfilter@lists.samba.org
Subject: invert problem with multiport
Hello,
I think there's a bug in the behaviour of the multiport module - for
example, a line like
iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
causes the same behaviour as
iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
or
iptables -p tcp -A OUTPUT --dport 25 -j DROP
and NOT (as one would expect) that one caused by
iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
Inverting the (set of) port(s) due to the "!" sign in the first line
above is just ignored
(no syntax error occurs)!
Any comments?
Thanks,
Christoph
* Re: invert problem with multiport
From: Christoph Gossen @ 2002-06-19 8:12 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
>
> On Tuesday 18 June 2002 4:50 pm, Christoph Gossen wrote:
>
> > Hello,
> >
> > I think there's a bug in the behaviour of the multiport module - for
> > example, a line like
> >
> > iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
> >
> > causes the same behaviour as
> >
> > iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
> >
> > or
> >
> > iptables -p tcp -A OUTPUT --dport 25 -j DROP
> >
> > and NOT (as one would expect) that one caused by
> >
> > iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
> >
> > Inverting the (set of) port(s) due to the "!" sign in the first line
> > above is just ignored
> > (no syntax error occurs)!
> >
> > Any comments?
>
> I don't use the multiport match myself, but I'd expect it to be:
>
> iptables -p tcp -A OUTPUT -m multiport --dport ! 25 -j DROP
I have already tried this - it causes a syntax error "invalid
port/service `!' specified" (everything ok with this, to me).
>
> In other words "a destination port which isn't 25"....
>
> What does that do for you ?
>
> I note from the man page for iptables, though, that --dport has the [ ! ]
> option, but "multiport --dport" doesn't, so maybe negating multiports is not
> supported at all ?
This is what I assume, too. However, the "!" should not be silently
ignored then but rather a syntax error should arise (to avoid confusion,
or even a potential source of error).
Hervé Eychenne wrote:
...
> multiport option is "--dports", not "--dport"...
>
> RV
This is not quite right, as one can abbreviate down to even "--dp" (I
guess THIS is really an intended feature and not a bug).
I forgot to mention the iptables version I tried: It was version 1.2.2
and 1.2.6a.
Greetings,
Christoph