* intrapositioned and extrapositioned negation
From: Mart Frauenlob @ 2009-10-20 10:59 UTC (permalink / raw)
To: netfilter
Hello,
today I installed iptables 1.4.5 and discovered my ruleset produces
those warnings about intrapositioned negation:
Using intrapositioned negation (`--option ! this`) is deprecated in
favor of extrapositioned (`! --option this`).
I haven't completely looked up the changelogs, but from what I've found
on the internet, this was introduced with 1.4.3.1, right?
However, my ruleset is automatically generated by a self written shell
script, which I now need to change.
It needs to work with any 2.6 kernel and with 2.4 kernels supporting
iptables.
As my testing options (hardware, time) are limited, I'm asking if
someone knows:
Will 2.4 kernels and older iptables versions accept the extrapositioned
(`! --option this`) notation?
If so, I can rewrite my script to always use extrapositioned syntax.
Lots of work, but ok...
If not, what kernel / iptables versions do only understand the old
deprecated way?
So I can query for them and take the appropriate steps.
Thanks a lot!
Mart
* Re: intrapositioned and extrapositioned negation
From: Mart Frauenlob @ 2009-10-29 9:04 UTC (permalink / raw)
To: netfilter
Mart Frauenlob wrote:
> Hello,
>
> today I installed iptables 1.4.5 and discovered my ruleset produces
> those warnings about intrapositioned negation:
> Using intrapositioned negation (`--option ! this`) is deprecated in
> favor of extrapositioned (`! --option this`).
>
> I haven't completely looked up the changelogs, but from what I've
> found on the internet, this was introduced with 1.4.3.1, right?
>
> However, my ruleset is automatically generated by a self written shell
> script, which I now need to change.
> It needs to work with any 2.6 kernel and with 2.4 kernels supporting
> iptables.
> As my testing options (hardware, time) are limited, I'm asking if
> someone knows:
>
> Will 2.4 kernels and older iptables versions accept the
> extrapositioned (`! --option this`) notation?
> If so, I can rewrite my script to always use extrapositioned syntax.
> Lots of work, but ok...
>
> If not, what kernel / iptables versions do only understand the old
> deprecated way?
> So I can query for them and take the appropriate steps.
>
> Thanks a lot!
Nobody knows?
Well, I've found some old virtual machines, tested it with debian woody
and sarge, using kernel 2.4.18.bf2-4 and 2.6.18 and extrapositioned
negation does not seem to cause problems.
Am I right to assume, that all 2.4 kernels with iptables support - DON'T
have troubles using extrapositioned negation???
Regards
Mart
* Re: intrapositioned and extrapositioned negation
From: Patrick McHardy @ 2009-10-30 9:56 UTC (permalink / raw)
To: netfilter
Mart Frauenlob wrote:
> Mart Frauenlob wrote:
>> Hello,
>>
>> today I installed iptables 1.4.5 and discovered my ruleset produces
>> those warnings about intrapositioned negation:
>> Using intrapositioned negation (`--option ! this`) is deprecated in
>> favor of extrapositioned (`! --option this`).
>>
>> I haven't completely looked up the changelogs, but from what I've
>> found on the internet, this was introduced with 1.4.3.1, right?
>>
>> However, my ruleset is automatically generated by a self written shell
>> script, which I now need to change.
>> It needs to work with any 2.6 kernel and with 2.4 kernels supporting
>> iptables.
>> As my testing options (hardware, time) are limited, I'm asking if
>> someone knows:
>>
>> Will 2.4 kernels and older iptables versions accept the
>> extrapositioned (`! --option this`) notation?
>> If so, I can rewrite my script to always use extrapositioned syntax.
>> Lots of work, but ok...
>>
>> If not, what kernel / iptables versions do only understand the old
>> deprecated way?
>> So I can query for them and take the appropriate steps.
>>
>> Thanks a lot!
>
>
> Nobody knows?
> Well, I've found some old virtual machines, tested it with debian woody
> and sarge, using kernel 2.4.18.bf2-4 and 2.6.18 and extrapositioned
> negation does not seem to cause problems.
> Am I right to assume, that all 2.4 kernels with iptables support - DON'T
> have troubles using extrapositioned negation???
The kernel doesn't care about how you specify negation, it's purely
a userspace thing. So yes, it should work properly on any kernel
version.
* Re: intrapositioned and extrapositioned negation
From: Mart Frauenlob @ 2009-10-30 14:48 UTC (permalink / raw)
To: netfilter
netfilter-owner@vger.kernel.org wrote:
> Mart Frauenlob wrote:
>
>> Mart Frauenlob wrote:
>>
>>> Hello,
>>>
>>> today I installed iptables 1.4.5 and discovered my ruleset produces
>>> those warnings about intrapositioned negation:
>>> Using intrapositioned negation (`--option ! this`) is deprecated in
>>> favor of extrapositioned (`! --option this`).
>>>
>>> I haven't completely looked up the changelogs, but from what I've
>>> found on the internet, this was introduced with 1.4.3.1, right?
>>>
>>> However, my ruleset is automatically generated by a self written shell
>>> script, which I now need to change.
>>> It needs to work with any 2.6 kernel and with 2.4 kernels supporting
>>> iptables.
>>> As my testing options (hardware, time) are limited, I'm asking if
>>> someone knows:
>>>
>>> Will 2.4 kernels and older iptables versions accept the
>>> extrapositioned (`! --option this`) notation?
>>> If so, I can rewrite my script to always use extrapositioned syntax.
>>> Lots of work, but ok...
>>>
>>> If not, what kernel / iptables versions do only understand the old
>>> deprecated way?
>>> So I can query for them and take the appropriate steps.
>>>
>>> Thanks a lot!
>>>
>> Nobody knows?
>> Well, I've found some old virtual machines, tested it with debian woody
>> and sarge, using kernel 2.4.18.bf2-4 and 2.6.18 and extrapositioned
>> negation does not seem to cause problems.
>> Am I right to assume, that all 2.4 kernels with iptables support - DON'T
>> have troubles using extrapositioned negation???
>>
>
> The kernel doesn't care about how you specify negation, it's purely
> a userspace thing. So yes, it should work properly on any kernel
> version.
>
Hello netfilter-owner@vger.kernel.org :)
thanks for pointing that out.
In my second post I forgot to ask about the compatible iptables version.
The lowest version I tested on debian woody is: 1.2.6a.
Rephrased, do I have to expect problems using extrapositioned negation
on older iptables versions?
Sidenote to the devels ;-P :
The man page has documented intrapositioned negation for years, this is
the only note in the changelog for 1.4.3.2:
> iptables: print negation extrapositioned
>
It's like with the DROP in the nat table, a short note in the change
log, and the whole world has to find out what's going on, and change
their programs/scripts.
Imho, changes like those should be worth a few explaining sentences.
Thanks and regards
Mart
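
The script change discussed in this thread, as an added example that is not part of any poster's message: a shell filter that moves `!` in front of its option in generated rule lines, plus a check for lines still in the deprecated form. The function names and the sample rules are constructed, and the pattern assumes rule text without quoted arguments that contain a flag-like word followed by ` ! `.

```shell
#!/bin/sh
# Added example: migrate generated iptables rules from intrapositioned
# negation (--option ! value) to extrapositioned (! --option value).
# Function names are hypothetical, not from the thread.

# "<option> ! <value>": the value must not start with "-", so an
# argument-less flag followed by an already extrapositioned negation
# (e.g. "--syn ! --dport 22") is left alone and the rewrite is idempotent.
# Assumption: no quoted arguments (--comment "...") containing this shape.
INTRA_RE='(^|[[:space:]])(--?[[:alnum:]][[:alnum:]-]*)[[:space:]]+![[:space:]]+([^-[:space:]])'

# Filter: stdin -> stdout, moving each "!" in front of its option.
extrapose() {
    sed -E "s/${INTRA_RE}/\\1! \\2 \\3/g"
}

# Convenience wrapper for a single rule held in a shell variable.
extrapose_rule() {
    printf '%s\n' "$1" | extrapose
}

# Count lines on stdin that still use intrapositioned negation.
count_intrapositioned() {
    grep -cE -e "$INTRA_RE" || true
}

# Constructed sample ruleset (not from the thread).
sample_rules() {
    cat <<'EOF'
iptables -A INPUT -s ! 10.0.0.0/8 -p tcp --dport ! 22 -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i ! eth0 -p tcp --tcp-flags ! SYN,RST SYN -j LOG
iptables -A OUTPUT ! -d 192.168.0.0/16 -j ACCEPT
EOF
}

echo "deprecated lines before: $(sample_rules | count_intrapositioned)"
sample_rules | extrapose
echo "deprecated lines after:  $(sample_rules | extrapose | count_intrapositioned)"
```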