* osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]
From: Born Without @ 2012-12-27 6:25 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Hello list!
# $IPTABLES -N FOO
# $IPTABLES -A FOO -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1
# $IPTABLES -S FOO
-N FOO
-A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows
kernel: 3.2.35
iptables: 1.4.16.3
iptables -[L|S] and iptables-save seem to miss the --ttl and --log options.
Therefore on restore, those settings get omitted.
Looks like a bug to me!? If so, should I report it to some bug-tracker
or so?
Best regards
* Re: osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]
From: Born Without @ 2012-12-27 18:19 UTC (permalink / raw)
To: netfilter@vger.kernel.org
On 27.12.2012 07:25, Born Without wrote:
> Hello list!
>
>
> # $IPTABLES -N FOO
> # $IPTABLES -A FOO -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1
> # $IPTABLES -S FOO
> -N FOO
> -A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows
>
> kernel: 3.2.35
> iptables: 1.4.16.3
>
>
> iptables -[L|S] and iptables-save seem to miss the --ttl and --log options.
> Therefore on restore, those settings get omitted.
> Looks like a bug to me!? If so, should I report it to some bug-tracker
> or so?
>
Another thing I noticed is that if negation (!) is used on the --genre
option, iptables -S or iptables-save position the negation wrong, i.e.:
-A PROBERS -p tcp -m osf --genre ! Windows -j SET --add-set other_probers src
* Re: osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]
From: Neal Murphy @ 2012-12-27 23:19 UTC (permalink / raw)
To: netfilter
On Thursday, December 27, 2012 01:19:38 PM you wrote:
> Another thing I noticed is, that if negation (!) is used on the --genre
> option, iptables -S or iptables-save position the negation wrong i.e:
>
> -A PROBERS -p tcp -m osf --genre ! Windows -j SET \
> --add-set other_probers src
Is this 'infix' notation (--genre ! Windows) invalid already? Or is it just
deprecated?
* Re: osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]
From: Born Without @ 2012-12-28 2:38 UTC (permalink / raw)
To: neal.p.murphy; +Cc: netfilter
On 28.12.2012 00:19, Neal Murphy wrote:
> On Thursday, December 27, 2012 01:19:38 PM you wrote:
>
>> Another thing I noticed is, that if negation (!) is used on the --genre
>> option, iptables -S or iptables-save position the negation wrong i.e:
>>
>> -A PROBERS -p tcp -m osf --genre ! Windows -j SET \
>> --add-set other_probers src
>
> Is this 'infix' notation (--genre ! Windows) invalid already? Or is it just
> deprecated?
Produces an error applying it. So in the version I use, seems like.
* Re: osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]
From: Born Without @ 2012-12-29 8:08 UTC (permalink / raw)
To: netfilter@vger.kernel.org
On 27.12.2012 07:25, Born Without wrote:
> Hello list!
>
>
> # $IPTABLES -N FOO
> # $IPTABLES -A FOO -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1
> # $IPTABLES -S FOO
> -N FOO
> -A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows
>
> kernel: 3.2.35
> iptables: 1.4.16.3
>
>
> iptables -[L|S] and iptables-save seem to miss the --ttl and --log options.
> Therefore on restore, those settings get omitted.
> Looks like a bug to me!? If so, should I report it to some bug-tracker
> or so?
Yet another thing with osf that I noticed:
(installed vanilla 3.7.1 kernel to test)
Using this test ruleset to collect probes to my firewall's external
interface, which does not allow any NEW (ctstate) connection, then
divide them into Windows and non-Windows hosts:
$IPSET create other_probers hash:ip
$IPSET create windows_probers hash:ip
$IPTABLES -N PROBERS
$IPTABLES -A PROBERS -m set --match-set windows_probers src -j RETURN
$IPTABLES -A PROBERS -m set --match-set other_probers src -j RETURN
$IPTABLES -A PROBERS -p tcp -m osf --genre Windows --ttl 1 -j SET --add-set windows_probers src
$IPTABLES -A PROBERS -p tcp -m osf --genre Windows --ttl 1 -j SET --add-set windows_probers src
$IPTABLES -A PROBERS -p tcp -m osf ! --genre Windows --ttl 1 -j SET --add-set other_probers src
$IPTABLES -I INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -j PROBERS
The result is that the two rules with the '--genre' and the negated
'! --genre' always both match, though that should not be, of course.
The two sets always contain the same IP addresses.
So the negation is not working at all.
iptables -vS output:
-A PROBERS -m set --match-set windows_probers src -c 4 192 -j RETURN
-A PROBERS -m set --match-set other_probers src -c 0 0 -j RETURN
-A PROBERS -p tcp -m osf --genre Windows -c 4 192 -j SET --add-set windows_probers src
-A PROBERS -p tcp -m osf --genre ! Windows -c 4 192 -j SET --add-set other_probers src
The other thing is:
The man page says it operates on SYN packets.
When I reduce the match using '-m tcp --syn', nothing gets matched by
osf anymore.
Best regards
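The round trip the first post describes (options accepted by iptables -A but absent from iptables -S / iptables-save) and the negation placement shown in the -vS output above can both be caught before a reboot or an iptables-restore by diffing what was loaded against what the kernel hands back. The script below is an added example, not code from this thread or from the netfilter project; it runs on constructed rule text that mimics the reported output, and the chain and set names (FOO, PROBERS, other_probers) are taken from the thread as placeholders.

```shell
#!/bin/sh
# Added example: verify an iptables ruleset survives the save/restore round trip.
# Give it the rules you loaded and the matching `iptables-save` lines; it reports
# osf options that were dropped and osf rules that came back with the infix
# negation form ("--genre ! X"), which iptables-restore rejected for the reporter.
# All rule text below is constructed for the example.

# Print the osf-related options (--genre/--ttl/--log) found in one rule line,
# space separated, in the order they appear.
osf_options() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i == "--genre" || $i == "--ttl" || $i == "--log")
                out = out (out == "" ? "" : " ") $i
        print out
    }'
}

# Compare intended rules against saved rules line by line (iptables-save keeps
# rule order). For every osf rule, print "CHAIN: lost --opt" per missing option.
report_dropped() {
    intended=$1
    saved=$2
    n=$(printf '%s\n' "$intended" | awk 'END { print NR }')
    i=1
    while [ "$i" -le "$n" ]; do
        want=$(printf '%s\n' "$intended" | sed -n "${i}p")
        have=$(printf '%s\n' "$saved" | sed -n "${i}p")
        i=$((i + 1))
        # Only osf rules are of interest here.
        case " $want " in *" -m osf "*) ;; *) continue ;; esac
        chain=${want#-A }
        chain=${chain%% *}
        for opt in $(osf_options "$want"); do
            case " $have " in
                *" $opt "*) ;;
                *) printf '%s: lost %s\n' "$chain" "$opt" ;;
            esac
        done
    done
}

# Count saved osf rules whose negation came back in infix form ("--genre ! X")
# rather than the prefix form ("! --genre X") that current iptables accepts.
count_infix_negation() {
    printf '%s\n' "$1" | grep -c -e '-m osf .*--genre ! ' || true
}

# Constructed sample: the rules as they were loaded ...
INTENDED='-A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1
-A PROBERS -m set --match-set other_probers src -j RETURN
-A PROBERS -p tcp -m osf ! --genre Windows --ttl 1 -j SET --add-set other_probers src'

# ... and what iptables-save printed back, mimicking the behaviour reported above.
SAVED='-A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows
-A PROBERS -m set --match-set other_probers src -j RETURN
-A PROBERS -p tcp -m osf --genre ! Windows -j SET --add-set other_probers src'

report_dropped "$INTENDED" "$SAVED"
printf 'osf rules saved with infix negation: %s\n' "$(count_infix_negation "$SAVED")"
```

In real use, replace INTENDED with the `-A` lines of the script you load and SAVED with `iptables-save -t filter` output filtered to the same chains; a non-empty report means the saved file will not reproduce the live policy, and a non-zero infix count means iptables-restore will fail on it.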
* Re: osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]
From: Born Without @ 2012-12-31 7:06 UTC (permalink / raw)
To: netfilter@vger.kernel.org
On 27.12.2012 07:25, Born Without wrote:
[...]
another oddity with osf:
if you try to restore a ruleset using osf with iptables-restore, it will
fail on the very last COMMIT without giving any clue what the error is,
if the signatures were not loaded before with nfnl_osf.