From: Born Without <blackhole@airpost.net>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]
Date: Sat, 29 Dec 2012 09:08:52 +0100
Message-ID: <50DEA514.4050006@airpost.net>
In-Reply-To: <50DBE9C9.8090500@airpost.net>

On 27.12.2012 07:25, Born Without wrote:
> Hello list!
>
>
> # $IPTABLES -N FOO
> # $IPTABLES -A FOO -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1
> # $IPTABLES -S FOO
> -N FOO
> -A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows
>
> kernel: 3.2.35
> iptables: 1.4.16.3
>
>
> iptables -[L|S] and iptables-save seem to miss the --ttl and --log options.
> Therefore on restore, those settings get omitted.
> Looks like a bug to me!? If so, should I report it to some bug-tracker
> or so?


Yet another thing with osf that I noticed:

(installed vanilla 3.7.1 kernel to test)

Using this test ruleset to collect probes to my firewall's external
interface, which does not allow any NEW (ctstate) connection, then
divide them into Windows and non-Windows hosts:

$IPSET create other_probers hash:ip
$IPSET create windows_probers hash:ip
$IPTABLES -N PROBERS
$IPTABLES -A PROBERS -m set --match-set windows_probers src -j RETURN
$IPTABLES -A PROBERS -m set --match-set other_probers src -j RETURN
$IPTABLES -A PROBERS -p tcp -m osf --genre Windows --ttl 1 -j SET --add-set windows_probers src
$IPTABLES -A PROBERS -p tcp -m osf --genre Windows --ttl 1 -j SET --add-set windows_probers src
$IPTABLES -A PROBERS -p tcp -m osf ! --genre Windows --ttl 1 -j SET --add-set other_probers src
$IPTABLES -I INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -j PROBERS


The result is that the two rules with '--genre' and the negated
'! --genre' always both match, though of course that should not be.
The two sets always contain the same IP addresses.
So the negation is not working at all.

iptables -vS output:
-A PROBERS -m set --match-set windows_probers src -c 4 192 -j RETURN
-A PROBERS -m set --match-set other_probers src -c 0 0 -j RETURN
-A PROBERS -p tcp -m osf --genre Windows -c 4 192 -j SET --add-set windows_probers src
-A PROBERS -p tcp -m osf --genre ! Windows -c 4 192 -j SET --add-set other_probers src


The other thing is:

The man page says it operates on SYN packets.
When I reduce the match using '-m tcp --syn', nothing gets matched by
osf anymore.

Best regards
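A round-trip check for the first problem in this thread (match options that are loaded but silently absent from `iptables -S` / `iptables-save` output, and therefore lost on restore). This is an added example, not code from the mail: it works on two rule strings offline, the sample lines are constructed from the thread, and the `-m tcp` and `--genre ! X` normalisations are assumptions about how iptables rewrites rules on output.

```sh
#!/bin/sh
# Compare a rule as loaded against the same rule as printed back by
# iptables -S, and report option/value units that did not survive.

# Undo two cosmetic rewrites iptables performs on output (assumed here):
#  - "-p tcp --dport N" is printed as "-p tcp -m tcp --dport N"
#  - "! --genre X" is printed as "--genre ! X"
normalize_rule() {
  printf '%s\n' "$1" |
    sed -e 's/ -m tcp --dport/ --dport/' -e 's/--\([a-z]*\) ! /! --\1 /'
}

# missing_options LOADED SAVED
# Prints the units of LOADED (an option with its value, e.g. "--ttl 1")
# that are absent from SAVED, separated by "|"; prints nothing if all
# survived. Order is not checked; extra tokens in SAVED (such as the
# "-c pkts bytes" counters of -vS) are ignored.
missing_options() {
  intended=$(normalize_rule "$1")
  saved=" $(normalize_rule "$2") "
  missing=""
  set -- $intended
  while [ $# -gt 0 ]; do
    unit=$1; shift
    case "$unit" in
      --*) # glue a following value onto its option
        if [ $# -gt 0 ]; then
          case "$1" in -*) ;; *) unit="$unit $1"; shift ;; esac
        fi ;;
    esac
    case "$saved" in
      *" $unit "*) ;;
      *) missing="$missing|$unit" ;;
    esac
  done
  printf '%s' "${missing#|}"
}

# Constructed sample: the FOO rule from the thread and what -S printed back.
LOADED='-A FOO -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1'
SAVED='-A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows'
echo "dropped on save: $(missing_options "$LOADED" "$SAVED")"
```

Run it against each line of your loaded ruleset paired with the matching `iptables -S` line before trusting an `iptables-save` dump for restore.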
