bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-11 07:36 UTC
[Bug 446] New: parse_protocol lookup ordering issue
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=446
Summary: parse_protocol lookup ordering issue
Product: iptables
Version: CVS (please indicate timestamp)
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: iptables
AssignedTo: laforge@netfilter.org
ReportedBy: davidhi@cc.gatech.edu
Recently I migrated a set of systems to using LDAP for NSS and I noticed that
afterward the iptables script that was on each system (one I had not written)
took on the order of minutes to add each rule. After stracing iptables, I found
it was trying to do LDAP lookups (but failing because the default rules were
DROP and LDAP wouldn't be opened until it got relatively far into the
script).
I couldn't understand why this was happening, until I noticed that it was
looking in /etc/protocols and not finding what it was looking for.
After reading the code in the current repository, I noticed that parse_protocol
calls getprotobyname before it looks in the internal table, chain_protos. It
was causing problems with '-p all' since 'all' is not likely to
be in the
/etc/protocols file causing NSS to fall through from files to ldap. Only after
the ldap request had timed out did it use its own local table to process
'all.'
I'm not sure if this has been discussed before, so forgive me if this has
already been considered. I realize looking in /etc/protocols first is probably
the desired behavior in certain cases, but this seems counterintuitive for the
wildcard 'all.' Although I haven't tested it, it would also seem to
allow
someone to redefine 'all' in /etc/protocols. Perhaps 'all'
should be removed or
the lookup order changed because it has the potential to really slow down the
process of adding a series of rules the way it works now. Thanks.
--
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-11 07:36 UTC
[Bug 446] New: parse_protocol lookup ordering issue
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=446
Summary: parse_protocol lookup ordering issue
Product: iptables
Version: CVS (please indicate timestamp)
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: iptables
AssignedTo: laforge@netfilter.org
ReportedBy: davidhi@cc.gatech.edu
Recently I migrated a set of systems to using LDAP for NSS and I noticed that
afterward the iptables script that was on each system (one I had not written)
took on the order of minutes to add each rule. After stracing iptables, I found
it was trying to do LDAP lookups (but failing because the default rules were
DROP and LDAP wouldn't be opened until it got relatively far into the
script).
I couldn't understand why this was happening, until I noticed that it was
looking in /etc/protocols and not finding what it was looking for.
After reading the code in the current repository, I noticed that parse_protocol
calls getprotobyname before it looks in the internal table, chain_protos. It
was causing problems with '-p all' since 'all' is not likely to
be in the
/etc/protocols file causing NSS to fall through from files to ldap. Only after
the ldap request had timed out did it use its own local table to process
'all.'
I'm not sure if this has been discussed before, so forgive me if this has
already been considered. I realize looking in /etc/protocols first is probably
the desired behavior in certain cases, but this seems counterintuitive for the
wildcard 'all.' Although I haven't tested it, it would also seem to
allow
someone to redefine 'all' in /etc/protocols. Perhaps 'all'
should be removed or
the lookup order changed because it has the potential to really slow down the
process of adding a series of rules the way it works now. Thanks.
--
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.