bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 15:26 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562 kernel at linuxace.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kernel at linuxace.com Status|NEW |RESOLVED Resolution| |INVALID ------- Comment #1 from kernel at linuxace.com 2008-11-25 16:26 -------> # BUG: if "-p tcp" is left out or if instead "-p all" is used then the rulegets eliminated!> /sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST--set -j DROP Yes, because that is an invalid rule without "-p tcp", since you are including "--dport 139". Please ask your question about this on the netfilter user mailing list, as there is nothing wrong with iptables here, only your rules. -- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. You reported the bug, or are watching the reporter.
bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 18:13 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562 for-openvz at alicewho.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID | ------- Comment #2 from for-openvz at alicewho.com 2008-11-25 19:13 ------- (In reply to comment #1)> > # BUG: if "-p tcp" is left out or if instead "-p all" is used then the rule > gets eliminated! > > /sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST > --set -j DROP > > Yes, because that is an invalid rule without "-p tcp", since you are including > "--dport 139". > > Please ask your question about this on the netfilter user mailing list, as > there is nothing wrong with iptables here, only your rules.Hmm. I think you you got me wrong. It is a general issue, port 139 above was just a bad example. Let's replace it with say port 8191. The goal is to DROP all connect attempts to port 8191 AND put such clients to the WATCHLIST AND deny them any further contact for 20 seconds: ... # if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them! /sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP # if anybody tries to connect to port 8191, then drop them and add them to the WATCHLIST # BUG: if "-p XXX" is left out or if instead "-p all" is used then the rule gets eliminated! /sbin/iptables -A INPUT --dport 8191 --match recent --name WATCHLIST --set -j DROP ... The above isn't working. The last rule is missing in the output list. If one specifies a protocol (for example "-p tcp") then it works, but that's not the intention here because the rule shall be valid all protocols on this port 8191. -- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 18:49 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562 kernel at linuxace.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |INVALID ------- Comment #3 from kernel at linuxace.com 2008-11-25 19:49 ------- This does not work:> /sbin/iptables -A INPUT --dport 8191 --match recent --name WATCHLIST --set -jDROP because IT IS NOT A VALID RULE!!! You CANNOT have a rule which includes a "--dport" without ALSO specifying a protocol. Please read the iptables documentation on this, and do not reopen this bug. It is NOT a bug in the code, but a bug in your understanding of how to create rules. -- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. You reported the bug, or are watching the reporter.
bugzilla-daemon at bugzilla.netfilter.org
2008-Nov-25 19:31 UTC
[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
http://bugzilla.netfilter.org/show_bug.cgi?id=562 for-openvz at alicewho.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID | ------- Comment #4 from for-openvz at alicewho.com 2008-11-25 20:31 ------- (In reply to comment #3)> This does not work: > > > /sbin/iptables -A INPUT --dport 8191 --match recent --name WATCHLIST --set -j > DROP > > because IT IS NOT A VALID RULE!!! You CANNOT have a rule which includes a > "--dport" without ALSO specifying a protocol. > > Please read the iptables documentation on this, and do not reopen this bug. It > is NOT a bug in the code, but a bug in your understanding of how to create > rules.Sorry, to say that, but you are talking bullshit, giving a cheap excuse. Here's another variation of the bug. Here "-p all" was specified. The result is: IT DOES NOT WORK! /sbin/iptables -A INPUT -p all --dport 8191 --match recent --name WATCHLIST --set -j DROP Ok, forget it you arrogant idiot! Maybe someone more intelligent than you will fix this bug. -- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
Seemingly Similar Threads
- [Bug 562] New: Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug
- [Bug 526] REDIRECT --to 3128 Doesn't redirect correctly
- [Bug 490] ROUTE extension module unusable since 2.6.16
- Samba Wiki change suggestion
- Iptables rules and internet access problems