bugzilla-daemon at netfilter.org
2013-Nov-23 12:48 UTC
[Bug 875] New: iptables -m conntrack --ctstatus NONE, EXPECTED is not consistent with --ctstatus SEEN_REPLY,EXPECTED
https://bugzilla.netfilter.org/show_bug.cgi?id=875

Summary: iptables -m conntrack --ctstatus NONE,EXPECTED is not consistent with --ctstatus SEEN_REPLY,EXPECTED
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: quentin at armitage.org.uk
Estimated Hours: 0.0

Created attachment 428
--> https://bugzilla.netfilter.org/attachment.cgi?id=428
Patch for iptables to allow NONE to work with other statuses

If --ctstatus SEEN_REPLY,EXPECTED is specified, it matches on either SEEN_REPLY or EXPECTED. On the other hand, if --ctstatus NONE,EXPECTED is specified, it only matches on EXPECTED, and doesn't match on NONE; but to be consistent, --ctstatus NONE,EXPECTED should match on either NONE or EXPECTED.

This is demonstrated by entering the following:

iptables -I CHAIN 1 -m conntrack --ctstatus NONE,EXPECTED -j LOG
iptables -nvL CHAIN 1

where it can be seen that the NONE has been 'lost'.

I think there are three possible solutions to this:

i) Drop NONE altogether; ! --ctstatus EXPECTED,ASSURED,SEEN_REPLY,CONFIRMED does the same as --ctstatus NONE
ii) Don't allow NONE to be specified with any of the other statuses.
iii) Make NONE be treated in the same way as the other statuses for status comparison.

i) would break existing configurations. ii) might also break existing configurations (but not any restored with iptables-restore). The advantages of i) and ii) are that they are simple. Although ii) would make some configurations loaded from scripts fail, the configurations wouldn't have worked as intended since the NONE would have been silently ignored. iii) gives the greatest flexibility, but also requires a small patch to the kernel.

The attached patches implement option iii).

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
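A small model of the two matching semantics the report contrasts, added here as an illustration; it is not iptables' or the kernel's code, and the bit values, names and functions are constructed. With none_bit set to 0 the parser reproduces the reported behaviour (NONE contributes no bit and is lost from "NONE,EXPECTED"); with CT_NONE it behaves as option iii describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed status bits for this model; not the kernel's IPS_* values. */
enum {
    CT_EXPECTED   = 1u << 0,
    CT_SEEN_REPLY = 1u << 1,
    CT_ASSURED    = 1u << 2,
    CT_CONFIRMED  = 1u << 3,
    CT_NONE       = 1u << 4,  /* only used when NONE is a real status (option iii) */
};

static const struct { const char *name; uint32_t bit; } status_names[] = {
    { "EXPECTED", CT_EXPECTED }, { "SEEN_REPLY", CT_SEEN_REPLY },
    { "ASSURED",  CT_ASSURED  }, { "CONFIRMED",  CT_CONFIRMED  },
};

/* Parse a comma-separated --ctstatus list into a rule mask. none_bit == 0
 * models the reported behaviour: NONE adds no bit, so in "NONE,EXPECTED" it is
 * silently lost. none_bit == CT_NONE models option iii. */
static uint32_t parse_ctstatus(const char *spec, uint32_t none_bit)
{
    char buf[128];
    uint32_t mask = 0;
    strncpy(buf, spec, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (strcmp(tok, "NONE") == 0) { mask |= none_bit; continue; }
        for (size_t i = 0; i < sizeof status_names / sizeof *status_names; i++)
            if (strcmp(tok, status_names[i].name) == 0)
                mask |= status_names[i].bit;
    }
    return mask;
}

/* Match a connection's status bits against a rule mask. In the old scheme a
 * mask of 0 can only come from a bare NONE and means "no bit set". With
 * option iii a connection with no real bit set is treated as carrying CT_NONE,
 * so NONE combines with other statuses exactly as they combine with each other. */
static bool ctstatus_match(uint32_t rule_mask, uint32_t ct_status, bool option_iii)
{
    if (option_iii && ct_status == 0)
        ct_status = CT_NONE;
    if (rule_mask == 0)
        return ct_status == 0;
    return (rule_mask & ct_status) != 0;
}
```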
bugzilla-daemon at netfilter.org
2013-Nov-23 12:49 UTC
[Bug 875] iptables -m conntrack --ctstatus NONE,EXPECTED is not consistent with --ctstatus SEEN_REPLY,EXPECTED
https://bugzilla.netfilter.org/show_bug.cgi?id=875

--- Comment #1 from Quentin Armitage <quentin at armitage.org.uk> 2013-11-23 13:49:29 CET ---
Created attachment 429
--> https://bugzilla.netfilter.org/attachment.cgi?id=429
Kernel patch to allow NONE to work with other statuses

Adding kernel patch.
bugzilla-daemon at netfilter.org
2013-Nov-30 21:38 UTC
[Bug 875] iptables -m conntrack --ctstatus NONE,EXPECTED is not consistent with --ctstatus SEEN_REPLY,EXPECTED
https://bugzilla.netfilter.org/show_bug.cgi?id=875

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-11-30 22:38:27 CET ---
Please submit your patch to netfilter-devel at vger.kernel.org with your signed-off-by, thanks.