bugzilla-daemon@netfilter.org
2003-Feb-03 15:52 UTC
[Bug 37] icmp match defaults to --icmp-type icmp-echo-reply
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37

laforge@netfilter.org changed:

What      |Removed |Added
----------------------------------------------------------------------------
Status    |NEW     |ASSIGNED

------- Additional Comments From laforge@netfilter.org 2003-02-03 16:52 -------

Incompatible solutions:

1) have a special value meaning "no icmp type specified", for example -1 (0xFF) would mean "any"
2) create a possibility to match a range of icmp types, and initialize the range to [0,max_icmp_type]
3) use a bitmask instead of a range where each bit would mean a specific icmp type

Option 1) could be implemented without changing the size of the match struct, the other two would involve changing the size of the match struct.

I've checked the kernel source, specifying -1 for old kernels would mean 'match nothing', thus our beloved compatibility equations would be like this:

1) old kernel - new iptables

When ANY icmp type is specified, no packets would be matched, this is different from the current behaviour when icmp type 0 is matched (PONG). When a usual icmp type is specified everything works correctly.

2) new kernel - old iptables

No problem.

The question is whether we can live with the incompatibility of matching nothing instead of PONG when no --icmp-type is specified.

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@netfilter.org
2003-Feb-03 15:54 UTC
[Bug 37] icmp match defaults to --icmp-type icmp-echo-reply
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37

------- Additional Comments From laforge@netfilter.org 2003-02-03 16:54 -------

Yes, this is perfectly fine. Matching 'pong' when no icmp-type is specified was never advertised as a feature. It's a misbehaviour which is now going to be corrected.
bugzilla-daemon@netfilter.org
2003-Feb-23 11:15 UTC
[Bug 37] icmp match defaults to --icmp-type icmp-echo-reply
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37

bazsi@balabit.hu changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |ASSIGNED  |RESOLVED
Resolution  |          |FIXED

------- Additional Comments From bazsi@balabit.hu 2003-02-23 12:13 -------

Created an attachment (id=5)
userspace patch

------- Additional Comments From bazsi@balabit.hu 2003-02-23 12:14 -------

Created an attachment (id=6)
kernel patch

------- Additional Comments From bazsi@balabit.hu 2003-02-23 12:15 -------

I've added two untested but trivial patches which should fix the issue.
bugzilla-daemon@netfilter.org
2003-Feb-25 09:07 UTC
[Bug 37] icmp match defaults to --icmp-type icmp-echo-reply
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37

------- Additional Comments From bazsi@balabit.hu 2003-02-25 10:07 -------

I've tested the patches and they seem to work in general. One note though:

iptables-save writes --icmp-type any as --icmp-type 255 (e.g. the type is always written numerically)

The question is whether 255 should be resolved as 'any'
bugzilla-daemon@netfilter.org
2003-Feb-25 10:50 UTC
[Bug 37] icmp match defaults to --icmp-type icmp-echo-reply
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=37

------- Additional Comments From laforge@netfilter.org 2003-02-25 11:50 -------

Patch accepted, thanks a lot. I have now added a special case in the save() function to solve the --type 255 issue.
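The two design points in this thread, the 0xFF "any" sentinel with its old-kernel/new-iptables compatibility matrix (first comment) and the iptables-save special case that prints 255 as "any" (last two comments), can be checked with a small model. The following C program is an added example written for this archive page; it is not the netfilter kernel or iptables source, and the struct layout, the function names (match_old, match_new, omitted_type_matches, save_icmp_type) and the exact save() output format are assumptions.

```c
/* Toy model of the design discussed in bug 37 (added example, not the
 * netfilter kernel or iptables source). Struct layout, function names and
 * the save() output format are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "-1 (0xFF) would mean any": the sentinel that fits the existing u8 field,
 * so the match struct keeps its size (option 1 in the thread). */
#define ICMP_TYPE_ANY 0xFF

struct icmp_match {            /* assumed layout; unchanged in size */
    uint8_t type;              /* ICMP type, or ICMP_TYPE_ANY */
    uint8_t code_min;          /* inclusive code range */
    uint8_t code_max;
};

/* Old kernel: literal comparison, so a rule carrying 0xFF matches nothing. */
bool match_old(const struct icmp_match *m, uint8_t type, uint8_t code)
{
    return type == m->type && code >= m->code_min && code <= m->code_max;
}

/* New kernel: 0xFF is a wildcard; every other type is compared as before. */
bool match_new(const struct icmp_match *m, uint8_t type, uint8_t code)
{
    return (m->type == ICMP_TYPE_ANY || type == m->type)
        && code >= m->code_min && code <= m->code_max;
}

/* Rule an old iptables built when --icmp-type was omitted: type 0 (echo-reply). */
static struct icmp_match default_old_iptables(void)
{
    struct icmp_match m = { 0, 0, 0xFF };
    return m;
}

/* Rule a patched iptables builds when --icmp-type is omitted: any type. */
static struct icmp_match default_new_iptables(void)
{
    struct icmp_match m = { ICMP_TYPE_ANY, 0, 0xFF };
    return m;
}

/* The "compatibility equations": does an ICMP packet of the given type hit
 * a rule written with no --icmp-type, for each kernel/iptables combination? */
bool omitted_type_matches(bool new_kernel, bool new_iptables, uint8_t type)
{
    struct icmp_match m = new_iptables ? default_new_iptables()
                                       : default_old_iptables();
    return new_kernel ? match_new(&m, type, 0) : match_old(&m, type, 0);
}

/* save() rendering with the special case from the final comment: the
 * sentinel is written as "any", never as the bare number 255. Returns a
 * pointer to a static buffer (not thread-safe; fine for a demo). */
const char *save_icmp_type(uint8_t type)
{
    static char buf[32];
    if (type == ICMP_TYPE_ANY)
        snprintf(buf, sizeof buf, "--icmp-type any");
    else
        snprintf(buf, sizeof buf, "--icmp-type %u", (unsigned)type);
    return buf;
}

int main(void)
{
    const uint8_t echo_reply = 0, echo_request = 8;
    printf("%-8s %-9s %-10s %-12s\n", "kernel", "iptables", "echo-reply", "echo-request");
    for (int k = 0; k < 2; k++)
        for (int u = 0; u < 2; u++)
            printf("%-8s %-9s %-10s %-12s\n", k ? "new" : "old", u ? "new" : "old",
                   omitted_type_matches(k, u, echo_reply) ? "match" : "no match",
                   omitted_type_matches(k, u, echo_request) ? "match" : "no match");
    printf("saved: %s\n", save_icmp_type(ICMP_TYPE_ANY));
    return 0;
}
```

The printed matrix reproduces the thread's two cases: old kernel with new iptables matches nothing at all (neither echo-reply nor echo-request), whereas the other three combinations either keep the old PONG-only behaviour or match every type. The save_icmp_type special case is what keeps an iptables-save/iptables-restore round trip from turning "any" into a literal type 255 that a later parser would have to resolve again.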