bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-21 09:52 UTC
[Bug 794] New: -f option used with iptables
http://bugzilla.netfilter.org/show_bug.cgi?id=794
Summary: -f option used with iptables
Product: iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: blocker
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: shrivastavaone at gmail.com
Estimated Hours: 0.0
Kernel version is 2.6.35+.
I am defining the following ACL:
iptables -A INPUT -p icmp -i eth1 -m iprange --src-range 172.31.114.1-172.31.114.254 -m iprange --dst-range 192.168.1.1-192.168.1.254 -j DROP
With the above rule I can drop all ICMP packets on the eth1 interface,
but when I add the -f option to deny only fragmented packets the rule doesn't work:
iptables -A INPUT -p icmp -i eth1 -m iprange --src-range 172.31.114.1-172.31.114.254 -m iprange --dst-range 192.168.1.1-192.168.1.254 -f -j DROP
My objective is to deny only fragmented packets with the specified IP, protocol and
interface, and the "-f" option doesn't seem to work.
Thanks and Regards,
Rahul Shrivastava
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2013-Feb-14 16:16 UTC
[Bug 794] -f option used with iptables
http://bugzilla.netfilter.org/show_bug.cgi?id=794
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What        | Removed                                 | Added
------------|-----------------------------------------|----------------------
CC          |                                         | pablo at netfilter.org
AssignedTo  | netfilter-buglog at lists.netfilter.org | pablo at netfilter.org
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-02-14 17:16:52 CET ---
From iptables man page:

[!] -f, --fragment
    This means that the rule only refers to second and further fragments of
    fragmented packets. Since there is no way to tell the source or destination
    ports of such a packet (or ICMP type), such a packet will not match any rules
    which specify them. When the "!" argument precedes the "-f" flag, the rule
    will only match head fragments, or unfragmented packets.
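The man page text quoted above describes the "-f" match in terms of the IPv4 fragment offset field, which is easy to see on a concrete packet. The following Python model is an added example, not code from the bug report or from the netfilter project: it builds a few constructed packets (an oversized ping split into a head fragment and a trailing fragment, plus a small unfragmented ping), decodes the MF flag and fragment offset, and applies the "-f" / "! -f" semantics to them. The packet builder, the field names, the sample addresses and the rule-evaluation helper are all assumptions made for the illustration.

```python
import socket
import struct

# Added example (not from the bug report or the netfilter project): a small
# model of the IPv4 fragment fields that the iptables "-f" match inspects.

# version/IHL, TOS, total length, ID, flags+offset, TTL, proto, checksum, src, dst
IPV4_HDR_FMT = "!BBHHHBBH4s4s"
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, proto: int, mf: bool, offset: int,
               src: str, dst: str, ident: int = 0x1234) -> bytes:
    """Build a minimal IPv4 packet (no options); offset is the fragment offset in bytes."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if mf else 0) | (offset // 8)   # MF is bit 13, offset is the low 13 bits
    hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment_info(pkt: bytes) -> dict:
    """Decode the header fields relevant to fragment matching."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "id": ident,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def matches_fragment_flag(pkt: bytes, negate: bool = False) -> bool:
    """Model of '-f' (negate=False) and '! -f' (negate=True).

    '-f' matches only second-and-further fragments, i.e. fragment offset > 0.
    '! -f' matches head fragments (offset 0, MF set) and unfragmented packets.
    """
    later_fragment = fragment_info(pkt)["offset"] > 0
    return (not later_fragment) if negate else later_fragment


def icmp_type(pkt: bytes):
    """Return the ICMP type, or None when it cannot be read.

    A non-first fragment carries only payload bytes after the IP header, so the
    ICMP (or TCP/UDP) header is simply not present: this is why the man page says
    such packets never match a rule that specifies ports or an ICMP type.
    """
    info = fragment_info(pkt)
    if info["proto"] != IPPROTO_ICMP or info["offset"] > 0:
        return None
    return pkt[info["ihl"]]


def apply_drop_fragments_rule(packets) -> list:
    """Per-packet verdicts of '-p icmp -f -j DROP' followed by an implicit ACCEPT."""
    verdicts = []
    for pkt in packets:
        if fragment_info(pkt)["proto"] == IPPROTO_ICMP and matches_fragment_flag(pkt):
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts


# Constructed sample traffic (addresses chosen to fall inside the reporter's ranges):
# one ping larger than a 1500-byte MTU, split into a head fragment and one trailing
# fragment, plus a small unfragmented ping.
SRC, DST = "172.31.114.10", "192.168.1.20"
ICMP_ECHO_HDR = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x0001, 1)   # type, code, csum, id, seq
HEAD_FRAGMENT = build_ipv4(ICMP_ECHO_HDR + b"A" * 1472, IPPROTO_ICMP, mf=True, offset=0, src=SRC, dst=DST)
TAIL_FRAGMENT = build_ipv4(b"A" * 520, IPPROTO_ICMP, mf=False, offset=1480, src=SRC, dst=DST)
UNFRAGMENTED = build_ipv4(ICMP_ECHO_HDR + b"A" * 56, IPPROTO_ICMP, mf=False, offset=0,
                          src=SRC, dst=DST, ident=0x5678)


if __name__ == "__main__":
    for name, pkt in [("head", HEAD_FRAGMENT), ("tail", TAIL_FRAGMENT), ("unfrag", UNFRAGMENTED)]:
        i = fragment_info(pkt)
        print(name, "offset=%d MF=%s -f=%s icmp_type=%s"
              % (i["offset"], i["mf"], matches_fragment_flag(pkt), icmp_type(pkt)))
    print(apply_drop_fragments_rule([HEAD_FRAGMENT, TAIL_FRAGMENT, UNFRAGMENTED]))
```

Run stand-alone, the model shows the head fragment and the unfragmented ping passing a "-f" rule while only the trailing fragment is dropped; dropping that trailing fragment is still enough to break the ping, since the receiver can never complete reassembly. Two practical caveats when testing such a rule on a real host: the traffic must actually be fragmented (a default 56-byte ping never is, so a rule with -f matches nothing), and on kernels where nf_conntrack (with its nf_defrag_ipv4 dependency) is loaded, IPv4 fragments are reassembled in PREROUTING before the filter table sees them, so a "-f" rule there will not match at all.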