bugzilla-daemon at netfilter.org
2013-Nov-23 12:31 UTC
[Bug 873] New: iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
https://bugzilla.netfilter.org/show_bug.cgi?id=873

           Summary: iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: quentin at armitage.org.uk
   Estimated Hours: 0.0

Created attachment 426
  --> https://bugzilla.netfilter.org/attachment.cgi?id=426
Patch to correct check for --ctproto 0

There are three issues in the code:

i) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
ii) in conntrack_mt_parse it is testing (info->invert_flags & XT_INV_PROTO) before the invert bit has been set.
iii) the sense of the error message is the wrong way round

i) To get the error, ! --ctstatus XXX has to be specified, since XT_INV_PROTO = XT_CONNTRACK_STATUS,
e.g. iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...

iii) Unlike --proto 0 (where 0 means all protocols), in the conntrack match --ctproto 0 appears to mean protocol 0, which can never be. Therefore --ctproto 0 could never match and ! --ctproto 0 will always match. Both of these should be rejected, since the user clearly cannot be intending what was specified.

The attached patch resolves the issue, and also produces an error message if --ctproto 0 is specified (as well as ! --ctproto 0), since --ctproto 0 will never match, and ! --ctproto 0 will always match.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
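The report above turns on a flag-value collision: the generic inversion bit XT_INV_PROTO (from linux/netfilter/x_tables.h) and the conntrack-match bit XT_CONNTRACK_STATUS (from linux/netfilter/xt_conntrack.h) both have the value 0x40, and the invert bit for --ctproto is tested before it is set. The following C program is an added example, not the reporter's patch and not the iptables source; it models that check in a cut-down form so the effect can be observed. The struct `mtinfo` and the function names are assumptions standing in for the real xt_conntrack_mtinfo structures and libxt_conntrack.c parsing code; the flag values are the ones from the kernel UAPI headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values from the kernel UAPI headers. XT_INV_PROTO (the "!" on -p/--proto)
 * and XT_CONNTRACK_STATUS (conntrack match on --ctstatus) share the value 0x40,
 * so testing invert_flags against XT_INV_PROTO really tests "! --ctstatus". */
#define XT_INV_PROTO          0x40
#define XT_CONNTRACK_PROTO    (1 << 1)
#define XT_CONNTRACK_STATUS   (1 << 6)

/* Hypothetical cut-down match info (stand-in for struct xt_conntrack_mtinfo*). */
struct mtinfo {
    uint8_t  l4proto;
    uint16_t match_flags;
    uint16_t invert_flags;
};

/* Model of the --ctproto handling as the report describes it.
 * Returns 1 if the rule would be rejected with an error, 0 if accepted.
 * 'invert' is the "!" in front of --ctproto. */
static int buggy_ctproto_check(struct mtinfo *info, uint8_t proto, int invert)
{
    int rejected;

    info->l4proto = proto;
    /* (i) wrong mask: XT_INV_PROTO is XT_CONNTRACK_STATUS here;
     * (ii) tested before the --ctproto invert bit is set below. */
    rejected = (proto == 0 && (info->invert_flags & XT_INV_PROTO));
    if (invert)
        info->invert_flags |= XT_CONNTRACK_PROTO;
    info->match_flags |= XT_CONNTRACK_PROTO;
    return rejected;
}

/* Corrected model following the report's reasoning: --ctproto 0 can never
 * match and ! --ctproto 0 always matches, so protocol 0 is rejected in both
 * forms and the inversion bit is recorded before any test would look at it. */
static int fixed_ctproto_check(struct mtinfo *info, uint8_t proto, int invert)
{
    info->l4proto = proto;
    if (invert)
        info->invert_flags |= XT_CONNTRACK_PROTO;
    info->match_flags |= XT_CONNTRACK_PROTO;
    return proto == 0;
}

/* Scenario helper: start from a fresh match, optionally with "! --ctstatus XXX"
 * already parsed, then parse [!] --ctproto <proto> with the buggy check. */
static int buggy_rejects(int status_inverted, uint8_t proto, int invert)
{
    struct mtinfo info = {0};

    if (status_inverted) {
        info.match_flags  |= XT_CONNTRACK_STATUS;
        info.invert_flags |= XT_CONNTRACK_STATUS;
    }
    return buggy_ctproto_check(&info, proto, invert);
}

/* Same scenario with the corrected check. */
static int fixed_rejects(int status_inverted, uint8_t proto, int invert)
{
    struct mtinfo info = {0};

    if (status_inverted) {
        info.match_flags  |= XT_CONNTRACK_STATUS;
        info.invert_flags |= XT_CONNTRACK_STATUS;
    }
    return fixed_ctproto_check(&info, proto, invert);
}

int main(void)
{
    printf("XT_INV_PROTO == XT_CONNTRACK_STATUS: %d\n",
           XT_INV_PROTO == XT_CONNTRACK_STATUS);
    printf("buggy: '! --ctproto 0' alone rejected?            %d\n", buggy_rejects(0, 0, 1));
    printf("buggy: '! --ctstatus ASSURED --ctproto 0' rejected? %d\n", buggy_rejects(1, 0, 0));
    printf("fixed: '--ctproto 0' rejected?                    %d\n", fixed_rejects(0, 0, 0));
    printf("fixed: '! --ctproto 0' rejected?                  %d\n", fixed_rejects(0, 0, 1));
    printf("fixed: '! --ctproto tcp' rejected?                %d\n", fixed_rejects(0, 6, 1));
    return 0;
}
```

Running it shows why the error is "usually" missing: with the buggy check, `! --ctproto 0` on its own is accepted, while the non-inverted `--ctproto 0` is rejected only when `! --ctstatus` was given earlier in the same rule, which is the opposite of the intended condition.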
bugzilla-daemon at netfilter.org
2013-Nov-30 21:37 UTC
[Bug 873] iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
https://bugzilla.netfilter.org/show_bug.cgi?id=873

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-11-30 22:37:46 CET ---
Please submit your patch to netfilter-devel at vger.kernel.org with your signed-off-by, thanks.