bugzilla-daemon at netfilter.org
2013-Nov-23  12:31 UTC
[Bug 873] New: iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
https://bugzilla.netfilter.org/show_bug.cgi?id=873
           Summary: iptables -I CHAIN -m conntrack ! --ctproto 0 is
                    intended to produce an error message, but it doesn't
                    (usually)
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: quentin at armitage.org.uk
   Estimated Hours: 0.0
Created attachment 426
  --> https://bugzilla.netfilter.org/attachment.cgi?id=426
Patch to correct check for --ctproto 0
There are three issues in the code:
i) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
ii) in conntrack_mt_parse it is testing (info->invert_flags & XT_INV_PROTO) before the invert bit has been set.
iii) the sense of the error message is the wrong way round
i) To get the error, ! --ctstatus XXX has to be specified, since XT_INV_PROTO = XT_CONNTRACK_STATUS
  e.g. iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
iii) Unlike --proto 0 (where 0 means all protocols), in the conntrack match
--ctproto 0 appears to mean protocol 0, which can never be. Therefore --ctproto
0 could never match and ! --ctproto 0 will always match. Both of these should
be rejected, since the user clearly cannot be intending what was specified.
The attached patch resolves the issue, and also produces an error message if
--ctproto 0 is specified (as well as ! --ctproto 0 ), since --ctproto 0 will
never match, and ! --ctproto 0 will always match.
-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
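As an added illustration (not the reporter's patch and not libxt_conntrack.c itself), the following C model reproduces the check the report describes: the flag values are those of the xtables headers, while `struct ct_info`, the two `*_parse_ctproto` functions and `rule_rejected` are assumed stand-ins for the real parser. It contrasts the buggy check with the behaviour the report argues for, across the command lines the report mentions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Values from the xtables headers (x_tables.h, xt_conntrack.h). XT_INV_PROTO and
 * XT_CONNTRACK_STATUS are both 0x40: the aliasing the report points at. */
#define XT_INV_PROTO        0x40
#define XT_CONNTRACK_PROTO  (1 << 1)
#define XT_CONNTRACK_STATUS (1 << 6)
struct ct_info {            /* model of the xt_conntrack_mtinfo fields involved */
    uint16_t match_flags;   /* which --ct* options were given */
    uint16_t invert_flags;  /* which of them carried a leading '!' */
    uint8_t  l4proto;       /* argument of --ctproto */
};

/* Issues (i) and (ii): wrong mask, and the test runs before this option's own
 * invert bit is recorded, so it only fires if "! --ctstatus" already set 0x40. */
static bool buggy_parse_ctproto(struct ct_info *info, bool negated, uint8_t proto)
{
    bool reject = proto == 0 && (info->invert_flags & XT_INV_PROTO);
    info->match_flags |= XT_CONNTRACK_PROTO;
    if (negated)
        info->invert_flags |= XT_CONNTRACK_PROTO;   /* set only after the test */
    info->l4proto = proto;
    return reject;
}

/* What the report argues for: protocol 0 never matches and "! --ctproto 0"
 * always matches, so reject protocol 0 whether or not it is negated. */
static bool fixed_parse_ctproto(struct ct_info *info, bool negated, uint8_t proto)
{
    info->match_flags |= XT_CONNTRACK_PROTO;
    if (negated)
        info->invert_flags |= XT_CONNTRACK_PROTO;
    info->l4proto = proto;
    return (info->match_flags & XT_CONNTRACK_PROTO) && info->l4proto == 0;
}

/* One command line: optional (maybe negated) --ctstatus, then --ctproto.
 * Returns true when the chosen model rejects the rule. */
bool rule_rejected(bool fixed, bool status_given, bool status_negated,
                   bool proto_negated, uint8_t proto)
{
    struct ct_info info = {0};
    if (status_given) {
        info.match_flags |= XT_CONNTRACK_STATUS;
        if (status_negated)
            info.invert_flags |= XT_CONNTRACK_STATUS;
    }
    return fixed ? fixed_parse_ctproto(&info, proto_negated, proto)
                 : buggy_parse_ctproto(&info, proto_negated, proto);
}
```

With the buggy model only `! --ctstatus ASSURED --ctproto 0` is rejected; `--ctproto 0` and `! --ctproto 0` on their own pass, which is the "doesn't (usually)" of the bug title.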
bugzilla-daemon at netfilter.org
2013-Nov-30  21:37 UTC
[Bug 873] iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
https://bugzilla.netfilter.org/show_bug.cgi?id=873
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com
--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-11-30 22:37:46 CET ---
Please submit your patch to netfilter-devel at vger.kernel.org with your
signed-off-by, thanks.