Displaying 2 results from an estimated 2 matches for "invert_flags".
2013 Mar 20
2
netfilter+libvirt=(smth got broken?)
Hello,
I'm having a problem setting up filtering traffic for a virtual machine
managed by libvirt. Strange thing is, such a setup has been working fine
for me on an older version of the distro (namely, opensuse 11.3 w/updates,
kernel 2.6.34, libvirt 0.8.8) but refused to work on shiny new opensuse
12.4 (kernel 3.7.10, libvirt 1.0.2).
The definition of filter in question is pretty simple:
2013 Nov 23
1
[Bug 873] New: iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
...ours: 0.0
Created attachment 426
--> https://bugzilla.netfilter.org/attachment.cgi?id=426
Patch to correct check for --ctproto 0
There are three issues in the code:
i) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
ii) in conntrack_mt_parse it is testing (info->invert_flags & XT_INV_PROTO)
before the invert bit has been set.
iii) the sense of the error message is the wrong way round
i) To get the error, ! --ctstatus XXX has to be specified, since XT_INV_PROTO ==
XT_CONNTRACK_STATUS
e.g. iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
iii) Un...