[Bug 562] Rule gets implicitly eliminated ("optimized away") --> But that's not ok --> A Logic Bug

bugzilla-daemon at bugzilla.netfilter.org
Tue Nov 25 19:13:01 CET 2008


http://bugzilla.netfilter.org/show_bug.cgi?id=562


for-openvz at alicewho.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




------- Comment #2 from for-openvz at alicewho.com  2008-11-25 19:13 -------
(In reply to comment #1)
> >   # BUG: if "-p tcp" is left out or if instead "-p all" is used then the rule gets eliminated!
> >  /sbin/iptables -A INPUT -p tcp --dport 139 --match recent --name WATCHLIST --set -j DROP
> 
> Yes, because that is an invalid rule without "-p tcp", since you are including
> "--dport 139".
> 
> Please ask your question about this on the netfilter user mailing list, as
> there is nothing wrong with iptables here, only your rules.  

Hmm. I think you got me wrong.
It is a general issue, port 139 above was just a bad example.
Let's replace it with say port 8191.
The goal is to DROP all connect attempts to port 8191 AND
put such clients to the WATCHLIST AND deny them any further
contact for 20 seconds:

...
  # if anybody from the list WATCHLIST, and in the last 20 sec, tries to do new connect attempts then DROP them!
  /sbin/iptables -A INPUT --match recent --name WATCHLIST --rcheck --seconds 20 -j DROP

  # if anybody tries to connect to port 8191, then drop them and add them to the WATCHLIST
  # BUG: if "-p XXX" is left out or if instead "-p all" is used then the rule gets eliminated!
  /sbin/iptables -A INPUT --dport 8191 --match recent --name WATCHLIST --set -j DROP
...

The above isn't working. The last rule is missing in the output list.
If one specifies a protocol (for example "-p tcp") then it works,
but that's not the intention here because the rule shall be valid
for all protocols on this port 8191.

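Added example, not part of the bug report or of iptables itself: a small POSIX-shell script that emits the WATCHLIST rules with every port match paired with an explicit protocol that actually carries ports, plus a lint function that flags the pattern discussed in this thread, "--dport" without "-p tcp/udp/...". The protocol list and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread). "--dport" is an option of the tcp/udp/
# sctp/dccp protocol matches, so a rule with "-p all" or no "-p" cannot carry it;
# "all protocols on this port" therefore means one rule per port-bearing protocol.
# Port, list name and timeout come from the thread; PROTOS is an assumption.

PORT=8191
LIST=WATCHLIST
BLOCK_SECS=20
PROTOS="tcp udp"   # assumption: the protocols that carry port 8191 on this host

# Emit the rule set: the --rcheck rule first, then one --set rule per protocol.
watchlist_rules() {
    echo "iptables -A INPUT -m recent --name $LIST --rcheck --seconds $BLOCK_SECS -j DROP"
    for p in $PROTOS; do
        echo "iptables -A INPUT -p $p --dport $PORT -m recent --name $LIST --set -j DROP"
    done
}

# Lint: read rules on stdin and report every one that uses --dport/--sport
# without a port-bearing protocol selected via "-p" (the long form --protocol
# is not handled here). Returns 1 if any offending rule was seen, else 0.
lint_port_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            *--dport*|*--sport*)
                case "$rule" in
                    *" -p tcp "*|*" -p udp "*|*" -p udplite "*|*" -p sctp "*|*" -p dccp "*) ;;
                    *) echo "MISSING PROTOCOL: $rule"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}
```

Piping the generated rules through the lint (`watchlist_rules | lint_port_rules`) passes, while the thread's `--dport 8191` rule without `-p` is reported.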
