[Bug 875] New: iptables -m conntrack --ctstatus NONE, EXPECTED is not consistent with --ctstatus SEEN_REPLY,EXPECTED

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sat Nov 23 13:48:28 CET 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=875

           Summary: iptables -m conntrack --ctstatus NONE,EXPECTED is not
                    consistent with --ctstatus SEEN_REPLY,EXPECTED
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: quentin at armitage.org.uk
   Estimated Hours: 0.0


Created attachment 428
  --> https://bugzilla.netfilter.org/attachment.cgi?id=428
Patch for iptables to allow NONE to work with other statuses

If --ctstatus SEEN_REPLY,EXPECTED is specified, it matches on either SEEN_REPLY
or EXPECTED. On the other hand, if --ctstatus NONE,EXPECTED is specified, it
only matches on EXPECTED, and doesn't match on NONE; but to be consistent,
--ctstatus NONE,EXPECTED should match on either NONE or EXPECTED.

This is demonstrated by entering the following:
iptables -I CHAIN 1 -m conntrack --ctstatus NONE,EXPECTED -j LOG
iptables -nvL CHAIN 1
where it can be seen that the NONE has been 'lost'.

I think there are three possible solutions to this:
i) Drop NONE altogether, ! --ctstatus EXPECTED,ASSURED,SEEN_REPLY,CONFIRMED
does the same as --ctstatus NONE
ii) Don't allow NONE to be specified with any of the other statuses.
iii) Make NONE be treated in the same way as the other statuses for status
comparison.

i) would break existing configurations.
ii) might also break existing configurations (but not any restored with
iptables-restore).

The advantages of i) and ii) are that they are simple. Although ii) would make
some configurations loaded from scripts fail, the configurations wouldn't have
worked as intended, since the NONE would have been silently ignored.

iii) gives the greatest flexibility, but also requires a small patch to the
kernel.

The attached patches implement option iii).

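The following is an added example, not code from the bug report, the attached patches, iptables or the kernel. It models the mask arithmetic the report describes: because NONE has no status bit of its own, OR-ing it into a --ctstatus mask leaves nothing behind, which is why `NONE,EXPECTED` loses the NONE while `SEEN_REPLY,EXPECTED` keeps both. The IPS_* bit values and the NONE_FLAG bit are assumed placeholders (the real constants differ), and the "fixed" functions are one reading of option iii), not the patch itself.

```python
"""Model of iptables --ctstatus mask handling (added example, not netfilter code).

The IPS_* bit values and NONE_FLAG are assumed placeholders; only the
mask arithmetic, which the bug report turns on, is what matters here.
"""

IPS_EXPECTED = 1 << 0
IPS_SEEN_REPLY = 1 << 1
IPS_ASSURED = 1 << 2
IPS_CONFIRMED = 1 << 3
STATUS_BITS = {
    "EXPECTED": IPS_EXPECTED,
    "SEEN_REPLY": IPS_SEEN_REPLY,
    "ASSURED": IPS_ASSURED,
    "CONFIRMED": IPS_CONFIRMED,
}
ALL_STATUS = IPS_EXPECTED | IPS_SEEN_REPLY | IPS_ASSURED | IPS_CONFIRMED

# Assumed flag bit for option iii): gives NONE a representation that survives OR-ing.
NONE_FLAG = 1 << 7


def parse_ctstatus_current(spec):
    """Current behaviour: NONE contributes no bits, so it vanishes when combined."""
    mask = 0
    for name in spec.upper().split(","):
        if name != "NONE":
            mask |= STATUS_BITS[name]
    return mask


def match_current(mask, ct_status, invert=False):
    """Current semantics: mask 0 (NONE alone) means 'no status bits set', else any-bit match."""
    hit = ct_status == 0 if mask == 0 else (ct_status & mask) != 0
    return hit != invert


def parse_ctstatus_fixed(spec):
    """Option iii): NONE is carried as its own flag bit alongside the real status bits."""
    mask = 0
    for name in spec.upper().split(","):
        mask |= NONE_FLAG if name == "NONE" else STATUS_BITS[name]
    return mask


def match_fixed(mask, ct_status, invert=False):
    """Option iii) semantics: NONE matches a status with no bits set, the rest match any bit."""
    if mask & NONE_FLAG and ct_status == 0:
        hit = True
    else:
        hit = (ct_status & mask & ALL_STATUS) != 0
    return hit != invert


def render(mask):
    """What `iptables -nvL` would print for the mask; shows NONE being 'lost' in the current form."""
    names = [n for n, b in STATUS_BITS.items() if mask & b]
    if mask & NONE_FLAG or mask == 0:
        names.insert(0, "NONE")
    return ",".join(names)


def compare(spec):
    """Per conntrack status value, (current_match, fixed_match) for a --ctstatus spec."""
    cur, fix = parse_ctstatus_current(spec), parse_ctstatus_fixed(spec)
    return {s: (match_current(cur, s), match_fixed(fix, s)) for s in range(ALL_STATUS + 1)}


if __name__ == "__main__":
    for spec in ("SEEN_REPLY,EXPECTED", "NONE,EXPECTED", "NONE"):
        print(f"{spec:20} current renders as: {render(parse_ctstatus_current(spec))!r}")
        for status, (cur, fix) in compare(spec).items():
            if cur != fix:
                print(f"  status=0b{status:04b}: current={cur} fixed={fix}")
```

Running it shows that only the `NONE,EXPECTED` rule differs between the two models, and only for a conntrack entry with no status bits set: the current form never matches it, the option iii) form does. The inversion equivalence the report mentions (`! --ctstatus EXPECTED,ASSURED,SEEN_REPLY,CONFIRMED` behaving like `--ctstatus NONE`) also holds in the model for every status value.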