<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:rwhite@pobox.com" title="Robert White <rwhite@pobox.com>"> <span class="fn">Robert White</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - Allow for multiple protocols to be specified in a rule"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1057">bug 1057</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>rwhite@pobox.com
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Allow for multiple protocols to be specified in a rule"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1057#c2">Comment # 2</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Allow for multiple protocols to be specified in a rule"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1057">bug 1057</a>
from <span class="vcard"><a class="email" href="mailto:rwhite@pobox.com" title="Robert White <rwhite@pobox.com>"> <span class="fn">Robert White</span></a>
</span></b>
<pre>I am not an authority here by any means, but I spotted this while checking
whether a different idea of mine would be a duplicate...
The problem I see is that your example conflates syntax and value.
So you asked for:
{udp, tcp} sport domain ip daddr 127.0.0.1 accept
Which you want to be equivalent to the working syntax
tcp sport domain ip daddr 127.0.0.1 accept
udp sport domain ip daddr 127.0.0.1 accept
But in this case the "udp" and "tcp" respectively introduce the syntax for
"sport" instead of being just a selector for the protocol numeric value. After
all, other ip protocols like "icmp" don't have any ports, source or
destination.
Note that you can select for multiple protocols by value using "meta protocol":
add rule example foo meta protocol { udp, tcp } ip daddr 127.0.0.1 accept
But the actual rule you asked for is problematic because other (think raw
numeric) protocols may generate packets that aren't even long enough for the
lookup of the memory that might hold "sport" to be present.
But what happens for
add rule example foo meta protocol { udp, tcp, 73 } sport domain ip daddr
127.0.0.1 accept
Does protocol 73 even have an sport value?
The necessary underlying code seems like it'd get back to being awfully twisty.
A unified header of some name that has all the common fields for tcp, udp, and
anything else that happens to line up (sctp? udplite?) (much like "inet"
unified "ip" and "ipv6") might be worthwhile eventually to get to dport and
sport entries, but it might get confusing or elaborate compared to the system
speed and focus targets for the project.
Something like u16 matching could do this explicitly (is that even a thing in
nftables?) but that "optimization" would probably be slower than just having
two rules.</pre>
</div>
</p>
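The three forms discussed in the comment above, written out as a constructed nftables ruleset. This is an added illustration, not code from the bug report or from the nftables project; the table and chain names (`example`, `foo`) are taken from the report's own examples and the policy is arbitrary. It uses `meta l4proto` to select the transport protocol and the `th` transport-header expression (`th sport`) for the single-rule port match, which assumes a recent nftables release; the last rule shows the raw 16-bit payload match (`@th,0,16`) that the comment refers to as "u16 matching". Load it with `nft -c -f <file>` to syntax-check without installing it.

```nft
# Constructed example ruleset (not from the bug report). Family "ip" matches
# the report's unqualified "add rule example foo" usage.
table ip example {
    chain foo {
        type filter hook input priority 0; policy drop;

        # Form 1: the working two-rule version from the report. Each rule
        # carries its own protocol dependency, so "sport" is only read when
        # the transport header is known to be TCP or UDP.
        tcp sport domain ip daddr 127.0.0.1 accept
        udp sport domain ip daddr 127.0.0.1 accept

        # Form 2: one rule. "meta l4proto { tcp, udp }" restricts the match to
        # protocols that actually carry a port field; "th sport" then reads the
        # source port from the transport header regardless of which of the two
        # it is. (Assumption: "th" is available in your nftables version.)
        meta l4proto { tcp, udp } th sport domain ip daddr 127.0.0.1 accept

        # Form 3: raw payload match, 16 bits at offset 0 of the transport header
        # (the source-port position shared by TCP, UDP, UDP-Lite and SCTP).
        # The l4proto guard is what keeps this from comparing the first two
        # bytes of some other protocol's header, which is the concern raised
        # about protocols such as "73" in the comment above.
        meta l4proto { tcp, udp } @th,0,16 53 ip daddr 127.0.0.1 accept
    }
}
```

Only one of the single-rule forms would be kept in a real ruleset; both are shown so the named-port version and the raw-offset version can be compared. Neither changes what the kernel evaluates for protocols without ports: the set lookup on `meta l4proto` fails first and the payload load is never reached.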
</body>
</html>