Tue, 16 Oct 2001 01:11:05 -0700
On Tue, Oct 16, 2001 at 09:46:35AM +0200, Harald Welte wrote:
> First of all, excuse the huge delay. Seems like everybody (including myself)
> was too busy during the last weeks.
It's no problem. I understand how that goes.
> Ok. I wonder why people blame the distributors for something like this -
> it should be passed on to us...
Yeah well I am on Mandrake's security team and when we put out the
update to fix some other security issue in iptables I managed to figure
this issue out and then pass it along to you guys. Some users don't
understand the idea of directly letting you know.
> You are right. The double -t is problematic. Theoretically this would
> be legal (it should work on a "iptables -t ... -t ..." line [i guess the last
> table is used]), it cannot work. The whole set of rules between
> Is commited as one transaction into the kernel. And a single operation can
> only work on a single table.
This would explain why my work arounds of removing the automatically
generated -t if there was already one present. And explains why I found
the parser very confusing.
> ok. I'll consider your patch, though I'm not sure if there is a more clean
> way of solving the problem. Maybe the iptables core should refuse taking
> two "-t " options at all.
I'm not sure. I did what I did as a quick work around. I tried mucking
around with the core but I'm just not familiar enough with the whole
system to be very effective.
Ben Reser <email@example.com>
"To fight and conquer in all our battles is not supreme excellence.
Supreme excellence consists in breaking the enemy's resistance without
fighting." -Chinese philosopher Sun Tzu