two negatived parameters

Cedric Blancher blancher at
Mon Sep 6 11:00:19 CEST 2004

Le lun 06/09/2004 à 10:28, Akolinare at a écrit :
> I create a rule, which should only match if source and destination are not
> the given. I think that it is easy and try the following rule:
> iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
> But with this rule pakets from host1 to host3 (or from host2 to host3) were
> not affected. It seems like the logical combination is OR and not AND unlike
> the not negatived rule.

When you build a rule, all parameters are combined with an AND, and it's
logical (to me) that it is style the case here. When you write :

	iptables -A FORWARD -s host1 -d host2 -j ACCEPT

You say :

	if packet is (from host1) AND (to host2) then ACCEPT

Now, if you negate a parameter, you only negate this one, not a couple
of them. So you get :

	if packet is (not from host1) AND (not to host2) then ACCEPT

Which can be translated as :

	if packet is not (from host1 OR to host2) then ACCEPT

And it explains why your packets are not matched, as your test packet is
from host1. So there's no bug (imho) ;)

But there's something about the second packet that should matche (host2
to host3). Can you confirm that this very packet does not match ? As
Alistair, I did a similar test (iptables 1.2.11 on 2.6.5 kernel) on a
double negative rule and it matched.

PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

More information about the netfilter mailing list