[Bug 875] New: iptables -m conntrack --ctstatus NONE, EXPECTED is not consistent with --ctstatus SEEN_REPLY,EXPECTED
bugzilla-daemon at netfilter.org
Sat Nov 23 13:48:28 CET 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=875
Summary: iptables -m conntrack --ctstatus NONE,EXPECTED is not consistent with --ctstatus SEEN_REPLY,EXPECTED
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: quentin at armitage.org.uk
Estimated Hours: 0.0
Created attachment 428
--> https://bugzilla.netfilter.org/attachment.cgi?id=428
Patch for iptables to allow NONE to work with other statuses
If --ctstatus SEEN_REPLY,EXPECTED is specified, it matches on either SEEN_REPLY
or EXPECTED. On the other hand, if --ctstatus NONE,EXPECTED is specified, it
only matches on EXPECTED, and doesn't match on NONE; but to be consistent,
--ctstatus NONE,EXPECTED should match on either NONE or EXPECTED.
This is demonstrated by entering the following:
iptables -I CHAIN 1 -m conntrack --ctstatus NONE,EXPECTED -j LOG
iptables -nvL CHAIN 1
where it can be seen that the NONE has been 'lost'.
I think there are three possible solutions to this:
i) Drop NONE altogether; ! --ctstatus EXPECTED,ASSURED,SEEN_REPLY,CONFIRMED
does the same as --ctstatus NONE.
ii) Don't allow NONE to be specified with any of the other statuses.
iii) Make NONE be treated in the same way as the other statuses for status
comparison.
i) would break existing configurations.
ii) might also break existing configurations (but not any restored with
iptables-restore).
The advantages of i) and ii) are that they are simple. Although ii) would make
some configurations loaded from scripts fail, those configurations wouldn't
have worked as intended anyway, since the NONE would have been silently
ignored.
iii) gives the greatest flexibility, but also requires a small patch to the
kernel.
The attached patches implement option iii).
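To make the mechanism behind the report concrete, the following is an added model (not iptables code and not the attached patch) of how a status keyword list is folded into one bitmask. It assumes, as the report's "NONE has been 'lost'" output suggests, that user-space maps NONE to a value of 0 while every other keyword contributes a flag bit, so OR-ing NONE with EXPECTED yields exactly the mask for EXPECTED. The IPS_* values, the extra XT_STATUS_NONE bit used to model option iii), and the match predicate (which encodes the semantics the report asks for, not the kernel's actual code) are all constructed for this illustration.

```python
"""Model of iptables -m conntrack --ctstatus keyword parsing and matching.

Added illustration for the bug report above; not code from iptables, the
kernel, or the attached patch. Bit values and the match predicate are
assumptions made for the example.
"""

# Constructed stand-ins for the kernel's IPS_* status bits.
IPS_EXPECTED = 1 << 0
IPS_SEEN_REPLY = 1 << 1
IPS_ASSURED = 1 << 2
IPS_CONFIRMED = 1 << 3

# Current behaviour (assumed): NONE contributes no bit, so it cannot survive
# being ORed together with any other keyword.
STATUS_CURRENT = {
    "NONE": 0,
    "EXPECTED": IPS_EXPECTED,
    "SEEN_REPLY": IPS_SEEN_REPLY,
    "ASSURED": IPS_ASSURED,
    "CONFIRMED": IPS_CONFIRMED,
}

# Option iii) from the report, modelled by giving NONE a flag of its own
# (hypothetical bit chosen outside the IPS_* range).
XT_STATUS_NONE = 1 << 8
STATUS_FIXED = dict(STATUS_CURRENT, NONE=XT_STATUS_NONE)


def parse_ctstatus(spec, table):
    """Fold a comma-separated --ctstatus list into a single mask."""
    mask = 0
    for word in spec.split(","):
        if word not in table:
            raise ValueError("unknown ctstatus keyword: %s" % word)
        mask |= table[word]
    return mask


def format_ctstatus(mask, table):
    """Render a mask the way a rule listing (iptables -nvL) would show it:
    named bits that are set, or NONE when nothing is set."""
    names = [name for name, bit in table.items() if bit and mask & bit]
    return ",".join(names) if names else "NONE"


def wants_none(mask, table):
    """Did the rule ask for NONE?  With NONE == 0 that is only detectable
    when NONE was the sole keyword (mask == 0); with a dedicated bit it is
    detectable in any combination."""
    none_bit = table["NONE"]
    return mask == 0 if none_bit == 0 else bool(mask & none_bit)


def matches(mask, ct_status, table):
    """Semantics the report asks for: match if any listed status applies,
    where NONE applies to a connection with no status bits set at all."""
    none_bit = table["NONE"]
    if wants_none(mask, table) and ct_status == 0:
        return True
    return bool(mask & ~none_bit & ct_status)


if __name__ == "__main__":
    for label, table in (("current", STATUS_CURRENT), ("option iii", STATUS_FIXED)):
        mask = parse_ctstatus("NONE,EXPECTED", table)
        print(label, "-> listed as", format_ctstatus(mask, table),
              "| new connection (status 0) matches:", matches(mask, 0, table))
```

Running the module shows the inconsistency the report describes: under the current table "NONE,EXPECTED" lists as plain "EXPECTED" and a connection with no status bits does not match, while "SEEN_REPLY,EXPECTED" matches either status as expected; with NONE given its own bit, the listing keeps NONE and the rule matches on either NONE or EXPECTED.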