[Bug 904] New: Matching ah without optional argument gives unintuitive result

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Feb 13 16:18:38 CET 2014


https://bugzilla.netfilter.org/show_bug.cgi?id=904

           Summary: Matching ah without optional argument gives
                    unintuitive result
           Product: iptables
           Version: 1.4.x
          Platform: arm
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: saltyacid at gmail.com
   Estimated Hours: 0.0


Found on version 1.4.19.1 and concerns both iptables and ip6tables.

How to use -m ah is described here:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-6.html

# ip6tables -A INPUT -m ah --ahspi 500 -j DROP

# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ah spi:500


However, ignoring the optional argument --ahspi gives a check that we match
SPI=0 (I would think that the normal behavior is to not care about the spi at
all).

So if we do:
# ip6tables -A INPUT -m ah -j DROP

We get:
# ip6tables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all      anywhere             anywhere           ah spi:0

To me, this should either be changed if possible, or else ahspi should not be
optional, or it must be well documented, as the current implementation fools
people.

While googling I have seen a few places where:
ip6tables -A INPUT -m ah -j DROP
was used and definitely did not give the correct result (with respect to what
the author wanted).

Of course you can use ! --ahspi 0 to match all but one spi but this is just a
workaround.

I would imagine that the behavior for --espspi is the same.

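As an added example (not part of the report, and not iptables code), the check below scans `ip6tables --list` output in the format shown in the report and flags rules whose AH match prints as a plain `spi:0`, which per the report is what a bare `-m ah` without `--ahspi` produces. The listing text is constructed for the example; the rule numbers it reports are counted positionally per chain.

```python
import re

# Constructed sample of `ip6tables --list` output, modelled on the listing in
# the report: one rule with an explicit --ahspi 500 and one with a bare -m ah.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere           ah spi:500
DROP       all      anywhere             anywhere           ah spi:0
ACCEPT     all      anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
# Matches "ah spi:500" and the negated form "ah spi:!0"; group 1 is the
# optional "!", group 2 the SPI value.
AH_SPI_RE = re.compile(r"\bah spi:(!?)(\d+)\b")


def find_ah_spi0_rules(listing):
    """Return (chain, rule_number, rule_text) for every rule whose AH match
    is a non-negated spi:0, i.e. the unintuitive default the report describes.
    rule_number counts rules within the chain, so it lines up with the
    numbering `ip6tables --list --line-numbers` would show."""
    hits = []
    chain = None
    rule_no = 0
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            rule_no = 0
            continue
        if not line.strip() or line.startswith("target"):
            continue  # blank separator or the column-header line
        rule_no += 1
        m = AH_SPI_RE.search(line)
        if m and m.group(1) == "" and m.group(2) == "0":
            hits.append((chain, rule_no, line.strip()))
    return hits


if __name__ == "__main__":
    for chain, num, text in find_ah_spi0_rules(SAMPLE_LISTING):
        print(f"{chain} rule {num} matches AH with spi:0 only: {text}")
```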