[Bug 904] New: Matching ah without optional argument gives unintuitive result
bugzilla-daemon at netfilter.org
Thu Feb 13 16:18:38 CET 2014
https://bugzilla.netfilter.org/show_bug.cgi?id=904
Summary: Matching ah without optional argument gives unintuitive result
Product: iptables
Version: 1.4.x
Platform: arm
OS/Version: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: saltyacid at gmail.com
Estimated Hours: 0.0
Found on version 1.4.19.1 and concerns both iptables and ip6tables.
How to use -m ah is described here:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-6.html
# ip6tables -A INPUT -m ah --ahspi 500 -j DROP
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ah spi:500
However, ignoring the optional argument --ahspi gives a check that we match
SPI=0 (I would think that the normal behavior is to not care about the spi at
all).
So if we do:
# ip6tables -A INPUT -m ah -j DROP
We get:
# ip6tables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere ah spi:0
To me, this should either be changed if possible or else ahspi should not be
optional or it must be well documented as the current implementation fools
people.
While googling I have seen a few places where:
ip6tables -A INPUT -m ah -j DROP
was used and definitely did not give the correct result (compared to what the author
wanted).
Of course you can use ! --ahspi 0 to match all but one spi but this is just a
workaround.
I would imagine that the behavior for --espspi is the same.
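The following is an added example and not part of the bug report: a small POSIX shell audit that scans rules in iptables-save/ip6tables-save format and flags any `-m ah` match that carries no explicit `--ahspi` argument, since (per the report) such a rule ends up matching only SPI 0 rather than every AH packet. The sample rule set is constructed here to mirror the two rules shown above plus the `! --ahspi 0` workaround the reporter mentions; the function name `find_ah_without_spi` is this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables project).
# Audit iptables-save / ip6tables-save style rules for "-m ah" matches
# that omit --ahspi. Per bug 904, such a rule is listed as "ah spi:0"
# and matches only SPI 0, which is rarely what the rule author meant.

# Constructed sample input in save format (one rule per line).
SAMPLE_RULES='-A INPUT -m ah --ahspi 500 -j DROP
-A INPUT -m ah -j DROP
-A INPUT -m ah ! --ahspi 0 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# find_ah_without_spi RULES
#   Prints every rule that uses "-m ah" without any --ahspi argument.
#   Returns 1 if at least one such rule was found, 0 otherwise, so it
#   can be used directly as a guard in scripts or CI checks.
find_ah_without_spi() {
    printf '%s\n' "$1" | awk '
        / -m ah( |$)/ && !/--ahspi/ { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Usage against the constructed sample: the bare "-m ah -j DROP" rule is
# reported; the rules with an explicit (or negated) --ahspi are not.
# To audit a live system instead, feed it "$(ip6tables-save)" or "$(iptables-save)".
find_ah_without_spi "$SAMPLE_RULES" \
    || echo "above rule(s) match only SPI 0; state --ahspi explicitly (e.g. ! --ahspi 0 as in the report)"
```

The check keys on the save-format text rather than on `--list` output because the save format is stable and shows the options exactly as they were given, whereas `--list` renders the match as `ah spi:0`, which is precisely the form that misled the users mentioned in the report.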