Hi, I was testing shorewall with some configuration and found a bug in shorewall version 3.4.4. It seems to be there in iptables as well.

23:51 < justin007> I was testing shorewall and got a bug which seems to be there in netfilter as well.
23:51 < justin007> iptables -t mangle -A tcpost -i lan1 -s 192.168.10.10 -o wan1 -p tcp --dport 22 -j CLASSIFY --set-class 1:11
23:52 < justin007> in tcpost the -i interface name is invalid, iptables takes it though.
23:53 < jengelh> interesting
23:53 < jengelh> actually
23:53 < jengelh> ...
23:55 < jengelh> and, is it bad? no.
23:55 < jengelh> it does not crash the machine so all is fine for now
23:57 < justin007> yes it does not crash the machine. But it matches all ports, *. which is not expected behaviour. man page does say that the -i interface name option is valid only in pre, forward, input chains
23:57 < justin007> Just wanted to mention this.
23:59 < jengelh> right
23:59 < jengelh> post it to the mailing list (or I will do) so no one forgets about it
Day changed to 15 Feb 2008
00:00 < justin007> please do post, I would need to join the list in the first place :-)
00:01 < jengelh> you don't need to subscribe
00:01 < jengelh> just post to netfilter-devel@vger
00:01 < justin007> ok, I will post.
00:02 < jengelh> "Use of interface specification (e.g. -i) is not checked against hooks when custom chain is used"
00:02 < jengelh> iptables -N foo; iptables -A foo -i eth0; iptables -A OUTPUT -j foo;
00:03 < jengelh> That's all :)
00:03 < jengelh> short, sweet and to the point
00:05 < justin007> where is that from, I don't see it with man iptables
00:05 < jengelh> oh I just wrote that
00:05 < jengelh> that's what I would have written into the mail
00:05 < justin007> :-)

-justin
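The missing check that jengelh summarises, as an added example that is not part of this thread or of iptables itself: a small Python linter over iptables-save output (the sample input is constructed to reproduce the tcpost rule from the log) that reports -i/-o matches sitting in user chains which are only reachable from a hook where that device is not known.

```python
from collections import defaultdict

# Hook chain -> interface option that can never match there (no input device
# in OUTPUT/POSTROUTING, no output device in PREROUTING/INPUT). iptables rejects
# these on a built-in chain but not in a user chain jumped to from it.
DEAD_OPTS = {"PREROUTING": "-o", "INPUT": "-o", "OUTPUT": "-i", "POSTROUTING": "-i"}

# Constructed iptables-save excerpt reproducing the tcpost rule from the log.
SAMPLE = """*mangle
-A PREROUTING -i lan1 -p tcp --dport 22 -j MARK --set-mark 11
-A POSTROUTING -j tcpost
-A tcpost -i lan1 -s 192.168.10.10/32 -o wan1 -p tcp --dport 22 -j CLASSIFY --set-class 1:11
COMMIT"""

def parse_save(text):
    """Yield (table, chain, options) for each -A line of iptables-save output."""
    table = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = line.split()[1:]
            yield table, toks[0], toks[1:]

def jump_target(opts):
    """Name following -j or -g (a user chain or a target extension)."""
    for flag in ("-j", "-g"):
        if flag in opts[:-1]:
            return opts[opts.index(flag) + 1]
    return None

def reachable_hooks(rules):
    """Map (table, chain) to the built-in chains that reach it via jumps."""
    callers = defaultdict(set)
    for table, chain, opts in rules:
        if jump_target(opts):
            callers[(table, jump_target(opts))].add(chain)
    def hooks(table, chain, seen):
        if chain in DEAD_OPTS:
            return {chain}
        return set().union(*(hooks(table, c, seen | {c})
                             for c in callers[(table, chain)] - seen))
    return {(t, c): hooks(t, c, {c}) for t, c, _ in rules}

def find_dead_interface_matches(save_text):
    """Interface matches that can never apply given the hook reaching their chain."""
    rules = list(parse_save(save_text))
    hooks = reachable_hooks(rules)
    return [(t, c, h, DEAD_OPTS[h], " ".join(o)) for t, c, o in rules
            for h in sorted(hooks[(t, c)]) if DEAD_OPTS[h] in o]
```

A chain reached from several hooks is only reported for the hooks where the option is dead, so a user chain shared by INPUT and OUTPUT with an -i match is flagged once, for OUTPUT.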