On Monday 2008-12-08 15:57, Max Kellermann wrote:

> iptables-save misplaces the exclamation mark (negation): it puts the
> exclamation mark before the option name, although the option is
> documented as requiring the negation specifier before the arguments.
>
> Example:
>
>     --tcp-flags [!] mask comp
>
> iptables-save generates the following:
>
>     -A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK SYN -j ACCEPT

The documentation is correct with what iptables outputs:

    [!] --tcp-flags mask comp
        Match when the TCP flags are as specified. The first argument
        mask is the flags which we should examine, written as a
        comma-separated list, and the second argument comp is a
        comma-separated list of flags which must be set. Flags are:
        SYN ACK FIN RST URG PSH ALL NONE. Hence the command

            iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

        will only match packets with the SYN flag set, and the ACK, FIN
        and RST flags unset.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
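The following is an added worked example, not code from iptables or from anyone in this thread. It models the mask/comp semantics quoted from the man page above, `(flags & mask) == comp` with a leading `!` inverting the verdict, and parses both rule lines from the thread (the extrapositioned `! --tcp-flags` form that iptables-save emits). The flag bit values are the TCP header bits; the sample packets, the rule-line parser and its acceptance of the older intrapositioned spelling `--tcp-flags ! mask comp` are choices of this example, not statements about any iptables version.

```python
"""Model of the iptables TCP-flag match: "[!] --tcp-flags mask comp".

Added example; not code from iptables or from the netfilter-devel thread.
Semantics follow the man-page text quoted in the thread: only the bits in
`mask` are examined, and of those exactly the bits in `comp` must be set.
"""

# TCP header flag bits (byte 13 of the TCP header).
TCP_FLAG_BITS = {
    "FIN": 0x01,
    "SYN": 0x02,
    "RST": 0x04,
    "PSH": 0x08,
    "ACK": 0x10,
    "URG": 0x20,
}
# Keyword shorthands listed in the man page for --tcp-flags.
TCP_FLAG_ALIASES = {"ALL": 0x3F, "NONE": 0x00}


def parse_flag_list(text):
    """Turn a comma-separated list such as "SYN,ACK,FIN,RST" into a bitmask."""
    value = 0
    for name in text.split(","):
        name = name.strip().upper()
        if name in TCP_FLAG_BITS:
            value |= TCP_FLAG_BITS[name]
        elif name in TCP_FLAG_ALIASES:
            value |= TCP_FLAG_ALIASES[name]
        else:
            raise ValueError("unknown TCP flag: %r" % name)
    return value


def parse_tcp_flags_rule(rule_line):
    """Extract (negate, mask, comp) from an iptables / iptables-save rule line.

    Understands the extrapositioned negation that iptables-save emits and the
    man page documents ("! --tcp-flags mask comp").  As a choice of this
    example, the older intrapositioned spelling ("--tcp-flags ! mask comp")
    is accepted too and means the same thing.  Negating twice is an error.
    """
    tokens = rule_line.split()
    if "--tcp-flags" not in tokens:
        raise ValueError("rule has no --tcp-flags match")
    i = tokens.index("--tcp-flags")
    negate = i > 0 and tokens[i - 1] == "!"
    args = tokens[i + 1:]
    if args and args[0] == "!":
        if negate:
            raise ValueError("--tcp-flags negated twice")
        negate = True
        args = args[1:]
    if len(args) < 2:
        raise ValueError("--tcp-flags needs a mask and a comp argument")
    return negate, parse_flag_list(args[0]), parse_flag_list(args[1])


def tcp_flags_match(rule, flags_byte):
    """Evaluate the match as the man page describes it, honouring "!"."""
    negate, mask, comp = rule
    hit = (flags_byte & mask) == comp
    return not hit if negate else hit


# Constructed sample packets: the TCP flag byte as it would appear on the wire.
SAMPLE_PACKETS = {
    "syn": 0x02,
    "syn_ack": 0x12,
    "ack": 0x10,
    "syn_fin": 0x03,
    "syn_psh": 0x0A,  # PSH is outside both masks below, so it must not matter
}

# The two rule lines from the thread.
FORWARD_RULE = "-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN"
SAVED_RULE = "-A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK SYN -j ACCEPT"


def evaluate(rule_line, packets=SAMPLE_PACKETS):
    """Return {packet name: verdict} for one rule line over the sample packets."""
    rule = parse_tcp_flags_rule(rule_line)
    return {name: tcp_flags_match(rule, flags) for name, flags in packets.items()}


if __name__ == "__main__":
    for line in (FORWARD_RULE, SAVED_RULE):
        print(line)
        for name, verdict in evaluate(line).items():
            print("  %-8s %s" % (name, "match" if verdict else "no match"))
```

Running it shows the point of the man-page sentence: the FORWARD rule matches a bare SYN (and SYN+PSH, because PSH is not in the mask) but not SYN+ACK, ACK or SYN+FIN, while the negated iptables-save rule inverts the verdict of `--tcp-flags SYN,ACK SYN` packet by packet.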