On Wed, Jul 24, 2013 at 11:11:48PM +0200, Jozsef Kadlecsik wrote:
> On Wed, 24 Jul 2013, Pablo Neira Ayuso wrote:
> > But this does not:
> >
> > --to-source 1.1.1.1-1.1.1.10:telnet-http
> > iptables v1.4.19.1: SNAT: Bad value for "--to" option:
> > "1.1.1.1-1.1.1.10:telnet-ssh"
> >
> > I think it should, for consistency (even if I have to confess that it
> > looks a bit ugly to me).
> >
> > If you decide to address this and send me a new version to support
> > this, then it would be also good to update the manpage to say that we
> > support services starting 1.4.20.
>
> That is still ambiguous - there are service names with dash. So I suggest
> to support the notation '[name-with-dash]' in order to explicitly express
> and handle such cases.

Or perhaps as an alternative, we don't allow more than one port if one
wishes to use service names? It seems the port parser is going to get
so complicated it will lead to bugs. Particularly since ip6tables uses
[ ] for addresses to disambiguate them from the :port section. Now we'd
have to be able to handle multiple [] arguments.

So these would be acceptable:

:22-23
:ssh
:wap-push (port 2948)

this would not:

:ssh-telnet

Phil
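
The rule proposed in the reply above, sketched in C as an added example; it is not part of the original message and not iptables code. The names `parse_port_spec` and `parse_num` are hypothetical, the small table is a constructed stand-in for the services database, and service names are assumed to begin with a non-digit.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for /etc/services so the example runs offline. */
static const struct { const char *name; unsigned port; } services[] = {
    { "ssh", 22 }, { "telnet", 23 }, { "http", 80 }, { "wap-push", 2948 },
};

/* Parse one decimal port in [0, 65535]; *end is set just past the digits. */
static int parse_num(const char *s, const char **end, unsigned *port)
{
    char *e;
    unsigned long v;

    if (!isdigit((unsigned char)*s))    /* no sign, no leading whitespace */
        return -1;
    errno = 0;
    v = strtoul(s, &e, 10);
    if (errno || v > 65535)
        return -1;
    *end = e;
    *port = (unsigned)v;
    return 0;
}

/* Hypothetical helper: returns 0 and fills lo/hi, or -1 on a bad spec. */
int parse_port_spec(const char *spec, unsigned *lo, unsigned *hi)
{
    const char *p;
    size_t i;

    if (isdigit((unsigned char)*spec)) {    /* numeric form: N or N-M */
        if (parse_num(spec, &p, lo))
            return -1;
        *hi = *lo;
        if (*p == '-' && parse_num(p + 1, &p, hi))
            return -1;
        return (*p == '\0' && *lo <= *hi) ? 0 : -1;
    }
    /* Otherwise the whole string is ONE service name, dashes included. */
    for (i = 0; i < sizeof(services) / sizeof(services[0]); i++)
        if (strcmp(spec, services[i].name) == 0) {
            *lo = *hi = services[i].port;
            return 0;
        }
    return -1;    /* "ssh-telnet" ends here: no service has that name */
}
```

Because a dash is only ever a range separator between two numbers, the parser never has to guess where a service name ends, and no bracket notation is needed.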