Re: the impossible "iptables -C" option

On Sat, 2004-07-24 at 03:56, Antony Stone wrote:
>
> I understand it to mean "check what would happen to a packet of this type if 
> it went through the ruleset"

Yup, that's what it did under ipchains. :)

> > What is "packet payload"? How does it make the "--check" option impossible
> > to be implemented?
> 
> It makes it impossible to implement --check because there's no way to provide 
> the payload on the command line.

Not quite true as you would just use a string match, same as you would in
a filtering rule.

The problem is a majority of the time check would end up reporting "it
depends". For example, what if you try and check what would happen to "a
packet coming from the Internet to an internal system from 22/TCP to an
upper port number, with the ACK flag set and "foo" in the payload". You
may not have a rule that specifically lets this traffic through, but it
might actually pass if it ends up being a state match due to an initial
outbound SYN packet. So how iptables would handle this packet "depends"
on what traffic went by prior to it.

The check option has said it would be implemented "real soon now" since
iptables was alpha code. I'm guessing the option will never happen. It's
just a carry-over from ipchains. ;-)

HTH,
C
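Added example, not from the thread: a small Python model of the "it depends" point above, with a constructed two-rule chain (an ESTABLISHED accept plus outbound ssh) and a toy conntrack table, showing that the same inbound packet gets a different verdict depending on whether an outbound SYN went by first. The packet fields, rule shapes and port numbers are assumptions.

```python
from collections import namedtuple

# direction: "in" = from the Internet, "out" = to the Internet (constructed model)
Packet = namedtuple("Packet", "direction proto sport dport flags payload", defaults=[b""])

def flow_key(pkt):
    # (proto, local port, remote port): a reply maps onto its originating flow
    if pkt.direction == "out":
        return (pkt.proto, pkt.sport, pkt.dport)
    return (pkt.proto, pkt.dport, pkt.sport)

def state_of(flows, pkt):
    # what "-m state" would see: the flow is already known, or the packet is NEW
    return "ESTABLISHED" if flow_key(pkt) in flows else "NEW"

def observe(flows, pkt):
    # an accepted outbound SYN creates the connection entry, as conntrack does
    if pkt.direction == "out" and pkt.proto == "tcp" and "SYN" in pkt.flags:
        flows.add(flow_key(pkt))

# Toy chain, first match wins, policy DROP. No rule explicitly accepts the
# inbound packet below; only the state rule can let it through.
RULES = [
    (lambda p, st: st == "ESTABLISHED", "ACCEPT"),   # -m state --state ESTABLISHED
    (lambda p, st: p.direction == "out" and p.proto == "tcp" and p.dport == 22,
     "ACCEPT"),                                       # outbound ssh allowed
]

def verdict(flows, pkt):
    st = state_of(flows, pkt)
    for pred, target in RULES:
        if pred(pkt, st):
            if target == "ACCEPT":
                observe(flows, pkt)
            return target
    return "DROP"   # chain policy

def check(history, pkt):
    # replay prior traffic through the chain, then ask what happens to pkt
    flows = set()
    for h in history:
        verdict(flows, h)
    return verdict(flows, pkt)

# The packet from the mail: inbound from 22/TCP to a high port, ACK set, "foo" in payload.
INBOUND_ACK = Packet("in", "tcp", 22, 40123, frozenset({"ACK"}), b"...foo...")
OUTBOUND_SYN = Packet("out", "tcp", 40123, 22, frozenset({"SYN"}))
```

With an empty history the packet hits the DROP policy; after the outbound SYN the same packet is ESTABLISHED and is accepted, which is exactly why a one-packet check cannot give a single answer.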