Re: intrapositioned and extrapositioned negation

[Mart Frauenlob <mart.frauenlob@xxxxxxxxx>]

netfilter-owner@xxxxxxxxxxxxxxx wrote:
> Mart Frauenlob wrote:
>  
> > Mart Frauenlob wrote:
> >    
> > > Hello,
> > >
> > > today I installed iptables 1.4.5 and discovered my ruleset produces
> > > those warnings about intrapositioned  negation:
> > > Using intrapositioned negation (`--option ! this`) is deprecated in
> > > favor of extrapositioned (`! --option this`).
> > >
> > > I haven't completely looked up the changelogs, but from what I've
> > > found on the internet, this was introduced with 1.4.3.1, right?
> > >
> > > However, my ruleset is automatically generated by a self written shell
> > > script, which I now need to change.
> > > It needs to work with any 2.6 kernel and with 2.4 kernels supporting
> > > iptables.
> > > As my testing options (hardware, time) are limited, I'm asking if
> > > someone knows:
> > >
> > > Will 2.4 kernels and older iptables versions accept the
> > > extrapositioned (`! --option this`) notation?
> > > If so, I can rewrite my script to always use extrapositioned syntax.
> > > Lot's of work, but ok...
> > >
> > > If not, what kernel / iptables versions do only understand the old
> > > deprecated way?
> > > So I can query for them and take the appropriate steps.
> > >
> > > Thanks a lot!
> > >       
> > Nobody knows?
> > Well, I've found some old virtual machines, tested it with debian woody
> > and sarge, using kernel 2.4.18.bf2-4 and 2.6.18 and extrapositioned
> > negation does not seem to cause problems.
> > Am I right to assume, that all 2.4 kernels with iptables support - DON'T
> > have troubles using extrapositioned negation???
> >     
>
> The kernel doesn't care about how you specify negation, its purely
> a userspace thing. So yes, it should work properly on any kernel
> version.
>   

Hello netfilter-owner@xxxxxxxxxxxxxxx :)

thanks for pointing that out.
In my second post I forgot to ask about the compatible iptables version.
The lowest version I tested on debian woody is: 1.2.6a.
Rephrased, do I have to expect problems using extrapositioned negation 
on older iptables versions?

Sidenote to the devels ;-P :
The man page has documented intrapositioned negation for years, this is 
the only note in the changelog for 1.4.3.2:
> iptables: print negation extrapositioned
>   

It's like with the DROP in the nat table, a short note in the change 
log, and the whole world has to find out what's going on, and change 
their programs/scripts.
Imho, changes like those should be worth a few explaining sentences.

Thanks and regards


Mart

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html