Jan Engelhardt wrote, On 2011-11-08 17:44:
> On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
> > sim@xxxxxxxxxxx wrote, On 2011-11-08 17:16:
> > > What's the effect of this rule on a multihomed box
> > > (the IPs below are just some examples, not real):
> > >
> > > iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
> > >
> > > The newest version of iptables says:
> > > iptables v1.4.12.1: ! not allowed with multiple source or destination IP addresses
> >
> > Oh, one wonders why they did so...
>
> Because it leads to a confusing result.
>
> ! -d a,b,c
>
> could be reasonably interpreted as
>
> ! -d a && ! -d b && ! -d c
>
> but because using "," in -s/-d means a simple rule expansion, it
> actually generates an equivalent of
>
> ! -d a || ! -d b || ! -d c
But OR'ing them IMHO doesn't make much sense, just think about it.
I would suggest ANDing them.
Look, a normal rule like this one

iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

matches only if every single part of it matches (i.e. AND).
Then in our negation case above it should behave similarly,
and not switch to OR.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
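To make the "confusing result" concrete, here is a small model (added here, not code from the thread or from iptables) of how the comma-separated `! -d a,b` rule is expanded into one negated rule per address and then evaluated first-match-wins, compared with the ANDed reading the poster expected. The addresses and sample destinations are the constructed examples from the original question.

```python
import ipaddress

# Constructed rule-set: '! -d 1.2.3.4,2.3.4.5 -j DROP' expanded the way
# older iptables did it, i.e. one separate negated rule per address.
LOCAL = ["1.2.3.4", "2.3.4.5"]
SAMPLE_DSTS = ["1.2.3.4", "2.3.4.5", "9.9.9.9"]   # constructed packets


def expand_negated_dst(addresses, target="DROP"):
    """Model the expansion: '! -d a,b' becomes ['! -d a -j T', '! -d b -j T']."""
    return [{"neg": True, "dst": ipaddress.ip_address(a), "target": target}
            for a in addresses]


def rule_matches(rule, dst):
    """A negated -d matches when the destination is NOT the listed address."""
    hit = ipaddress.ip_address(dst) == rule["dst"]
    return hit != rule["neg"]


def chain_verdict(rules, dst, policy="ACCEPT"):
    """Walk the chain like INPUT does: first matching rule decides."""
    for rule in rules:
        if rule_matches(rule, dst):
            return rule["target"]
    return policy


def anded_verdict(addresses, dst, policy="ACCEPT"):
    """The reading the poster wanted: drop only if dst is none of the addresses."""
    target = ipaddress.ip_address(dst)
    if all(target != ipaddress.ip_address(a) for a in addresses):
        return "DROP"
    return policy


def compare():
    """Return {dst: (verdict of expanded OR chain, verdict of ANDed reading)}."""
    rules = expand_negated_dst(LOCAL)
    return {d: (chain_verdict(rules, d), anded_verdict(LOCAL, d))
            for d in SAMPLE_DSTS}


if __name__ == "__main__":
    for dst, (expanded, intended) in compare().items():
        print(f"dst={dst:9} expanded(OR)={expanded:7} intended(AND)={intended}")
```

Because a packet can only be destined to one address, at least one of the expanded negated rules always matches, so the OR'ed expansion drops every packet, including those for the box's own addresses.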