Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

On Wed, 9 Nov 2011, Amos Jeffries wrote:

> On Tue, 08 Nov 2011 22:59:37 +0100, U.Mutlu wrote:
> > Jozsef Kadlecsik wrote, On 2011-11-08 21:22:
> > > On Tue, 8 Nov 2011, U.Mutlu wrote:
> > > 
> > > > Jan Engelhardt wrote, On 2011-11-08 17:44:
> > > > > On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
> > > > > 
> > > > > > sim@xxxxxxxxxxx wrote, On 2011-11-08 17:16:
> > > > > > > > What's the effect of this rule on a multihomed box
> > > > > > > > (the IPs below are just some examples, not real):
> > > > > > > > 
> > > > > > > >      iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
> > > > > > > > 
> > > > > > > 
> > > > > > > the newest version of iptables says:
> > > > > > > 
> > > > > > > iptables v1.4.12.1: ! not allowed with multiple source or
> > > > > > > destination IP
> > > > > > > addresses
> > > > > > 
> > > > > > Oh, one wonders why they did so...
> > > > > 
> > > > > Because it leads to a confusing result.
> > > > > 
> > > > > 	! -d a,b,c
> > > > > 
> > > > > could be reasonably interpreted as
> > > > > 
> > > > > 	! -d a && ! -d b && ! -d c
> > > > > 
> > > > > but because using "," in -s/-d means a simple rule expansion, it
> > > > > actually generates an equivalent of
> > > > > 
> > > > > 	! -d a || ! -d b || ! -d c
> > > > 
> > > > But OR'ing them IMHO doesn't make much sense, just think about it.
> > > > I would suggest to AND them.
> > > > Look, a normal rule like this one
> > > >    iptables -A INPUT -m state --state NEW -p tcp --dport  80 -j ACCEPT
> > > > matches only if every single part of it matches (ie. AND).
> > > > Then in our negation case above it should behave similar,
> > > > and not switch to OR.
> > > 
> > > The matches are AND-ed. However the individual matches may generate OR
> > > conditions, like multiport.
> > > 
> > > What you suggest means that while
> > > 
> > > 	-d a,b
> > > 
> > > is interpreted as "a" OR "b", then
> > > 
> > > 	! -d a,b
> > > 
> > > should be interpreted as NOT "a" AND NOT "b".
> > > 
> > > I think that'd be pretty confusing.
> 
> As opposed to interpreting both as "any of this set":
> 
>  (a OR b)
> versus
>   NOT (a OR b)
> 
> Which can be stated in the docs.

But the latter is not possible due to the implementation: the matches in a 
rule form AND conditions while rules do OR conditions. The list of IP 
addresses in "-d" and "-s" is just a shorthand notation and is exploded 
into that many elementary rules.

So the condition "-d a,b" is equivalent to "-d a OR -d b" which is exactly 
the two rules generated from the single one. However if "! -d a,b" is to 
be interpreted as "NOT (-d a OR -d b)", that is actually "(NOT -d a) AND 
(NOT -d b)" which just cannot be exploded into two rules.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
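The expansion Jozsef describes can be made concrete with a small model. The code below is an added illustration, not code from iptables or the netfilter project: a toy matcher that understands only a single `-d` (or `! -d`) address per elementary rule, expands a comma-separated list the way iptables does (one rule per address, the negation copied onto each), and evaluates a chain first-match-wins. It shows that the expanded `! -d a,b` drops everything, including packets to `a` and `b`, because `(NOT a) OR (NOT b)` is always true. The final function is an assumption going beyond the thread: the intended `NOT (a OR b)` written with positive matches in a user-defined chain, each address hitting `RETURN` and an unconditional `DROP` at the end.

```python
"""Toy model of how iptables explodes a comma-separated -d list into rules.

Added example; not netfilter code. It handles exact IPv4 strings only and
ignores every other match (-p, -m state, ...), which is enough to show the
OR-versus-AND problem discussed in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    dst: Optional[str]   # destination address; None means "match any packet"
    negate: bool         # True for "! -d"
    target: str          # verdict when the rule matches, e.g. "DROP"

    def matches(self, packet_dst: str) -> bool:
        hit = self.dst is None or packet_dst == self.dst
        return (not hit) if self.negate else hit


def expand(dst_list: str, negate: bool, target: str) -> List[Rule]:
    """What iptables does with '-d a,b': one elementary rule per address.
    The '!' is simply copied onto every generated rule."""
    return [Rule(d.strip(), negate, target) for d in dst_list.split(",")]


def evaluate(chain: List[Rule], packet_dst: str, policy: str = "ACCEPT") -> str:
    """Rules in a chain OR together: the first match decides, else the policy."""
    for rule in chain:
        if rule.matches(packet_dst):
            return rule.target
    return policy


# Constructed sample addresses, taken from the thread's own example.
LISTED = "1.2.3.4,2.3.4.5"


def verdict_expanded(packet_dst: str) -> str:
    """'! -d 1.2.3.4,2.3.4.5 -j DROP' after expansion: (NOT a) OR (NOT b)."""
    return evaluate(expand(LISTED, negate=True, target="DROP"), packet_dst)


def verdict_intended(packet_dst: str) -> str:
    """What the poster meant: NOT (a OR b), i.e. drop anything not in the set."""
    allowed = {d.strip() for d in LISTED.split(",")}
    return "ACCEPT" if packet_dst in allowed else "DROP"


def verdict_subchain(packet_dst: str) -> str:
    """Assumed workaround, not from the thread: a user-defined chain with a
    positive '-d x -j RETURN' per address followed by an unconditional DROP.
    RETURN hands the packet back to the caller, modelled here as ACCEPT."""
    chain = expand(LISTED, negate=False, target="RETURN") + [Rule(None, False, "DROP")]
    verdict = evaluate(chain, packet_dst)
    return "ACCEPT" if verdict == "RETURN" else verdict


if __name__ == "__main__":
    for dst in ("1.2.3.4", "2.3.4.5", "9.9.9.9"):
        print(dst, verdict_expanded(dst), verdict_intended(dst), verdict_subchain(dst))
```

Running it prints `DROP` in the "expanded" column for all three addresses, which is the confusing outcome the newer iptables refuses with its "! not allowed with multiple source or destination IP addresses" error; the intended and sub-chain columns agree with each other, accepting only the two listed destinations.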
