On Wed, 9 Nov 2011, Amos Jeffries wrote:

> On Tue, 08 Nov 2011 22:59:37 +0100, U.Mutlu wrote:
> > Jozsef Kadlecsik wrote, On 2011-11-08 21:22:
> > > On Tue, 8 Nov 2011, U.Mutlu wrote:
> > >
> > > > Jan Engelhardt wrote, On 2011-11-08 17:44:
> > > > > On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
> > > > >
> > > > > > sim@xxxxxxxxxxx wrote, On 2011-11-08 17:16:
> > > > > > > > What's the effect of this rule on a multihomed box
> > > > > > > > (the IPs below are just some examples, not real):
> > > > > > > >
> > > > > > > > iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
> > > > > > >
> > > > > > > the newest version of iptables says:
> > > > > > >
> > > > > > > iptables v1.4.12.1: ! not allowed with multiple source or
> > > > > > > destination IP addresses
> > > > > >
> > > > > > Oh, one wonders why they did so...
> > > > >
> > > > > Because it leads to a confusing result.
> > > > >
> > > > > ! -d a,b,c
> > > > >
> > > > > could be reasonably interpreted as
> > > > >
> > > > > ! -d a && ! -d b && ! -d c
> > > > >
> > > > > but because using "," in -s/-d means a simple rule expansion, it
> > > > > actually generates an equivalent of
> > > > >
> > > > > ! -d a || ! -d b || ! -d c
> > > >
> > > > But OR'ing them IMHO doesn't make much sense, just think about it.
> > > > I would suggest to AND them.
> > > > Look, a normal rule like this one
> > > > iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
> > > > matches only if every single part of it matches (ie. AND).
> > > > Then in our negation case above it should behave similar,
> > > > and not switch to OR.
> > >
> > > The matches are AND-ed. However the individual matches may generate OR
> > > conditions, like multiport.
> > >
> > > What you suggest means that while
> > >
> > > -d a,b
> > >
> > > is interpreted as "a" OR "b", then
> > >
> > > ! -d a,b
> > >
> > > should be interpreted as NOT "a" AND NOT "b".
> > >
> > > I think that'd be pretty confusing.
> > As opposed to interpreting both as "any of this set":
>
> (a OR b)
> versus
> NOT (a OR b)
>
> Which can be stated in the docs.

But the latter is not possible due to the implementation: the matches in a
rule form AND conditions while rules do OR conditions. The list of IP
addresses in "-d" and "-s" is just a shorthand notation and is exploded into
that many elementary rules. So the condition "-d a,b" is equivalent to
"-d a OR -d b" which is exactly the two rules generated from the single one.
However if "! -d a,b" is to be interpreted as "NOT (-d a OR -d b)", that is
actually "(NOT -d a) AND (NOT -d b)" which just cannot be exploded into two
rules.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
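Added illustration, not part of the thread and not iptables code: a small Python model of the rule explosion Jozsef describes. It applies the "-d a,b" shorthand the way old iptables did, both with and without "!", and shows on constructed sample packets (the two addresses from the example rule plus one non-local address) why the exploded "! -d a,b" drops everything. It also models the intended "NOT (a OR b)" using a user-defined chain with RETURN targets, which relies on standard iptables chain semantics and is my assumption about how an administrator would express that condition, not something the thread itself proposes.

```python
"""Model of iptables' '-d a,b' rule explosion and why '! -d a,b' cannot
be expressed the same way.  Illustration for the netfilter thread; the
chain/verdict model is deliberately minimal and is not iptables code."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One elementary rule: an optional '-d <addr>' match plus a target."""
    dst: Optional[str]   # None means "match any destination"
    negate: bool         # True models "! -d <addr>"
    target: str          # "DROP", "ACCEPT" or "RETURN"

    def matches(self, packet_dst: str) -> bool:
        if self.dst is None:
            return True
        hit = packet_dst == self.dst
        return (not hit) if self.negate else hit


def expand(dst_list: List[str], negate: bool, target: str) -> List[Rule]:
    """The '-d a,b' shorthand: one elementary rule per address.
    Old iptables applied the same explosion to '! -d a,b', which is the
    behaviour the thread calls confusing."""
    return [Rule(d, negate, target) for d in dst_list]


def run_chain(rules: List[Rule], packet_dst: str, policy: str = "ACCEPT") -> str:
    """Rules are OR-ed: the first match decides.  RETURN hands control back
    to the calling chain; in this model the caller has no further rules,
    so a RETURN ends in the chain policy."""
    for rule in rules:
        if rule.matches(packet_dst):
            return policy if rule.target == "RETURN" else rule.target
    return policy


def verdicts(rules: List[Rule], packets: List[str]) -> Dict[str, str]:
    """Verdict for each packet destination under the given rule list."""
    return {p: run_chain(rules, p) for p in packets}


# Constructed sample values: the two local addresses used in the thread's
# example rule, plus one address that is not local to the box.
LOCAL = ["1.2.3.4", "2.3.4.5"]
PACKETS = LOCAL + ["9.9.9.9"]

# 1. "-d a,b -j DROP": the explosion yields (a OR b), which is what is wanted.
plain_or = expand(LOCAL, negate=False, target="DROP")

# 2. "! -d a,b -j DROP" exploded the same way yields (NOT a) OR (NOT b).
#    That is true for every possible destination, so every packet is dropped.
negated_or = expand(LOCAL, negate=True, target="DROP")

# 3. What the rule's author meant: NOT (a OR b) = (NOT a) AND (NOT b), i.e.
#    drop only packets addressed to neither local address.  Two elementary
#    rules in one chain cannot express this.  A user-defined chain that
#    RETURNs on each local address and drops whatever is left can (assumed
#    standard iptables semantics, roughly: iptables -N notlocal;
#    iptables -A notlocal -d 1.2.3.4 -j RETURN; ...; iptables -A notlocal -j DROP).
intended = [Rule(d, False, "RETURN") for d in LOCAL] + [Rule(None, False, "DROP")]


if __name__ == "__main__":
    for name, rules in (("-d a,b -j DROP", plain_or),
                        ("exploded ! -d a,b -j DROP", negated_or),
                        ("NOT (a OR b) via RETURN chain", intended)):
        print(f"{name:32s} {verdicts(rules, PACKETS)}")
```

Running it shows the second rule set dropping all three sample packets, including the non-local one it was meant to single out, while the RETURN-chain variant drops only 9.9.9.9; that gap is the "confusing result" the thread refers to and the reason the newer iptables rejects "!" with an address list outright.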