Re: osf match, --ttl & --log options missing in iptables[-save] [-[L|S]]

On 27.12.2012 07:25, Born Without wrote:
Hello list!


# $IPTABLES -N FOO
# $IPTABLES -A FOO -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1
# $IPTABLES -S FOO
-N FOO
-A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows

kernel: 3.2.35
iptables: 1.4.16.3


iptables -[L|S] and iptables-save seem to miss the --ttl and --log options.
Therefore on restore, those settings get omitted.
Looks like a bug to me!? If so, should I report it to some bug-tracker
or so?


Yet another thing with osf that I noticed:

(installed vanilla 3.7.1 kernel to test)

Using this test ruleset to collect probes to my firewall's external interface, which does not allow any NEW (ctstate) connection, then divide them into Windows and non-Windows hosts:

$IPSET create other_probers hash:ip
$IPSET create windows_probers hash:ip
$IPTABLES -N PROBERS
$IPTABLES -A PROBERS -m set --match-set windows_probers src -j RETURN
$IPTABLES -A PROBERS -m set --match-set other_probers src -j RETURN
$IPTABLES -A PROBERS -p tcp -m osf --genre Windows --ttl 1 -j SET --add-set windows_probers src
$IPTABLES -A PROBERS -p tcp -m osf ! --genre Windows --ttl 1 -j SET --add-set other_probers src
$IPTABLES -I INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -j PROBERS


The result is that the two rules, the one with '--genre' and the one with the negated '! --genre', always both match, though of course that should not be.
The two sets always contain the same IP addresses.
So the negation is not working at all.

iptables -vS output:
-A PROBERS -m set --match-set windows_probers src -c 4 192 -j RETURN
-A PROBERS -m set --match-set other_probers src -c 0 0 -j RETURN
-A PROBERS -p tcp -m osf --genre Windows -c 4 192 -j SET --add-set windows_probers src
-A PROBERS -p tcp -m osf --genre ! Windows -c 4 192 -j SET --add-set other_probers src


The other thing is:

The man page says it operates on SYN packets.
When I reduce the match using '-m tcp --syn', nothing gets matched by osf anymore.

Best regards
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
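An added example, not part of the thread above and not netfilter project code: a small POSIX sh helper for checking whether a match's options survive the iptables round trip that the report describes. It normalises the osf part of a rule as typed and of the same rule as printed by iptables -S or iptables-save, accepting both negation spellings that appear in the post ("! --genre X" as entered, "--genre ! X" as -S prints it), and lists the fields that differ. The rule strings at the bottom are constructed from the report's own output; the round_trip function, the scratch chain name and the sed/cut usage are this example's assumptions, and the live round trip only runs when iptables is present and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the thread): detect osf match options that are
# dropped by iptables-save / iptables -S and would therefore be lost on restore.

# osf_summary RULE
# Print the osf match of RULE normalised to "genre=<!?NAME> ttl=<N|-> log=<N|->".
# Negation is recognised both as "! --genre X" (as typed) and "--genre ! X"
# (as iptables -S prints it in the report above).
osf_summary() {
    set -- $1
    neg=""; genre="-"; ttl="-"; log="-"
    while [ $# -gt 0 ]; do
        case $1 in
            '!') neg="!" ;;
            --genre)
                if [ "$2" = "!" ]; then neg="!"; shift; fi
                genre="$neg$2"; neg=""; shift ;;
            --ttl) ttl=$2; shift ;;
            --log) log=$2; shift ;;
            *) neg="" ;;   # any other token ends a pending "!"
        esac
        [ $# -gt 0 ] && shift
    done
    printf 'genre=%s ttl=%s log=%s\n' "$genre" "$ttl" "$log"
}

# lost_osf_options INTENDED SAVED
# Compare the osf match as entered (INTENDED) with the rule as iptables printed
# it back (SAVED). Prints the fields of INTENDED that did not survive, or an
# empty line when the round trip preserved everything.
lost_osf_options() {
    a=$(osf_summary "$1"); b=$(osf_summary "$2")
    changed=""
    for f in 1 2 3; do
        x=$(echo "$a" | cut -d' ' -f"$f"); y=$(echo "$b" | cut -d' ' -f"$f")
        [ "$x" = "$y" ] || changed="${changed:+$changed }$x"
    done
    printf '%s\n' "$changed"
}

# round_trip RULE-ARGS...
# Live check (assumed helper, needs root and a kernel with xt_osf): add the rule
# to a scratch chain, read it back with iptables -S, delete the chain and report
# what was lost. Skipped with status 2 when iptables is missing or we are not root.
round_trip() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found, skipping"; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "not root, skipping live check"; return 2; }
    chain="OSFCHK$$"                     # assumed scratch chain name
    iptables -N "$chain" || return 2
    iptables -A "$chain" "$@" || { iptables -X "$chain"; return 2; }
    saved=$(iptables -S "$chain" | sed -n '2p')   # line 1 is "-N chain"
    iptables -F "$chain"; iptables -X "$chain"
    lost_osf_options "-A $chain $*" "$saved"
}

# Offline demonstration using the rule and the -S output quoted in the report
# (constructed from the post, not captured here).
lost_osf_options \
    '-A FOO -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1' \
    '-A FOO -p tcp -m tcp --dport 445 -m osf --genre Windows'
# prints: ttl=1 log=1
```

To test a live system, call for example round_trip -p tcp --dport 445 -m osf --genre Windows --ttl 1 --log 1 as root; an empty line means the installed iptables serialises those options, anything else is what iptables-restore would silently drop.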

