On Sun, Dec 15, 2013 at 08:06:24PM +0300, ZenSecurity wrote:
> Kernel version: Linux lab 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64
> GNU/Linux
>
> # iptables -t nat -L
> DNAT tcp -- domain.com anywhere owner GID match
> usergroup to: X.X.X.X:80
>
> Rule:
> iptables -t nat -A OUTPUT -o eth0 -p tcp -s X.X.X.X -m owner --gid-owner
> usergroup -j DNAT --to-destination X.X.X.X:80;
>
> Doesn't match (usergroup exists).

Works fine here, on kernel.org kernel.

[root@f20_main ~]# uname -r
3.13.0-rc1+
[root@f20_main ~]# iptables -t nat -A OUTPUT -m owner --gid-owner 1000
[root@f20_main ~]# su - phil
[phil@f20_main ~]$ id
uid=1000(phil) gid=1000(phil) groups=1000(phil)
[phil@f20_main ~]$ ping -c1 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=1.02 ms

--- 10.10.10.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.022/1.022/1.022/0.000 ms
[phil@f20_main ~]$ logout
[root@f20_main ~]# iptables -t nat -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1000

I suggest filing a bug with Debian bugzilla if you suspect a problem in a Debian kernel.

Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
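Phil's check is to add the bare `--gid-owner` rule, send one packet as that group, and read the rule's counters in `iptables -t nat -nvL OUTPUT`. As an added example that is not part of the thread, here is a small Python parser for that counter listing so the "did the owner rule count a packet?" check can be scripted; the embedded listing is the one from Phil's session, re-typed as a constructed sample, and the protocol-name list used to detect a blank target column is my own assumption.

```python
import re

# Constructed sample: the `iptables -t nat -nvL OUTPUT` listing from the thread.
SAMPLE_LISTING = """\
Chain OUTPUT (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1000
"""

HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
# Assumed set of protocol names that can appear in the 'prot' column; used to
# tell a blank target column (rule added without -j) from a real target name.
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "ipv6-icmp", "esp", "ah", "sctp"}

def parse_chain(listing):
    """Parse one `iptables -nvL` chain listing into policy counters and rule dicts.

    The free-form match text after the destination column (e.g. 'owner GID
    match 1000') is kept in the 'match' key. A rule with no -j has target ''.
    """
    lines = listing.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an iptables -nvL chain listing")
    chain = {"name": m.group(1), "policy": m.group(2),
             "policy_pkts": int(m.group(3)), "policy_bytes": int(m.group(4)),
             "rules": []}
    for line in lines[2:]:  # lines[1] is the column header
        fields = line.split()
        if not fields:
            continue
        pkts, nbytes, rest = int(fields[0]), int(fields[1]), fields[2:]
        # Blank target column: the third field is already the protocol.
        target = "" if (rest[0] in PROTOS or rest[0].isdigit()) else rest.pop(0)
        proto, opt, in_if, out_if, src, dst = rest[:6]
        chain["rules"].append({"pkts": pkts, "bytes": nbytes, "target": target,
                               "prot": proto, "in": in_if, "out": out_if,
                               "source": src, "destination": dst,
                               "match": " ".join(rest[6:])})
    return chain

def owner_rule_hit(listing, gid):
    """Packet count of the first rule matching 'owner GID match <gid>', or None
    if the listing has no such rule (so a zero means the rule is present but
    never matched, the symptom reported in the thread)."""
    for rule in parse_chain(listing)["rules"]:
        if f"owner GID match {gid}" in rule["match"]:
            return rule["pkts"]
    return None
```

Feed it the output of `iptables -t nat -nvL OUTPUT` captured before and after generating traffic as the target group; a count that stays at zero while the chain's policy counter rises is the case worth reporting.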