Roger Price wrote:
> On Sun, 22 Nov 2015, Pascal Hambourg wrote:
>
>> No, it means to match anything but TCP. There are many other protocols
>> than TCP, UDP and ICMP.
>
> Aha! Does this mean that chapter 10.1 of the iptables tutorial at
> https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#GENERICMATCHES
> is both syntactically and semantically wrong?

I'm afraid yes. I had read this tutorial but hadn't spotted this big
mistake. I wonder where it comes from. I have searched in early releases
of iptables, but "all" or 0 has consistently meant "all", not just TCP,
UDP and ICMP.

> Quoting: << ALL means that it matches only TCP, UDP and ICMP. If this
> match is given the integer value of zero (0), it means ALL protocols,
> which in turn is the default behavior, if the --protocol match is not
> used. This match can also be inversed with the ! sign, so --protocol ! tcp
> would mean to match UDP and ICMP. >>
>
> Should this say:
>
> << ALL matches every protocol given in /etc/protocols, i.e. all protocols
> in the interval (0..255). ALL is the default behaviour and can also be
> specified by writing 0 (zero). The match may be reversed by writing "!
> --protocol x" which means all the 256 protocol numbers except x. E.g. "!
> -p tcp" means the protocols in intervals (0..5) and (7..255). >>

Yes, or just quote the relevant part of the manpage:

    [!] -p, --protocol protocol
        The protocol of the rule or of the packet to check. The specified
        protocol can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah,
        sctp, mh or the special keyword "all", or it can be a numeric
        value, representing one of these protocols or a different one. A
        protocol name from /etc/protocols is also allowed. A "!" argument
        before the protocol inverts the test. The number zero is
        equivalent to all. "all" will match with all protocols and is
        taken as default when this option is omitted. Note that, in
        ip6tables, IPv6 extension headers except esp are not allowed. esp
        and ipv6-nonext can be used with Kernel version 2.6.11 or later.
        The number zero is equivalent to all, which means that you cannot
        test the protocol field for the value 0 directly. To match on a
        HBH header, even if it were the last, you cannot use -p 0, but
        always need -m hbh.

> If people have believed the tutorial and used "! -p icmp" as a shorthand
> for "TCP and UDP", then they will be letting through more than they
> expect.

Bottom line: do not trust tutorials too much. Read the manpage.
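As an added illustration of the point made in this thread (this is not code from the thread or from iptables), the following Python models the -p/--protocol match semantics from the manpage, including the "!" inversion (both the "! -p x" and the older "-p ! x" spelling) and the "all"/0 keyword, and counts which IP protocol numbers a rule such as "! -p icmp" actually lets through. The protocol table is a constructed subset of /etc/protocols.

```python
import shlex

# Constructed subset of /etc/protocols: name -> IP protocol number.
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51,
             "icmpv6": 58, "sctp": 132, "udplite": 136}


def parse_protocol_match(rule):
    """Return (negated, protocol_number) for the -p/--protocol match of a rule.

    protocol_number is None for "all", which is also spelled 0 or obtained by
    omitting the option entirely (the manpage's default)."""
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens):
        if tok not in ("-p", "--protocol"):
            continue
        negated = i > 0 and tokens[i - 1] == "!"      # "! -p x"
        value = tokens[i + 1]
        if value == "!":                              # old syntax "-p ! x"
            negated, value = True, tokens[i + 2]
        if value in ("all", "0"):
            return negated, None
        if value in PROTOCOLS:
            return negated, PROTOCOLS[value]
        if value.isdigit() and 0 <= int(value) <= 255:
            return negated, int(value)
        raise ValueError(f"unknown protocol {value!r}")
    return False, None                                # no -p given: all


def matched_protocols(rule):
    """Set of IP protocol numbers (0..255) that the rule's -p match accepts."""
    negated, proto = parse_protocol_match(rule)
    everything = set(range(256))
    if proto is None:
        return set() if negated else everything       # inverting "all" leaves nothing
    return everything - {proto} if negated else {proto}


def accepted_by_ruleset(rules):
    """Union of the protocol numbers matched by a list of ACCEPT rules."""
    return set().union(*(matched_protocols(r) for r in rules))


if __name__ == "__main__":
    wrong = ["-A INPUT ! -p icmp -j ACCEPT"]          # meant as "TCP and UDP"
    right = ["-A INPUT -p tcp -j ACCEPT", "-A INPUT -p udp -j ACCEPT"]
    print(len(accepted_by_ruleset(wrong)), "protocols pass the '! -p icmp' rule")
    print(sorted(accepted_by_ruleset(right)), "pass the explicit tcp/udp rules")
```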