- Subject: Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)
- From: Jan Engelhardt <jengelh@xxxxxxxxxx>
- Date: Tue, 8 Nov 2011 17:44:33 +0100 (CET)
- Cc: netfilter@xxxxxxxxxxxxxxx
- In-reply-to: <j9bkr5$a5f$1@dough.gmane.org>
- User-agent: Alpine 2.01 (LNX 1266 2009-07-14)
On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
> sim@xxxxxxxxxxx wrote, On 2011-11-08 17:16:
>>> What's the effect of this rule on a multihomed box
>>> (the IPs below are just some examples, not real):
>>>
>>> iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
>>>
>>
>> the newest version of iptables says:
>>
>> iptables v1.4.12.1: ! not allowed with multiple source or destination IP
>> addresses
>
> Oh, one wonders why they did so...
Because it leads to a confusing result.
! -d a,b,c
could be reasonably interpreted as
! -d a && ! -d b && ! -d c
but because using "," in -s/-d means a simple rule expansion, it
actually generates an equivalent of
! -d a || ! -d b || ! -d c
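Added illustration, not part of the mail above: a small Python model of the expansion Jan describes, using the two example addresses from the quoted rule. It walks the expanded rules first-match-wins (no chain policy, no protocol match) and compares the result with the "not in set" reading a user probably intended.

```python
# Model of how a comma-separated -d list is expanded into separate rules,
# and why "! -d a,b" does not mean "destination not in {a, b}".
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    dst: str        # destination address this expanded rule tests
    negate: bool    # True when written as "! -d"
    target: str     # e.g. "DROP"


def expand(dsts: str, negate: bool, target: str = "DROP") -> List[Rule]:
    """Mimic iptables turning '-d a,b,c -j T' into one rule per address."""
    return [Rule(d.strip(), negate, target) for d in dsts.split(",")]


def first_match(rules: List[Rule], pkt_dst: str) -> Optional[str]:
    """Walk the chain in order; return the target of the first rule that matches."""
    for r in rules:
        # XOR applies the '!': an equal address matches unless negated,
        # a different address matches only when negated.
        if (pkt_dst == r.dst) != r.negate:
            return r.target
    return None  # no rule matched; the chain policy would decide


def verdict_expanded(dsts: str, pkt_dst: str, negate: bool = True) -> Optional[str]:
    """Verdict under the real expansion: '! -d a || ! -d b || ...'."""
    return first_match(expand(dsts, negate), pkt_dst)


def verdict_intended(dsts: str, pkt_dst: str) -> Optional[str]:
    """Verdict under the reading users expect: '! -d a && ! -d b && ...'."""
    allowed = {d.strip() for d in dsts.split(",")}
    return "DROP" if pkt_dst not in allowed else None


if __name__ == "__main__":
    dsts = "1.2.3.4,2.3.4.5"   # the example addresses from the quoted rule
    for dst in ("1.2.3.4", "2.3.4.5", "9.9.9.9"):
        print(dst, "expanded:", verdict_expanded(dsts, dst),
              "intended:", verdict_intended(dsts, dst))
```

A packet to 1.2.3.4 is dropped by the expanded rule `! -d 2.3.4.5`, so every destination ends up dropped; the non-negated form (`negate=False`) expands correctly because OR is the intended semantics there.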