Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)
|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
On Tue, 08 Nov 2011 22:59:37 +0100, U.Mutlu wrote:
Jozsef Kadlecsik wrote, On 2011-11-08 21:22:On Tue, 8 Nov 2011, U.Mutlu wrote:Jan Engelhardt wrote, On 2011-11-08 17:44:On Tuesday 2011-11-08 17:19, U.Mutlu wrote:sim@xxxxxxxxxxx wrote, On 2011-11-08 17:16:What's the effect of this rule on a multihomed box (the IPs below are just some examples, not real): iptables -A INPUT ! -d 22.214.171.124,126.96.36.199 -p all -j DROPthe newest version of iptables says:iptables v188.8.131.52: ! not allowed with multiple source or destination IPaddressesOh, one wonders why they did so...Because it leads to a confusing result. ! -d a,b,c could be reasonably interpreted as ! -d a&& ! -d b&& ! -d c but because using "," in -s/-d means a simple rule expansion, it actually generates an equivalent of ! -d a || ! -d b || ! -d cBut OR'ing them IMHO doesn't make much sense, just think about it. I would suggest to AND them. Look, a normal rule like this oneiptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPTmatches only if every single part of it matches (ie. AND). Then in our negation case above it should behave similar, and not switch to OR.The matches are AND-ed. However the individual matches may generate ORconditions, like multiport. What you suggest means that while -d a,b is interpreted as "a" OR "b", then ! -d a,b should be interpeted as NOT "a" AND NOT "b". I think that'd be pretty confusing.
As opposed to interpreting both as "any of this set": (a OR b) versus NOT (a OR b) Which can be stated in the docs.Confusion and clarity is just a matter of having the right description. A technical reason should be the only blocker here.
AYJ -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html