[Bug 561180] New: iptables -m recent ! (invert) does not work for --seconds --hitcount --rcheck contrary to the documentation
http://bugzilla.novell.com/show_bug.cgi?id=561180#c0

Summary: iptables -m recent ! (invert) does not work for --seconds --hitcount --rcheck contrary to the documentation
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: All
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: support@microtechniques.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=331235) --> (http://bugzilla.novell.com/attachment.cgi?id=331235)
Sample script to reproduce error.

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

man iptables documents ! --seconds, ! --hitcount, and ! --rcheck for the -m recent module. The command accepts the options but does not correctly implement them. I did not test the other options that are also supposed to support !. I have provided details for the --seconds option below, but --hitcount and --rcheck seem to fail in the same way.

Consider:

    echo "match recent seconds test"
    iptables -A dummy -o net1 -m recent --name testip --rdest --rcheck --seconds 60 -m comment --comment "normal" -j LOG --log-prefix "seconds normal "
    iptables -A dummy -o net1 -m recent --name testip --rdest --rcheck ! --seconds 60 -m comment --comment "inverted" -j LOG --log-prefix "seconds inverted "
    ping 10.168.1.16 -c 2
    iptables -L dummy -n -v

With two identical commands except the --seconds option in the second is inverted, the same packet should not match both rules. A dump of the chain, however, shows two IDENTICAL entries:

    2   168 LOG  all  --  *  net1  0.0.0.0/0  0.0.0.0/0  recent: CHECK seconds: 60 name: testip side: dest/* normal */ LOG flags 0 level 4 prefix `seconds normal '
    2   168 LOG  all  --  *  net1  0.0.0.0/0  0.0.0.0/0  recent: CHECK seconds: 60 name: testip side: dest/* inverted */ LOG flags 0 level 4 prefix `seconds inverted '

That they are, in fact, identical is verified by a trace:

    TRACE: filter:dummy:rule:2 IN= OUT=net1 SRC=10.168.1.11 DST=10.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=23566 SEQ=1 UID=0 GID=0
    seconds normal IN= OUT=net1 SRC=10.168.1.11 DST=10.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=23566 SEQ=1
    TRACE: filter:dummy:rule:3 IN= OUT=net1 SRC=10.168.1.11 DST=10.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=23566 SEQ=1 UID=0 GID=0
    seconds inverted IN= OUT=net1 SRC=10.168.1.11 DST=10.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=23566 SEQ=1
    TRACE: filter:dummy:return

The same packet - 23566 - matched both the normal and the inverted rule. The complete test script is attached as a separate file.

Reproducible: Always

Steps to Reproduce:
1. See script fragments above or attached sample script

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=561180

shuang qiu <sqiu@novell.com> changed:

    What        Removed                                     Added
    CC                                                      sqiu@novell.com
    AssignedTo  bnc-team-screening@forge.provo.novell.com   puzel@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=561180

Petr Uzel <puzel@novell.com> changed:

    What        Removed     Added
    Priority    P5 - None   P3 - Medium
    Status      NEW         ASSIGNED
http://bugzilla.novell.com/show_bug.cgi?id=561180#c1

Jan Engelhardt <jengelh@medozas.de> changed:

    What        Removed            Added
    CC                             jengelh@medozas.de
    AssignedTo  puzel@novell.com   jengelh@medozas.de

--- Comment #1 from Jan Engelhardt <jengelh@medozas.de> 2010-01-19 17:11:22 UTC ---

The manpage is not reflecting the kernel behavior here, which I will fix. xt_recent only has one global negation, but which can be enabled by giving it to at least one of --set, --rcheck, --update or --seconds.
http://bugzilla.novell.com/show_bug.cgi?id=561180#c2

--- Comment #2 from Don Hughes <support@microtechniques.com> 2010-01-19 17:17:37 UTC ---

Jan,

Even if it is only a single global negation, the same packet should not match both rules. I think there is more than just a documentation issue here.
http://bugzilla.novell.com/show_bug.cgi?id=561180#c3

Jan Engelhardt <jengelh@medozas.de> changed:

    What   Removed   Added
    CC               puzel@novell.com

--- Comment #3 from Jan Engelhardt <jengelh@medozas.de> 2010-01-19 17:26:35 UTC ---

! --seconds should clearly be rejected, but instead iptables just ignores the ! currently. Does that answer your implicit question?
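The behaviour described in the report and in Comments #1 and #3 can be made concrete with a small model. The following Python is an added illustration, not iptables or kernel code: it models xt_recent's single per-rule negation bit (Comment #1), a rule parser that either rejects `!` before `--seconds`/`--hitcount` (what Comment #3 says should happen) or silently drops it (the pre-fix behaviour the trace shows), and replays the report's two rules against a destination that was recorded in the table shortly before. The rule syntax is real; the table contents, addresses and timestamps are constructed, and the match logic is a simplified reading of the thread, not the kernel's code.

```python
# Added model of xt_recent's one global negation flag and of the two parser
# behaviours contrasted in the bug thread. Illustration only, not iptables code.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RecentRule:
    op: str = ""          # "set", "rcheck" or "update"
    seconds: int = 0      # 0 = no time window
    hitcount: int = 0     # 0 = any number of hits
    invert: bool = False  # xt_recent keeps exactly one negation bit per rule


class RuleError(ValueError):
    """Raised when the '-m recent' options are rejected at rule-load time."""


def parse_recent(tokens: List[str], strict: bool = True) -> RecentRule:
    """Parse the '-m recent' options of a rule.

    strict=True rejects '!' before --seconds / --hitcount (Comment #3's view);
    strict=False silently drops the '!', reproducing the pre-1.4.11 behaviour
    shown in the report (assumption: modelled, not copied from iptables).
    """
    rule = RecentRule()
    i = 0
    while i < len(tokens):
        negated = tokens[i] == "!"
        if negated:
            i += 1
        opt = tokens[i]
        if opt in ("--set", "--rcheck", "--update"):
            rule.op = opt[2:]
            rule.invert = rule.invert or negated     # the one global flag
            i += 1
        elif opt in ("--seconds", "--hitcount"):
            if negated and strict:
                raise RuleError(f"'!' is not allowed before {opt}")
            # lenient mode gets here with negated=True and simply loses it
            setattr(rule, opt[2:], int(tokens[i + 1]))
            i += 2
        elif opt == "--name":
            i += 2                                   # table name, not modelled
        elif opt in ("--rsource", "--rdest"):
            i += 1                                   # address side, not modelled
        else:
            raise RuleError(f"unknown option {opt}")
    if not rule.op:
        raise RuleError("one of --set, --rcheck or --update is required")
    return rule


def recent_match(table: Dict[str, List[int]], rule: RecentRule,
                 addr: str, now: int) -> bool:
    """Compute the positive answer for the operation, then flip it once if
    the invert bit is set. table maps address -> hit timestamps, newest first."""
    if rule.op == "set":
        table.setdefault(addr, []).insert(0, now)
        matched = True
    elif addr not in table:
        matched = False
    else:
        stamps = table[addr]
        in_window = [t for t in stamps if not rule.seconds or now - t <= rule.seconds]
        # --hitcount 0 means "at least one hit inside the window"
        matched = len(in_window) >= max(rule.hitcount, 1)
        if matched and rule.op == "update":
            stamps.insert(0, now)                    # --update refreshes the entry
    return matched != rule.invert


def replay_report(strict: bool) -> Tuple[bool, bool]:
    """The report's two rules against a destination recorded 10 s earlier.
    Returns (normal matched, inverted matched); both True is the reported bug."""
    table = {"10.168.1.16": [990]}                   # constructed: --set at t=990
    normal = parse_recent(["--rcheck", "--seconds", "60"], strict)
    inverted = parse_recent(["--rcheck", "!", "--seconds", "60"], strict)
    return (recent_match(table, normal, "10.168.1.16", 1000),
            recent_match(table, inverted, "10.168.1.16", 1000))


def strict_parser_rejects_report_rule() -> bool:
    try:
        replay_report(strict=True)
    except RuleError:
        return True
    return False


def replay_with_negation_on_rcheck() -> Tuple[bool, bool]:
    """Putting '!' on --rcheck sets the one negation bit, so the inverted
    rule no longer matches the same packet."""
    table = {"10.168.1.16": [990]}
    normal = parse_recent(["--rcheck", "--seconds", "60"])
    inverted = parse_recent(["!", "--rcheck", "--seconds", "60"])
    return (recent_match(table, normal, "10.168.1.16", 1000),
            recent_match(table, inverted, "10.168.1.16", 1000))


if __name__ == "__main__":
    print("lenient parser (pre-fix):", replay_report(strict=False))        # (True, True)
    print("strict parser rejects '! --seconds':", strict_parser_rejects_report_rule())
    print("'! --rcheck' instead:", replay_with_negation_on_rcheck())      # (True, False)
```

The point for anyone writing rate-limit or lockout rules with `-m recent`: a rule that silently loads with its negation dropped fails open, so after loading a ruleset that relies on `!`, dump the chain with `iptables -L -n -v` and confirm the listed match actually differs from its non-negated twin, as the reporter did above.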
http://bugzilla.novell.com/show_bug.cgi?id=561180#c4

--- Comment #4 from Don Hughes <support@microtechniques.com> 2010-01-19 21:11:34 UTC ---

Thanks. Hopefully that can be corrected. This is the type of bug that really bothers me - one where reasonable input yields incorrect/unexpected results without any indication of an error.
https://bugzilla.novell.com/show_bug.cgi?id=561180#c5

Jan Engelhardt <jengelh@medozas.de> changed:

    What         Removed    Added
    Status       ASSIGNED   RESOLVED
    Resolution              FIXED

--- Comment #5 from Jan Engelhardt <jengelh@medozas.de> 2011-06-01 00:01:05 UTC ---

Fixed in v1.4.11.
participants (1): bugzilla_noreply@novell.com