Package: iptables
Version: 1.4.11.1-2
Severity: normal
What's wrong:
[ibanez ~]sudo iptables -A OUTPUT ! --fragment -j LOG
iptables v1.4.11.1: cannot have ! before -f
Try `iptables -h' or 'iptables --help' for more information.
(Simple `! -f' causes the same error report.) This is contrary to
previous versions, and the manpage:
[!] -f, --fragment
    This means that the rule only refers to second and further
    fragments of fragmented packets. [...]
Digging at the source code reveals that the message comes from
iptables/iptables.c:set_option, which checks the `inverse_for_options'
vector. This is a rather grim affair which lists inverse flags for
various options, with comments explaining what each entry is meant to
be.
static const int inverse_for_options[NUMBER_OF_OPT] =
{
    [...]
    /* -i */ IPT_INV_VIA_IN,
    /* -o */ IPT_INV_VIA_OUT,
    /* -f */ IPT_INV_FRAG,
    /*--line*/ 0,
    /* -c */ 0,
};
Just above it is another table, also with a NUMBER_OF_OPT dimension,
and the table furniture commentary lists the corresponding options
again, but this time in a different order:
static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
/* Well, it's better than "Re: Linux vs FreeBSD" */
{
    /*   -n -s -d -p -j -v -x -i -o --line -c -f */
    [...]
Since OPT_FRAGMENT is defined as:
#define OPT_FRAGMENT 0x00800U
that corresponds to bit 11, which matches the second table. So it
looks to me like someone with fat fingers botched the order of the
entries in the inverse-flags table.
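The following C program is an added illustration written for this page; it is not code from the report or from the iptables source. It models the set_option() lookup the report points at: the option's bit position is used as an index into inverse_for_options, and a zero entry produces the "cannot have ! before" rejection. The OPT_* bit assignments follow the commands_v_options comment line quoted above (with OPT_FRAGMENT = 0x00800U as the report gives it); the IPT_INV_* values, the full contents of both tables, and the list of negatable options (taken from the manpage's "[!]" markers) are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added illustration, not iptables source. Option bits follow the
 * commands_v_options comment "-n -s -d -p -j -v -x -i -o --line -c -f";
 * OPT_FRAGMENT = 0x00800U as quoted in the report. IPT_INV_* values are
 * placeholders. */
#define OPT_NUMERIC     0x00001U   /* bit 0   -n */
#define OPT_SOURCE      0x00002U   /* bit 1   -s */
#define OPT_DESTINATION 0x00004U   /* bit 2   -d */
#define OPT_PROTOCOL    0x00008U   /* bit 3   -p */
#define OPT_JUMP        0x00010U   /* bit 4   -j */
#define OPT_VERBOSE     0x00020U   /* bit 5   -v */
#define OPT_EXPANDED    0x00040U   /* bit 6   -x */
#define OPT_VIANAMEIN   0x00080U   /* bit 7   -i */
#define OPT_VIANAMEOUT  0x00100U   /* bit 8   -o */
#define OPT_LINENUMBERS 0x00200U   /* bit 9   --line */
#define OPT_COUNTERS    0x00400U   /* bit 10  -c */
#define OPT_FRAGMENT    0x00800U   /* bit 11  -f */
#define NUMBER_OF_OPT   12

#define IPT_INV_SRCIP   0x01       /* placeholder inverse-flag values */
#define IPT_INV_DSTIP   0x02
#define IPT_INV_PROTO   0x04
#define IPT_INV_VIA_IN  0x08
#define IPT_INV_VIA_OUT 0x10
#define IPT_INV_FRAG    0x20

/* Entries in the order the report quotes from 1.4.11.1: the labels read
 * -i -o -f --line -c, so IPT_INV_FRAG lands at index 9 (the --line bit)
 * and index 11 (the -f bit) holds 0. */
static const int inverse_for_options_buggy[NUMBER_OF_OPT] = {
    /* -n */ 0,             /* -s */ IPT_INV_SRCIP,
    /* -d */ IPT_INV_DSTIP, /* -p */ IPT_INV_PROTO,
    /* -j */ 0,             /* -v */ 0,
    /* -x */ 0,             /* -i */ IPT_INV_VIA_IN,
    /* -o */ IPT_INV_VIA_OUT,
    /* -f */ IPT_INV_FRAG,  /* really index 9, the --line bit */
    /*--line*/ 0,           /* really index 10, the -c bit */
    /* -c */ 0,             /* really index 11, the -f bit */
};

/* Same entries placed at the bit index each option actually uses. */
static const int inverse_for_options_fixed[NUMBER_OF_OPT] = {
    /* -n */ 0,             /* -s */ IPT_INV_SRCIP,
    /* -d */ IPT_INV_DSTIP, /* -p */ IPT_INV_PROTO,
    /* -j */ 0,             /* -v */ 0,
    /* -x */ 0,             /* -i */ IPT_INV_VIA_IN,
    /* -o */ IPT_INV_VIA_OUT,
    /*--line*/ 0,
    /* -c */ 0,
    /* -f */ IPT_INV_FRAG,
};

/* Options the iptables(8) manpage marks "[!]"; used to audit a table. */
static const bool negatable[NUMBER_OF_OPT] = {
    false, true, true, true, false, false,   /* -n -s -d -p -j -v */
    false, true, true, false, false, true,   /* -x -i -o --line -c -f */
};

/* Model of set_option(): turn the option bit into its index, then look
 * up the inverse flag there. Returns 0 on success; -1 when the entry is
 * 0, which is where "cannot have ! before -X" is raised. */
static int set_option(const int *table, unsigned int option, bool invert,
                      unsigned int *invflags)
{
    unsigned int i;
    for (i = 0; i < NUMBER_OF_OPT && (1U << i) != option; i++)
        ;
    if (i == NUMBER_OF_OPT)
        return -1;                 /* not a recognised single-bit option */
    if (!invert)
        return 0;
    if (!table[i])
        return -1;
    *invflags |= (unsigned int)table[i];
    return 0;
}

/* Count indices where the table disagrees with the manpage: a nonzero
 * entry for a non-negatable option, or a zero one for a negatable one. */
static int table_mismatches(const int *table)
{
    int bad = 0;
    for (unsigned int i = 0; i < NUMBER_OF_OPT; i++)
        if ((table[i] != 0) != negatable[i])
            bad++;
    return bad;
}

int main(void)
{
    unsigned int inv = 0;
    int r = set_option(inverse_for_options_buggy, OPT_FRAGMENT, true, &inv);
    printf("buggy table, '! -f': %s\n", r ? "cannot have ! before -f" : "ok");
    r = set_option(inverse_for_options_fixed, OPT_FRAGMENT, true, &inv);
    printf("fixed table, '! -f': %s, invflags=0x%02x\n", r ? "rejected" : "ok", inv);
    printf("mismatches vs manpage: buggy=%d fixed=%d\n",
           table_mismatches(inverse_for_options_buggy),
           table_mismatches(inverse_for_options_fixed));
    return 0;
}
```

In this model the misordered table rejects `! -f` exactly as the report shows, but it also quietly accepts `! --line` and sets the fragment inversion flag, which is the silent side of the same mix-up. A table_mismatches-style audit of the inverse table against the documented "[!]" options catches both problems without running any rules.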
After doing `git bisect' manually on the upstream gitweb, I accuse
commit f1e71016dddb65709afe0746a96a3fefbec3ba27.
(This caused one of my servers not to start properly because the
firewall script bombed out halfway through and -- by design -- failed
secure. Needless to say, I'm a bit miffed about that. I've inserted a
ghastly hack involving an auxiliary chain to fake the negation, but
it's rather grim as workarounds go.)
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iptables depends on:
ii libc6 2.13-7 Embedded GNU C Library: Shared lib
ii libnfnetlink0 1.0.0-1 Netfilter netlink library
iptables recommends no packages.
iptables suggests no packages.
-- no debconf information