Antony Stone wrote:
> 
> On Tuesday 18 June 2002 4:50 pm, Christoph Gossen wrote:
> 
> > Hello,
> >
> > I think there's a bug in the behaviour of the multiport module - for
> > example, a line like
> >
> >         iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP
> >
> > causes the same behaviour as
> >
> >         iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP
> >
> > or
> >
> >         iptables -p tcp -A OUTPUT --dport 25 -j DROP
> >
> > and NOT (as one would expect) that one caused by
> >
> >         iptables -p tcp -A OUTPUT ! --dport 25 -j DROP
> >
> > Inverting the (set of) port(s) due to the "!" sign in the first line
> > above is just ignored
> > (no syntax error occurs)!
> >
> > Any comments?
> 
> I don't use the multiport match myself, but I'd expect it to be:
> 
> iptables -p tcp -A OUTPUT -m multiport --dport ! 25 -j DROP

I have already tried this - it causes a syntax error "invalid
port/service `!' specified"
(everything ok with this, to me).

> 
> In other words "a destination port which isn't 25"....
> 
> What does that do for you ?
> 
> I note from the man page for iptables, though, that --dport has the [ ! ]
> option, but "multiport --dport" doesn't, so maybe negating multiports is not
> supported at all ?

This is what I assume, too. However, the "!" should not be silently
ignored then but rather a syntax error should arise (to avoid confusion,
or even a potential source of error).

Hervé Eychenne wrote:
...
> multiport option is "--dports", not "--dport"...
> 
>  RV

This is not quite right, as one can abbreviate down to even "--dp" (I
guess THIS is really an intended feature and not a bug).

I forgot to mention the iptables version I tried: It was version 1.2.2
and 1.2.6a.


Greetings,

Christoph
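As an added defender-side check (not part of the thread, and not code from the iptables project), the following Python script lints saved iptables command lines for the two negation placements discussed above when the multiport match is in use: a "!" placed before the port option, which the thread reports is silently ignored (so the rule matches the listed ports instead of their complement), and a "!" placed after it, which the thread reports iptables rejects. It encodes only the behaviour reported for iptables 1.2.2 and 1.2.6a; the handling of --sports and --ports, and the minimum abbreviation length for them, are assumptions.

```python
import shlex

# Constructed sample rules exercising the forms discussed in the thread;
# they are not taken from any real ruleset.
SAMPLE_RULES = [
    "iptables -p tcp -A OUTPUT -m multiport ! --dport 25 -j DROP",    # '!' silently ignored
    "iptables -p tcp -A OUTPUT -m multiport --dport 25 -j DROP",      # fine
    "iptables -p tcp -A OUTPUT --dport 25 -j DROP",                   # no multiport, fine
    "iptables -p tcp -A OUTPUT ! --dport 25 -j DROP",                 # tcp-match negation, fine
    "iptables -p tcp -A OUTPUT -m multiport ! --dp 25,80 -j DROP",    # abbreviated, still ignored
    "iptables -p tcp -A OUTPUT -m multiport --dports ! 25 -j DROP",   # rejected by iptables
]

# Full option names of the multiport match. iptables accepts unambiguous
# prefixes; the thread confirms "--dp" for "--dports". Treating --sports and
# --ports the same way, with the same minimum length, is an assumption.
MULTIPORT_PORT_OPTIONS = ("--dports", "--sports", "--ports")
MIN_ABBREV = 4  # length of "--dp"


def is_multiport_port_option(token):
    """True if token is a full or abbreviated multiport port option."""
    if not token.startswith("--") or len(token) < MIN_ABBREV:
        return False
    return any(opt.startswith(token) for opt in MULTIPORT_PORT_OPTIONS)


def uses_multiport(tokens):
    """True if the command line loads the multiport match with -m."""
    return any(tok == "-m" and tokens[i + 1:i + 2] == ["multiport"]
               for i, tok in enumerate(tokens))


def lint_rule(rule):
    """Return a list of (kind, option) findings for one iptables command line.

    kind is "ignored" for '! --dports ...' (negation silently dropped, per the
    thread) or "rejected" for '--dports ! ...' (syntax error, per the thread).
    Rules that do not use multiport are outside the scope of this check.
    """
    tokens = shlex.split(rule)
    findings = []
    if not uses_multiport(tokens):
        return findings
    for i, tok in enumerate(tokens):
        if tok != "!":
            continue
        prev_tok = tokens[i - 1] if i > 0 else ""
        next_tok = tokens[i + 1] if i + 1 < len(tokens) else ""
        if is_multiport_port_option(next_tok):
            findings.append(("ignored", next_tok))
        elif is_multiport_port_option(prev_tok):
            findings.append(("rejected", prev_tok))
    return findings


def lint_ruleset(rules):
    """Map the index of every flagged rule to its findings."""
    report = {}
    for idx, rule in enumerate(rules):
        findings = lint_rule(rule)
        if findings:
            report[idx] = findings
    return report


if __name__ == "__main__":
    for idx, findings in lint_ruleset(SAMPLE_RULES).items():
        for kind, option in findings:
            if kind == "ignored":
                msg = f"'!' before {option} is silently ignored by multiport; rule matches the listed ports, not their complement"
            else:
                msg = f"'!' after {option} is rejected by iptables (invalid port/service)"
            print(f"rule {idx}: {SAMPLE_RULES[idx]}\n    {msg}")
```

Run it over the lines of an `iptables-save` style dump or a firewall script after stripping the leading command name; a rule flagged as "ignored" is the dangerous one, since it installs without error while matching the opposite of what the author intended.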
