Date:	Mon, 8 Oct 2012 02:14:53 +0200 (CEST)
From:	Jan Engelhardt <jengelh@...i.de>
To:	Pablo Neira Ayuso <pablo@...filter.org>
cc:	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	netfilter@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
	lwn@....net
Subject: Re: [ANNOUNCE] iptables 1.4.16.1 release


On Monday 2012-10-08 01:17, Pablo Neira Ayuso wrote:
>The Netfilter project proudly presents:
>
>        iptables 1.4.16.1
>
>iptables -I INPUT -j ACCEPT
>says:
>iptables: No chain/target/match by that name.
>This also breaks iptables-restore, of course. Jan, you'll have to explain
>me how you have tested this.

This was tested by adding rules with different targets that had both
aliases defined and those without.

 ./iptables/xtables-multi main4 -t raw -N foo
 ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
 with kernels that had xt_CT and no xt_CT at all

 ./iptables/xtables-multi main4 -N foo
 ./iptables/xtables-multi main4 -A foo -m state --state NEW
 with kernels that had xt_conntrack.3, and xt_conntrack.3 removed
 (leaving only xt_conntrack.2)

 ./iptables/xtables-multi main4 -t raw -N bar
 ./iptables/xtables-multi main4 -t raw -A bar -j MARK --set-xmark 1
 ./iptables/xtables-multi main4 -t raw -A foo -j bar

plus of course the "standard" (no pun intended) testsuite that we
had so far:

 # ./iptables/xtables-multi restore6 tests/options-most.rules 
 WARNING: --localtz is being replaced by --kerneltz, since "local" is ambiguous.
 Note the kernel timezone has caveats - see manpage for details.

As you spotted, options-most.rules did not include -j <verdict>.

While v1.4.16-1-g2aaa7ec fixes -j verdict, it breaks NOTRACK in all
instances. To reuse a line, "you'll have to explain me how you have
tested this."

A patch to what I think should fly is posted as a reply hereto.
Please give that a spin.
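The regression in the quoted announce (`-j ACCEPT` rejected with "No chain/target/match by that name") and the follow-up breakage of NOTRACK both come down to how a `-j` name is resolved: it must be a builtin verdict, an extension target, or a user-defined chain in the same table. The following is an added example, not code from iptables or from the test scripts Jan describes, and it reproduces that resolution offline over an iptables-save style ruleset so that a rules file like `options-most.rules` can be linted before it reaches `iptables-restore`. The chain, verdict and extension-target tables it uses are a hand-picked subset, and it assumes (as the kernel enforces) that NOTRACK/CT are only valid in the raw table, SNAT/DNAT/MASQUERADE only in nat, and that jumps to builtin chains are refused. The sample ruleset at the bottom is constructed for this example, modelled on the cases listed in the mail.

```python
"""Static check of an iptables-save style ruleset (added example).

Not code from iptables or from the thread above. It mirrors the resolution
iptables does for "-j <target>": the name must be a builtin verdict, a known
extension target, or a user-defined chain in the same table, otherwise
iptables reports "No chain/target/match by that name".
Assumptions: the tables below are a hand-picked subset; NOTRACK and CT are
treated as raw-only, SNAT/DNAT/MASQUERADE as nat-only; builtin chains are
not valid jump targets.
"""

BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}
VERDICTS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}
# Assumed subset of extension targets; NOTRACK stays a valid name because
# iptables accepts it as an alias for CT --notrack.
EXTENSION_TARGETS = {"MARK", "CT", "NOTRACK", "LOG", "REJECT", "SNAT", "DNAT", "MASQUERADE"}
TABLE_ONLY = {"NOTRACK": "raw", "CT": "raw", "SNAT": "nat", "DNAT": "nat", "MASQUERADE": "nat"}


def _arg(tokens, flag, lineno):
    """Return the argument following `flag`, or None if the flag is absent."""
    if flag not in tokens:
        return None
    i = tokens.index(flag) + 1
    if i >= len(tokens):
        raise ValueError("line %d: %s needs an argument" % (lineno, flag))
    return tokens[i]


def parse_ruleset(text):
    """Parse *table / :chain / -A|-I / COMMIT lines into per-table chains and rules."""
    tables = {}
    table = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"chains": set(BUILTIN_CHAINS.get(table, ())), "rules": []}
            continue
        if table is None:
            raise ValueError("line %d: directive outside a *table block" % lineno)
        if line.startswith(":"):
            tables[table]["chains"].add(line[1:].split()[0])
        elif line == "COMMIT":
            table = None
        elif line.startswith(("-A ", "-I ")):
            tokens = line.split()  # whitespace split: quoted args with spaces are not handled
            rule = (lineno, tokens[1], _arg(tokens, "-j", lineno), _arg(tokens, "-g", lineno))
            tables[table]["rules"].append(rule)
    return tables


def check_ruleset(text):
    """Return a list of problem strings; an empty list means every jump resolves."""
    problems = []
    for table, data in parse_ruleset(text).items():
        user_chains = data["chains"] - BUILTIN_CHAINS.get(table, set())
        for lineno, chain, jump, goto in data["rules"]:
            where = "line %d (%s/%s)" % (lineno, table, chain)
            if chain not in data["chains"]:
                problems.append("%s: rule for undeclared chain" % where)
            if jump is not None:
                # only verdicts, extension targets and user chains of this table qualify
                if jump not in VERDICTS and jump not in EXTENSION_TARGETS and jump not in user_chains:
                    problems.append("%s: -j %s: no chain/target by that name" % (where, jump))
                elif TABLE_ONLY.get(jump, table) != table:
                    problems.append("%s: -j %s is only valid in the %s table" % (where, jump, TABLE_ONLY[jump]))
            if goto is not None and goto not in user_chains:
                problems.append("%s: -g %s: goto must name a user-defined chain" % (where, goto))
    return problems


# Constructed sample: raw-table chains with NOTRACK, MARK and a chain-to-chain
# jump (all fine), then a filter table with a verdict on INPUT, a cross-table
# jump to "bar", an unknown target and NOTRACK outside raw (three problems).
SAMPLE_RULES = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:foo - [0:0]
:bar - [0:0]
-A foo -j NOTRACK
-A bar -j MARK --set-xmark 1
-A foo -j bar
-A PREROUTING -p tcp --dport 22 -j foo
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:foo - [0:0]
-A foo -m state --state NEW -j ACCEPT
-I INPUT -j ACCEPT
-A INPUT -j bar
-A OUTPUT -j NOSUCH
-A FORWARD -j NOTRACK
COMMIT
"""

if __name__ == "__main__":
    for problem in check_ruleset(SAMPLE_RULES):
        print(problem)
```

Run on the constructed sample it reports the cross-table jump to `bar`, the unknown target `NOSUCH` and the NOTRACK rule in the filter table, while the raw table (the same NOTRACK, MARK and chain-jump cases the mail says were exercised) passes clean. It is a pre-flight check only: whether a target module such as xt_CT actually loads is still decided by the kernel, so `iptables-restore --test` remains the authoritative step.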