Re: Bad press again...
* Michael Stone:
> On Tue, Aug 30, 2005 at 12:17:22AM +0200, Florian Weimer wrote:
>>I think this part of the diff is pretty instructive, together with
>>upstream's explanation:
>
> Frankly, no, it's not.
>
>> if [ -n "$MACLIST_TTL" ]; then
>> chain1=$(macrecent_target $interface)
>> createchain $chain1 no
>>- run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
>>- run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT
>>- run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT
>>+ run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
>>+ run_iptables -A $chain -j $chain1
>>+ run_iptables -A $chain -m recent --update --name $chain -j RETURN
>>+ run_iptables -A $chain -m recent --set --name $chain
>> fi
>
> I still have no idea what "chain1=$(macrecent_target $interface)" means.
It evaluates to the recent match chain for the particular interface.
There is one such chain for each interface on which this feature has
been enabled.
> I'm not sure why there's both an "update" and an "rcheck"--the man page
> says they're equivalent, except that update has an additional side
> effect. But if that's the case, why put the update in at all, since
> there's a return after the rcheck and you'll never get to the update.
The chains are different, $chain vs. $chain1.
> Presumably that has something to do with the mysterious chain1. If we
> pull up the full source we find that macrecent_target
> is defined as
> macrecent_target() # $1 - interface
> {
> [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
> }
> and we enter a maze of twisty functions, all alike.
It evaluates to eth0_rec in my test setup (in contrast to eth0_mac for
the chain which performs the actual MAC checks). The relevant part of
the ACL loooks like this:
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
20 1734 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
20 1734 eth0_mac all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
985 757K net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_mac (2 references)
pkts bytes target prot opt in out source destination
4 240 eth0_rec all -- * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 120 name: eth0_mac side: source
1 60 eth0_rec all -- * * 212.9.189.171 0.0.0.0/0 MAC 00:0D:60:39:11:D8
0 0 eth0_rec all -- * * 212.9.189.165 212.9.189.175
0 0 eth0_rec all -- * * 212.9.189.160/28 255.255.255.255
0 0 eth0_rec all -- * * 212.9.189.160/28 224.0.0.0/4
15 1434 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:eth0_mac:REJECT:'
15 1434 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_rec (5 references)
pkts bytes target prot opt in out source destination
4 240 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE name: eth0_mac side: source
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: eth0_mac side: source
Note the ACCEPT in eth0_rec.
What further information do you need?
Reply to: