iptables: -p vs --proto vs --protocol

Observe the following three iptables commands:

# iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy -p esp --dir in --pol ipsec --reqid 1 -j ACCEPT
# iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --proto esp --dir in --pol ipsec --reqid 1 -j ACCEPT
# iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --protocol esp --dir in --pol ipsec --reqid 1 -j ACCEPT


Whereas --proto is a valid synonym for --protocol (as are -p, --proto[c[o[l]]]), if it, namely the exact token --proto, appears in the rule after -m policy, it will be appropriated by the policy extension of iptables. Indeed, the resulting rules as reported by iptables -vL are:

# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     esp  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1
0     0 ACCEPT     all  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1 proto esp
0     0 ACCEPT     esp  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1


This token overloading is an unfortunate design conflict, and such subtlety confounded SaltStack's iptables state module, though not its execution module. It's also really confusing unless you know that --proto can be used in two distinct ways in two distinct places.

So, according to the iptables(8) and iptables-extensions(8) man pages, -p, --proto[c[o[l]]] specify "The protocol of the rule or of the packet to check." and --proto as used by the IPSec policy extension matches the encapsulation protocol. Evidently the encapsulation protocol is different from the protocol used for IPSec traffic. I still have more to learn about this, otherwise I would be more helpful here.

A Pleasant Discovery

In the course of technological events arising from the labor of one's job, frequently the occasion occurs that one finds oneself either forestalled by uncertainty and variability in setting up an unfamiliar system/tool or confused by the complexity of such system/tool and its unwholesome documentation or both. (The appreciable frequency of this scenario being one of the reasons why filtering on flat task lists for job candidates often proves so foolhardy even as it is defended as the safe choice. Rather, Aristotle I think would advise not to look upon a person's resume, but at what that person will do next.)

Conjecture Threshold

Today at his blog, Peter Woit responded to some rebuke or other from the stringeratti cabal on his disrespect for their sacred creed and its inevitable ascendance. He's got a severe commenting policy there and I don't begrudge it. I can imagine someone with his votive alert for bullshit borne out of disgust of general delusion as an ecclesiastical order coopts fundamental physics in a way everyone loves to compare to the celebrated hubris that was shattered 113 years ago--I can imagine someone in his position carefully inscribing himself from the ruling academic class with an appreciable buffer that protects comments as well.

But this is my blog and, waxing bold in my own sovereign licensure, I have neither professional apprehension towards the high court of ivy strangled decorum nor reverence for an ostensible ranking of living minds and I grant myself permanent freedom to post whatever I fancy. The following comment was deemed inappropriate for the curated safe comment space on the blog itself:

If we're now in the business of measuring and comparing the 'intelligence' housed in discrete human instances, I'd say that Woit's smarter than any of those anointed to ascend into the high ivory tower incapable of discerning that the multiverse has no clothes, despite whatever whizbang smoke and mirrors they're able to conjure in its favor.

If this comment seems gratuitously homenim, it's because I err towards frustration with the status quo keepers of the theoretical enterprises in fundamental physics rather than wanting or not to construct Woit paean.

Print all iptables rules

It is unfortunate that iptables does not have a simple builtin option that does this, as I'm too impatient to type out this loop every time I need to see what's really going on. I'm for sure too impatient to type out 5 parallel commands. The -S option does not give the same useful formatting as -L and no option can be combined with -vL to request the rules from all tables. I may just have to add this to my shell init.

for table in filter nat mangle raw security ; do printf "\n===== %s =====\n" $table ; sudo iptables -vL -t$table ; done


Anecdotally

Many years ago I watched an excellent documentary about violinists in which Itzhak Perlman likened the violinist's bow to an "artist's paintbrush", describing how each requires "a lifetime to master". Likewise, I have personal second hand anecdotes from Pinchas Zukerman saying things like the symphonic orchestra is the greatest of all instruments, and that when someone asks you what you play, you should respond that you "play the bow".

From my 24 years of viola playing, I can substantiate these two metaphorical idioms about the bow with my own vicissitudes of the bow kind.

HowTo Get a Site's Certificate Fingerprint

I finally got around to setting up TLS to the IRC servers that I use. It is incredible that this is not default or that there does not even seem to be conventional ports. Freenode suggests 6697, 7000, and 7070, but there is an independent draft standard for 6697.

Skew

Monday of this week I synthesized a combination of two obvious observations into a pair of aphorisms:

When hacking while wearing a black hat, one must string together a sequence of bugs to do one's 'job'.

When doing anything else in life, one's job must be done by stringing together a sequence of bug workarounds.

What Can You See: A Guide (Rant) on Commenting

I occasionally find code examples online where the author, in their effort to fully communicate the breadth and detail of a proposition and solution, has commented almost every, or every single line of code.

The Dystopia of Merit

I have long thought about the thesis of and cultured indignation against the rapidly evolving phenomena detailed in this article. I read/skim ~70 articles per day, so it is rare for me to read an entire article, but I recommend you to read this one as I have done. Normally I only have to read a few sentences or sometimes even the title and a few sentences before I can gauge the argument, tone, evidence, and novelty contained in an article, know how I will assent as much against my own worldview bias, or don't care. I have been reading the news for so long and have formed a comprehensive library of opinions and perspectives and can already reduce most articles to a few data transactions against the representative opinions. This is, however, the subject of another post.