Expert Opinion (Posts about protocol)http://findlay.space/enContents © 2020 <a href="mailto:justin@findlay.space">jmoney</a> <a rel="license" href="https://creativecommons.org/licenses/by-nc-sa/4.0/"> <img alt="Creative Commons License BY-NC-SA" style="border-width:0; margin-bottom:12px;" src="https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png"></a>Fri, 11 Sep 2020 20:35:47 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssiptables: -p vs --proto vs --protocolhttp://findlay.space/posts/iptables-p-vs-proto-vs-protocol/jmoney<div><p>Observe the following three iptables commands:</p> <pre class="code bash"><a name="rest_code_dff2252adf5547e3b7f0cc96e8241d71-1"></a><span class="c1"># iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy -p esp --dir in --pol ipsec --reqid 1 -j ACCEPT</span> <a name="rest_code_dff2252adf5547e3b7f0cc96e8241d71-2"></a><span class="c1"># iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --proto esp --dir in --pol ipsec --reqid 1 -j ACCEPT</span> <a name="rest_code_dff2252adf5547e3b7f0cc96e8241d71-3"></a><span class="c1"># iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --protocol esp --dir in --pol ipsec --reqid 1 -j ACCEPT</span> </pre><p>Whereas <code class="docutils literal"><span class="pre">--proto</span></code> is a valid synonym for <code class="docutils literal"><span class="pre">--protocol</span></code> (as are <code class="docutils literal"><span class="pre">-p</span></code>, <code class="docutils literal"><span class="pre">--proto[c[o[l]]]</span></code>), if it, namely the exact token <code class="docutils literal"><span class="pre">--proto</span></code>, appears in the rule after <code class="docutils literal"><span class="pre">-m</span> policy</code>, it will be appropriated by the policy extension of iptables. Indeed, the resulting rules as reported by <code class="docutils literal">iptables <span class="pre">-vL</span></code> are:</p> <pre class="code bash"><a name="rest_code_1a7c5b1bc9414eac82bdedd45ac283a5-1"></a><span class="c1"># iptables -vL</span> <a name="rest_code_1a7c5b1bc9414eac82bdedd45ac283a5-2"></a>Chain INPUT <span class="o">(</span>policy ACCEPT <span class="m">0</span> packets, <span class="m">0</span> bytes<span class="o">)</span> <a name="rest_code_1a7c5b1bc9414eac82bdedd45ac283a5-3"></a> pkts bytes target prot opt in out <span class="nb">source</span> destination <a name="rest_code_1a7c5b1bc9414eac82bdedd45ac283a5-4"></a> <span class="m">0</span> <span class="m">0</span> ACCEPT esp -- eth0 any <span class="m">10</span>.20.0.0/24 <span class="m">10</span>.10.0.0/24 policy match dir in pol ipsec reqid <span class="m">1</span> <a name="rest_code_1a7c5b1bc9414eac82bdedd45ac283a5-5"></a> <span class="m">0</span> <span class="m">0</span> ACCEPT all -- eth0 any <span class="m">10</span>.20.0.0/24 <span class="m">10</span>.10.0.0/24 policy match dir in pol ipsec reqid <span class="m">1</span> proto esp <a name="rest_code_1a7c5b1bc9414eac82bdedd45ac283a5-6"></a> <span class="m">0</span> <span class="m">0</span> ACCEPT esp -- eth0 any <span class="m">10</span>.20.0.0/24 <span class="m">10</span>.10.0.0/24 policy match dir in pol ipsec reqid <span class="m">1</span> </pre><p>This token overloading is an unfortunate design conflict, and such subtlety <a class="reference external" href="https://github.com/saltstack/salt/pull/47113">confounded SaltStack's iptables state module</a>, though not its execution module. It's also really confusing unless you know that <code class="docutils literal"><span class="pre">--proto</span></code> can be used in two distinct ways in two distinct places.</p> <p>So, according to the <a class="reference external" href="http://man7.org/linux/man-pages/man8/iptables.8.html">iptables(8)</a> and <a class="reference external" href="http://man7.org/linux/man-pages/man8/iptables-extensions.8.html">iptables-extensions(8)</a> man pages, <code class="docutils literal"><span class="pre">-p</span></code>, <code class="docutils literal"><span class="pre">--proto[c[o[l]]]</span></code> specify "The protocol of the rule or of the packet to check." and <code class="docutils literal"><span class="pre">--proto</span></code> as used by the IPSec policy extension matches the encapsulation protocol. Evidently the encapsulation protocol is different from <em>the</em> protocol used for IPSec traffic. I still have more to learn about this, otherwise I would be more helpful here.</p></div>IPSeciptableslinuxnetworkingprotocolhttp://findlay.space/posts/iptables-p-vs-proto-vs-protocol/Thu, 12 Apr 2018 23:43:40 GMT