Fix incorrect addition of rule to PREROUTING mangle chain#1
Open
albertmichaelj wants to merge 1 commit into master from
Conversation
In the current iptables init script, the mangle table has a rule added to jump to the MINIUPNPD chain in the mangle table added to PREROUTING. However, if you look at `iptables_removeall.sh`, it tries to remove the rule from the `FORWARD` chain instead (see the line here). This changes the init script to add the jump rule to the FORWARD chain instead of the PREROUTING chain.

When this is not done, the mangle table is not properly reset on calling the `iptables_removeall.sh` script. Specifically, the rule jumping to MINIUPNPD and the MINIUPNPD chain itself remain (though rules are correctly flushed). Additionally, there is an error message in the logs as follows:

To be frank, I am not certain that the intended chain to add the jump rule to is the FORWARD chain. The mistake might be in `iptables_removeall.sh` in trying to remove the rule from the `FORWARD` chain. However, to the best I can understand, the mangle table is used to adjust the DSCP of incoming packets (though to be clear, I don't understand when and why this is done in the UPnP protocol), and by looking at other examples online, it seems like the FORWARD chain on the mangle table is the most common place to adjust DSCP values. Additionally, the git blame for the line in `iptables_removeall.sh` shows that the FORWARD chain was used first (`iptables_removeall.sh` was edited nine years ago to add the removal rule, while `iptables_init.sh` was added two years ago). All of this leads me to believe that the correct chain is the FORWARD chain.