What does this mean?

Hi,

I have a firewall running on openwrt. When I load the new policy I get the
following warning:

Running prolog script
Logged in
Activating firewall script generated Mon Jul 13 15:03:21 2009 by tdiehl
Rule 0 (NAT)
Rule 1 (NAT)
Rule 2 (NAT)
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
...

Rule 11 (global)
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

...

Any idea what this means and how to make iptables happy?
fwb version == 3.0.4 build 794 iptables ver == v1.4.3.2.

Regards,

--
Tom Diehl tdiehl@... Spamtrap address mtd123@...

_______________________________________________
Fwbuilder-discussion mailing list
Fwbuilder-discussion@...
https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

Re: What does this mean?

On Jul 13, 2009, at 1:56 PM, Tom Diehl wrote:

> Hi,
>
> I have a firewall running on openwrt. When I load the new policy I get the
> following warning:
>
> Running prolog script
> Logged in
> Activating firewall script generated Mon Jul 13 15:03:21 2009 by tdiehl
> Rule 0 (NAT)
> Rule 1 (NAT)
> Rule 2 (NAT)
> Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
> ...
>
> Rule 11 (global)
> Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
> Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
>
> ...
>
> Any idea what this means and how to make iptables happy?
> fwb version == 3.0.4 build 794 iptables ver == v1.4.3.2.

this is the first time I see this, but it should not be too difficult to fix.
Could you figure out which option in particular it complains about ?

Vadim Kurland
vadim@...

Re: What does this mean?

On Mon, 13 Jul 2009, Vadim Kurland wrote:

> On Jul 13, 2009, at 1:56 PM, Tom Diehl wrote:
>
>> Hi,
>>
>> I have a firewall running on openwrt. When I load the new policy I get the
>> following warning:
>>
>> Running prolog script
>> Logged in
>> Activating firewall script generated Mon Jul 13 15:03:21 2009 by tdiehl
>> Rule 0 (NAT)
>> Rule 1 (NAT)
>> Rule 2 (NAT)
>> Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
>> ...
>>
>> Rule 11 (global)
>> Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
>> Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).
>>
>> ...
>>
>> Any idea what this means and how to make iptables happy?
>> fwb version == 3.0.4 build 794 iptables ver == v1.4.3.2.
>
> this is the first time I see this, but it should not be too difficult to fix.
> Could you figure out which option in particular it complains about ?

echo "Rule 2 (NAT)"
#
# Dnat rule for ben
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.0/24 -d my.ext.ip.addr --dport 3389 -j DNAT --to-destination 192.168.1.4

#
# Rule 13 (global)
#
echo "Rule 13 (global)"
#
# Ports fwded to Ben
#
$IPTABLES -A OUTPUT -p tcp -m tcp -s ! 192.168.1.0/24 -d 192.168.1.4 --dport 3389 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp -s ! 192.168.1.0/24 -d 192.168.1.4 --dport 3389 -m state --state NEW -j ACCEPT

If I disable the rules that generate the above, the warnings go away. I am
guessing from the warnings that instead of -s ! the preferred syntax is
! -s .

Does this make sense to you?

Regards,

Tom

Re: What does this mean?

On Jul 13, 2009, at 6:16 PM, Tom Diehl wrote:

> It looks like the following rules from the .fw file are generating
> the warnings:
>
> echo "Rule 2 (NAT)"
> #
> # Dnat rule for ben
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.0/24 -d my.ext.ip.addr --dport 3389 -j DNAT --to-destination 192.168.1.4
>
> #
> # Rule 13 (global)
> #
> echo "Rule 13 (global)"
> #
> # Ports fwded to Ben
> #
> $IPTABLES -A OUTPUT -p tcp -m tcp -s ! 192.168.1.0/24 -d 192.168.1.4 --dport 3389 -m state --state NEW -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -m tcp -s ! 192.168.1.0/24 -d 192.168.1.4 --dport 3389 -m state --state NEW -j ACCEPT
>
> If I disable the rules that generate the above, the warnings go away. I am
> guessing from the warnings that instead of -s ! the preferred syntax is
> ! -s .
>
> Does this make sense to you?

yes, this makes sense. Now I need to figure out when (what version) did they
make this change in iptables .

Vadim Kurland
vadim@...

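An added example, not part of the original thread and not Firewall Builder's own fix: a shell filter that lists rules in a generated script still using `-s ! addr` and rewrites them to `! -s addr`, the form guessed and confirmed in the messages above. It generalizes beyond `-s` to any option followed by `!` and a value; the function names and the last sample rule are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint and rewrite intrapositioned negation in an iptables script.
# Function names are hypothetical; sample input is constructed from the thread's rules.

# "<option> ! <value>", where <value> does not start with "-" (so "--syn ! -s x",
# which is already in the new form, is never mistaken for the old one).
OLD_NEG='(^|[[:space:]])(--?[[:alnum:]][[:alnum:]-]*)[[:space:]]+![[:space:]]+([^-[:space:]][^[:space:]]*)'

# Constructed sample: two old-style rules from the thread, one new-style rule.
sample_rules() {
cat <<'EOF'
# Rule 2 (NAT)
$IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.0/24 -d my.ext.ip.addr --dport 3389 -j DNAT --to-destination 192.168.1.4
$IPTABLES -A FORWARD -p tcp -m tcp -s ! 192.168.1.0/24 -d 192.168.1.4 --dport 3389 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp ! -s 10.0.0.0/8 --dport 22 -j DROP
EOF
}

# Print the non-comment lines on stdin that still use "--option ! value".
list_intrapositioned() {
    grep -v '^[[:space:]]*#' | grep -E -- "$OLD_NEG"
}

# Rewrite stdin so "!" precedes the option; comment lines pass through untouched.
fix_negation() {
    sed -E '/^[[:space:]]*#/!s/'"$OLD_NEG"'/\1! \2 \3/g'
}

# Stand-alone run: show the rewritten sample script.
sample_rules | fix_negation
```

Diff the rewritten script against the original before loading it: only the position of `!` should change, never the address or option it negates.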
Re: What does this mean?

also, could you please open a bug on SourceForge ?

--vk

On Jul 13, 2009, at 6:29 PM, Vadim Kurland wrote:

> On Jul 13, 2009, at 6:16 PM, Tom Diehl wrote:
>
>> It looks like the following rules from the .fw file are generating
>> the warnings:
>>
>> echo "Rule 2 (NAT)"
>> #
>> # Dnat rule for ben
>> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -s ! 192.168.1.0/24 -d my.ext.ip.addr --dport 3389 -j DNAT --to-destination 192.168.1.4
>>
>> #
>> # Rule 13 (global)
>> #
>> echo "Rule 13 (global)"
>> #
>> # Ports fwded to Ben
>> #
>> $IPTABLES -A OUTPUT -p tcp -m tcp -s ! 192.168.1.0/24 -d 192.168.1.4 --dport 3389 -m state --state NEW -j ACCEPT
>> $IPTABLES -A FORWARD -p tcp -m tcp -s ! 192.168.1.0/24 -d 192.168.1.4 --dport 3389 -m state --state NEW -j ACCEPT
>>
>> If I disable the rules that generate the above, the warnings go away. I am
>> guessing from the warnings that instead of -s ! the preferred syntax is
>> ! -s .
>>
>> Does this make sense to you?
>
> yes, this makes sense. Now I need to figure out when (what version)
> did they make this change in iptables .
>
> Vadim Kurland
> vadim@...

Vadim Kurland
vadim@...

Re: What does this mean?

On Mon, 13 Jul 2009, Vadim Kurland wrote:

> also, could you please open a bug on SourceForge ?

Done!! bug # is 2821050. Also it looks like the warning was added in version
1.4.3.2 of iptables. The changelog is here:
http://marc.info/?l=netfilter-devel&m=123901795723602&q=p3

Hope this helps.

Regards,

--
Tom Diehl tdiehl@... Spamtrap address mtd123@...

Re: What does this mean?

On Jul 13, 2009, at 7:06 PM, Tom Diehl wrote:

> On Mon, 13 Jul 2009, Vadim Kurland wrote:
>
>> also, could you please open a bug on SourceForge ?
>
> Done!! bug # is 2821050. Also it looks like the warning was added
> in version 1.4.3.2 of iptables. The changelog is here:
> http://marc.info/?l=netfilter-devel&m=123901795723602&q=p3
>
> Hope this helps.

this helps, thank you.

--vk

Vadim Kurland
vadim@...