azet / capirca

Fork: Multi-platform ACL generation system
https://code.google.com/p/capirca
Apache License 2.0

generator outputs default "-P FORWARD DROP" policy for iptables even if not specified #9

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create basic policy with a header for INPUT, OUTPUT, and FORWARD.
2. Do not specify the default DROP/ACCEPT in the header.
3. Run generator.
4. Notice that the output .ipt file has this in it.

-P FORWARD DROP

What is the expected output? What do you see instead?

Expected Output:
No "-P FORWARD" entry at all in the file

Witnessed Output:
-P FORWARD DROP

Please use labels and text to provide additional information.

drop, forward, policy, default, iptables, ipt, generator

Original issue reported on code.google.com by kristian...@gmail.com on 26 Apr 2010 at 9:36

GoogleCodeExporter commented 9 years ago
This is expected/intended behavior.

From 'iptables.py':
      if self._PLATFORM == 'iptables' and filter_name == 'FORWARD':
        default_action = 'DROP'

When a default policy is not specified for the FORWARD filter, it defaults to DROP.
To avoid the unexpected output, either specify a default action of ACCEPT or do not define a FORWARD target.

Original comment by watson@google.com on 12 Jul 2011 at 7:16
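The following is an added illustration, not capirca's own code: it models the default-policy rule quoted from iptables.py above, renders the `-P` lines the three header variants from this thread would produce (no default, explicit ACCEPT, no FORWARD target), and includes a small review check that flags a chain policy present in a generated .ipt file that the policy header never asked for. The header syntax `target:: iptables <CHAIN> [ACCEPT|DROP]` and the sample headers are assumptions made for this example.

```python
import re

# Constructed policy headers for the three cases discussed in the thread.
# The "target:: iptables <CHAIN> [ACCEPT|DROP]" syntax is assumed here.
POLICY_NO_DEFAULT = """header {
  target:: iptables INPUT
  target:: iptables OUTPUT
  target:: iptables FORWARD
}"""
POLICY_FORWARD_ACCEPT = POLICY_NO_DEFAULT.replace("FORWARD", "FORWARD ACCEPT")
POLICY_NO_FORWARD = "\n".join(
    l for l in POLICY_NO_DEFAULT.splitlines() if "FORWARD" not in l)

TARGET_RE = re.compile(
    r"^\s*target::\s+iptables\s+(INPUT|OUTPUT|FORWARD)(?:\s+(ACCEPT|DROP))?\s*$")
POLICY_LINE_RE = re.compile(r"^-P\s+(\S+)\s+(ACCEPT|DROP)\s*$")

def requested_policies(policy_text):
    """Map each chain named in the header to its explicit policy, or None."""
    chains = {}
    for line in policy_text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            chains[m.group(1)] = m.group(2)
    return chains

def default_action(platform, chain, requested):
    """Policy the generator emits for a chain; None means no '-P' line.
    Mirrors the quoted rule: an unspecified FORWARD default becomes DROP on
    the iptables platform; other chains with no default get no policy line."""
    if requested:
        return requested
    if platform == "iptables" and chain == "FORWARD":
        return "DROP"
    return None

def render_policy_lines(policy_text, platform="iptables"):
    """Render the '-P <chain> <policy>' lines a header would produce."""
    out = []
    for chain, requested in requested_policies(policy_text).items():
        action = default_action(platform, chain, requested)
        if action:
            out.append(f"-P {chain} {action}")
    return out

def implicit_policies(policy_text, ipt_text):
    """Review check: '-P' lines in a generated .ipt the header never requested."""
    asked = requested_policies(policy_text)
    return [(m.group(1), m.group(2))
            for m in map(POLICY_LINE_RE.match, ipt_text.splitlines())
            if m and asked.get(m.group(1)) is None]
```

Running `render_policy_lines` on the three headers reproduces the report: only the header with an unqualified FORWARD target yields `-P FORWARD DROP`.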