Brad Fitzpatrick (brad) wrote,

I want to run a memcached process on a shared server (goathack), listening on, but memcached doesn't have any sort of authentication (maybe later), so I have to restrict its access to just connections from the "ljtest" user.

I thought this would be easy with netfilter:

# iptables -A OUTPUT -p tcp -d --dport 11211 -m owner \! --uid-owner 1033 -j DROP

iptables: Invalid argument

So, I find Debian stable's is old (1.2.6a). I build the latest version and get:

iptables v1.2.8: Unknown arg `--dport'

(but --dport should be loaded implicitly by -p tcp)

So I look at the relevant code and find:
/* If you listen carefully, you can
   actually hear this code suck. */

/* some explanations (after four different bugs
 * in 3 different releases): If we encounter a
 * parameter, that has not been parsed yet,
 ... [snipped] ....

Great. *yawn*

Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d -j DROP

Update #2: But it can't reload this config later. Filed a bug.
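As an added example (not from Brad's post or the iptables project), here is a small Python audit that parses an iptables-save dump and checks that the first OUTPUT rule able to match TCP/11211 is the owner-restricted DROP, and that no blanket ACCEPT ahead of it shadows the restriction. The dumps, the address 10.0.0.5 and uid 1033 are constructed sample data; the parser is token-based, so it accepts either option order seen in the post.

```python
import shlex

# Constructed iptables-save excerpts (not from the original post). The first
# restricts TCP/11211 to uid 1033; the second has a blanket ACCEPT ahead of it.
RESTRICTED = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 10.0.0.5/32 -p tcp -m owner ! --uid-owner 1033 -m tcp --dport 11211 -j DROP
COMMIT
"""
SHADOWED = RESTRICTED.replace("-A OUTPUT", "-A OUTPUT -j ACCEPT\n-A OUTPUT", 1)

# Options that consume the following token as their argument.
OPTS_WITH_ARG = {"-p", "-d", "-s", "-m", "-j", "--dport", "--sport",
                 "--uid-owner", "--gid-owner"}

def parse_rules(dump, chain="OUTPUT"):
    """Return the -A <chain> rules as dicts; option order does not matter."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", chain]:
            continue
        r = {"proto": None, "dport": None, "uid": None, "uid_neg": False, "target": None}
        negate, i = False, 2
        while i < len(toks):
            t = toks[i]
            val = toks[i + 1] if i + 1 < len(toks) else None
            if t == "!":            # iptables-save puts '!' before the option
                negate = True
                i += 1
                continue
            if t == "-p":
                r["proto"] = val
            elif t == "--dport":
                r["dport"] = int(val)
            elif t == "--uid-owner":
                r["uid"], r["uid_neg"] = val, negate
            elif t == "-j":
                r["target"] = val
            negate = False
            i += 2 if t in OPTS_WITH_ARG else 1
        rules.append(r)
    return rules

def port_restricted_to_uid(dump, port, uid):
    """True iff the first OUTPUT rule that can match TCP/`port` drops every
    packet not owned by `uid`; an earlier unconditional ACCEPT shadows it."""
    for r in parse_rules(dump):
        if r["dport"] is None and r["target"] == "ACCEPT":
            return False        # blanket accept fires before the restriction
        if r["dport"] == port:
            return (r["proto"] == "tcp" and r["target"] == "DROP"
                    and r["uid"] == str(uid) and r["uid_neg"])
    return False                # no rule mentions the port at all
```

Feed it the output of `iptables-save` on the host to confirm the rule survived a reload, which is exactly the failure mode the second update describes.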

  • Happy Birthday!

    Happy 20th Birthday, LiveJournal! 🐐🎂🎉

  • hi

    Posting from the iPhone app. Maybe I'm unblocked now.

  • Why, hello...

    Long time no see. How's my baby doing?
