June 9th, 2003

netfilter

I want to run a memcached process on a shared server (goathack), listening on 127.0.0.1:11211, but memcached doesn't have any sort of authentication (maybe later), so I have to restrict its access to just connections from the "ljtest" user.

I thought this would be easy with netfilter:

# iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP

But....

iptables: Invalid argument

So, I find Debian stable's iptables is old (1.2.6a). I build the latest version and get:

iptables v1.2.8: Unknown arg `--dport'

(but --dport should be loaded implicitly by -p tcp)

So I look at the relevant code and find:
/* If you listen carefully, you can
   actually hear this code suck. */

/* some explanations (after four different bugs
 * in 3 different releases): If we encounter a
 * parameter, that has not been parsed yet,
 ... [snipped] ....

Great. *yawn*

Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP

Update #2: But it can't reload this config later. Filed a bug.
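As an added example (not from the original post), here is the same policy written for current iptables in iptables-restore format. It keeps the user name "ljtest" and the memcached address 127.0.0.1:11211 from the post; the ACCEPT/DROP pair and the helper names are assumptions. Each option is placed after the `-p`/`-m` that defines it, which is the ordering the update above found necessary; `check_order` verifies that property. The owner match is only valid in the OUTPUT and POSTROUTING chains, which is fine here because every connection to 127.0.0.1 is locally generated.

```shell
#!/bin/sh
# Added example: render the memcached access policy from the post in
# iptables-restore format. "ljtest" and 11211 are taken from the post;
# the ACCEPT-then-DROP structure is this example's choice. Load as root with:
#   memcached_rules | iptables-restore --noflush
# (--noflush keeps whatever rules are already in the filter table.)
memcached_rules() {
    user=${1:-ljtest}     # the only uid allowed to talk to memcached
    port=${2:-11211}      # memcached's listening port
    cat <<EOF
*filter
-A OUTPUT -p tcp -d 127.0.0.1 --dport ${port} -m owner --uid-owner ${user} -j ACCEPT
-A OUTPUT -p tcp -d 127.0.0.1 --dport ${port} -j DROP
COMMIT
EOF
}

# Sanity check on option order: --dport must come after -p tcp and
# --uid-owner after -m owner, since a match's options are only known
# to the parser once the match itself has been named. Exit status 0 when
# every -A line is ordered that way, 1 otherwise.
check_order() {
    memcached_rules "$@" | awk '
        /^-A/ {
            p = index($0, "-p tcp");  d = index($0, "--dport")
            if (d && (!p || p > d)) bad = 1
            m = index($0, "-m owner"); u = index($0, "--uid-owner")
            if (u && (!m || m > u)) bad = 1
        }
        END { exit bad }'
}

# Stand-alone usage: print the ruleset after validating its option order.
if check_order; then
    memcached_rules
else
    echo "rule option order is wrong" >&2
    exit 1
fi
```

Writing an explicit ACCEPT rule for the permitted user followed by an unconditional DROP avoids the negated form (`! --uid-owner`), whose spelling changed between iptables releases; the positive form loads the same way everywhere the owner match exists. Note that this only governs locally generated traffic: remote hosts are kept out by memcached binding to 127.0.0.1, not by these rules.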