iptables: regression in 1.8.9 with -n breaks portblock in resource-agents
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| iptables |
Fix Released
|
Unknown
|
|||
| iptables (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
In iptables 1.8.9, a regression was introduced that changes the behavior of the -n flag.
Previously, supplying -n would *not* display numerical values for the "prot" column of the -L output:
# iptables --version
iptables v1.8.7 (nf_tables)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
However, with the faulty patch, this changed to numerical values:
# iptables --version
iptables v1.8.9 (legacy)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
This breaks parsing in the resource-agents package, namely the portblock resource agent.
Parsing has since been relaxed in resource-agents: https:/
There is an upstream bug report:
https:/
For reference, there is also a report with the Debian project: https:/
The offending commit was reverted upstream:
https:/
But the revert has not been released yet.
Ubuntu Noble ships version 1.8.10 of iptables, which is still affected. The solution would be to apply the reverted patch mentioned above.
| description: | updated |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in iptables (Ubuntu): | |
| status: | New → Confirmed |
| Changed in iptables: | |
| status: | Unknown → Confirmed |
| Changed in iptables: | |
| status: | Confirmed → Fix Released |
Status changed to 'Confirmed' because the bug affects multiple users.