iptables: regression in 1.8.9 with -n breaks portblock in resource-agents
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| iptables | Fix Released | Unknown | | |
| iptables (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
In iptables 1.8.9, a regression was introduced that changes the behavior of the -n flag.
Previously, supplying -n would *not* display numerical values for the "prot" column of the -L output:
```
# iptables --version
iptables v1.8.7 (nf_tables)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
```
However, with the faulty patch, this changed to numerical values:
```
# iptables --version
iptables v1.8.9 (legacy)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
```
This breaks parsing in the resource-agents package, namely the portblock resource agent.
Parsing has since been relaxed in resource-agents: https:/
There is an upstream bug report:
https:/
For reference, there is also a report with the Debian project: https:/
The offending commit was reverted upstream:
https:/
But the revert has not been released yet.
Ubuntu Noble ships version 1.8.10 of iptables, which is still affected. The solution would be to apply the reverted patch mentioned above.
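The parsing problem described above is that a script matching on the `prot` column of `iptables -nL` sees `udp` on 1.8.7 and `17` on 1.8.9/1.8.10. The following is an added example, not code from the bug report or from the resource-agents portblock agent, of a POSIX sh rule lookup that tolerates both forms by normalizing the column through the IANA protocol numbers before comparing. The two listings are constructed to mirror the ones in the report, and the function names `proto_name` and `has_rule` are the example's own.

```shell
#!/bin/sh
# Added example: match a rule in `iptables -nL` output whether the "prot"
# column shows a protocol name (iptables 1.8.7) or a number (1.8.9/1.8.10).

# Constructed sample listings, mirroring the two shown in the bug report.
OLD_OUTPUT='Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53'

NEW_OUTPUT='Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53'

# proto_name NUMBER_OR_NAME: print the canonical protocol name.
# The numbers are the IANA assigned protocol numbers; anything that is not
# one of the known numbers (including an existing name) is passed through.
proto_name() {
    case "$1" in
        1)   echo icmp ;;
        6)   echo tcp ;;
        17)  echo udp ;;
        47)  echo gre ;;
        50)  echo esp ;;
        51)  echo ah ;;
        58)  echo ipv6-icmp ;;
        132) echo sctp ;;
        *)   echo "$1" ;;
    esac
}

# has_rule OUTPUT TARGET PROTO PORT: exit 0 if OUTPUT contains a rule with the
# given target, protocol and destination port, regardless of prot column form.
has_rule() {
    output=$1; want_target=$2; want_proto=$3; want_port=$4
    printf '%s\n' "$output" | while read -r target prot opt src dst rest; do
        # Skip the chain banner, the column header and blank lines.
        case "$target" in Chain|target|'') continue ;; esac
        [ "$target" = "$want_target" ] || continue
        [ "$(proto_name "$prot")" = "$want_proto" ] || continue
        # The match options come after the destination, e.g. "udp dpt:53".
        case " $rest " in
            *" dpt:$want_port "*) echo found; break ;;
        esac
    done | grep -q found
}

# Demo when run directly: both listings describe the same udp/53 rule.
for out in "$OLD_OUTPUT" "$NEW_OUTPUT"; do
    if has_rule "$out" ACCEPT udp 53; then
        echo "ACCEPT udp dpt:53 found"
    else
        echo "ACCEPT udp dpt:53 missing"
    fi
done
```

The `while read` loop runs in a subshell, so its result is passed back through `grep -q` rather than a variable; the list of protocol numbers covers the ones a port-blocking rule is likely to use and can be extended from `/etc/protocols` on the host.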
description: updated
Changed in iptables:
status: Unknown → Confirmed
Changed in iptables:
status: Confirmed → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.