iptables-restore does not work properly when compiled with gcc-4.7

Bug #1027252 reported by Jamie Strandboge on 2012-07-20
This bug affects 1 person
Affects: iptables | Status: Fix Released | Importance: Medium
Affects: iptables (Ubuntu) | Importance: High | Assigned to: Jamie Strandboge

Bug Description

With the following test firewall:
# Start test file
*nat
:PREROUTING ACCEPT [2:150]
:INPUT ACCEPT [2:150]
:OUTPUT ACCEPT [9:588]
:POSTROUTING ACCEPT [9:588]
COMMIT
*mangle
:PREROUTING ACCEPT [93:393669]
:INPUT ACCEPT [93:393669]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:6633]
:POSTROUTING ACCEPT [69:6793]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FOOBAR]"
COMMIT
# End test file

iptables-restore 1.4.12 compiled with gcc-4.7 does not add the INPUT rule. E.g.:
$ cat /tmp/test.fw | sudo iptables-restore && sudo iptables-save | grep FOOBAR || echo "FAIL"
FAIL

However, iptables-restore 1.4.12 compiled with gcc-4.6 works fine. E.g.:
$ cat /tmp/test.fw | sudo iptables-restore && sudo iptables-save | grep FOOBAR || echo "FAIL"
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FOOBAR]"

Attached is a small script for testing (must run with sudo).
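
A check for the failure mode in this report, where a rule in the restore file is absent from the loaded ruleset (added example, not the script attached to the bug): it compares the file against a later iptables-save dump, table by table. The function names, /tmp/after.save and the sample dumps are assumptions made for illustration, and the comparison assumes the ruleset file is already in iptables-save's output format.

```shell
#!/bin/sh
# missing_rules RULESET SAVED
#   RULESET: file that was fed to iptables-restore
#   SAVED:   iptables-save output captured afterwards
# Prints each "-A" rule of RULESET that SAVED lacks (per table, counting
# duplicates) and returns 1 if any are missing. Assumes RULESET is already in
# iptables-save's own format, so loaded rules print back unchanged.
missing_rules() {
    awk '
        { sub(/[ \t\r]+$/, "") }                    # ignore trailing blanks / CR
        /^\*/   { table = substr($0, 2); next }     # "*filter" opens a table
        !/^-A / { next }                            # skip chains, COMMIT, comments
        { key = table ": " $0 }
        FILENAME == ARGV[1] { if (!(key in want)) order[++n] = key; want[key]++; next }
        { have[key]++ }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (have[k] + 0 < want[k]) {
                    printf "MISSING %s (wanted %d, loaded %d)\n", k, want[k], have[k]
                    bad = 1
                }
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample: the *filter part of the report's test file, plus
# stand-ins for the dump of a working build (identical copy) and of an
# affected build (same file with the -A line gone).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FOOBAR]"' \
        'COMMIT' > "$d/test.fw"
    cp "$d/test.fw" "$d/good.save"
    grep -v '^-A ' "$d/test.fw" > "$d/bad.save"
    ok=no dropped=no
    missing_rules "$d/test.fw" "$d/good.save" && ok=yes
    missing_rules "$d/test.fw" "$d/bad.save" || dropped=yes
    rm -rf "$d"
    [ "$ok$dropped" = yesyes ]
}

# On a live host (as root; /tmp/after.save is a hypothetical path):
#   iptables-restore < /tmp/test.fw && iptables-save > /tmp/after.save
#   missing_rules /tmp/test.fw /tmp/after.save || echo "FAIL"
```

Unlike grepping for a single log prefix, this reports every dropped rule and treats a rule that landed in the wrong table as missing.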

Jamie Strandboge (jdstrand) wrote :
Changed in iptables (Ubuntu):
status: New → Confirmed
Changed in iptables (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.4.12-2ubuntu1

---------------
iptables (1.4.12-2ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - 9000-howtos.patch: add howtos/ and install them
    - 9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch: Fix FTBS
      against linux 3.2 headers
    - 9002-libxt_recent-Add-support-for-reap-option.patch: add --reap support.
      Merge in changes from 1.4.12-1ubuntu4 into this patch
    - debian/control: Build-Depends on linuxdoc-tools
    - debian/iptables.install: install NAT and packetfilter howtos into
      /usr/share/doc
    - debian/iptables-dev.install: install netfilter howto into /usr/share/doc
    - debian/iptables-dev.doc-base.netfilter-extensions,
      debian/iptables-dev.doc-base.netfilter-hacking,
      debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter: add
      howtos
  * Drop libipq support since it has been obsoleted in 3.5 and later kernels.
    Per upstream, users of libipq should transition to nfnetlink_queue (from
    libnfnetlink0) instead. (LP: #1020598)
    - debian/control: remove reference to libipq
    - debian/rules: compile with --disable-libipq
    - debian/iptables.lintian-overrides: remove reference to libipq0
    - debian/iptables-dev.install: remove usr/share/man/man3 only used with
      libipq manpages
    - dropped 9001-build-libipq_pic.la.patch, no longer required
  * 9003-lp1020490.patch: fix --ctproto 0 output (LP: #1020490)
  * 9004-argv-is-null.patch: ip(6)tables-restore: make sure argv is NULL
    terminated
  * debian/patches/9005-lp1027252-fixrestore.patch: fix iptables-restore with
    gcc-4.7 and -O1 or higher (LP: #1027252)

iptables (1.4.14-2) unstable; urgency=low

  * Added missing 1.4.13-1.1 NMU fix
 -- Jamie Strandboge <email address hidden> Fri, 20 Jul 2012 15:45:01 -0500

Changed in iptables (Ubuntu):
status: In Progress → Fix Released
Changed in iptables:
importance: Unknown → Medium
status: Unknown → Fix Released