iptables-restore does not work properly when compiled with gcc-4.7
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
iptables | Fix Released | Medium | | |
iptables (Ubuntu) | Fix Released | High | Jamie Strandboge | |
Bug Description
With the following test firewall:
# Start test file
*nat
:PREROUTING ACCEPT [2:150]
:INPUT ACCEPT [2:150]
:OUTPUT ACCEPT [9:588]
:POSTROUTING ACCEPT [9:588]
COMMIT
*mangle
:PREROUTING ACCEPT [93:393669]
:INPUT ACCEPT [93:393669]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:6633]
:POSTROUTING ACCEPT [69:6793]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FOOBAR]"
COMMIT
# End test file
iptables-restore 1.4.12 compiled with gcc-4.7 does not add the INPUT rule. E.g.:
$ cat /tmp/test.fw | sudo iptables-restore && sudo iptables-save | grep FOOBAR || echo "FAIL"
FAIL
However, iptables-restore 1.4.12 compiled with gcc-4.6 works fine. E.g.:
$ cat /tmp/test.fw | sudo iptables-restore && sudo iptables-save | grep FOOBAR || echo "FAIL"
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FOOBAR]"
Attached is a small script for testing (must run with sudo).
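The failure above is silent: iptables-restore exits 0 while a rule is dropped. As an added example (not the script attached to this bug), the sketch below compares a ruleset file against iptables-save output and lists every `-A` rule that did not load. The names `missing_rules`, `sample_ruleset` and `sample_saved_without_rule` are hypothetical, the sample data is constructed from the report's test file, and the ruleset is assumed to be in iptables-save syntax.

```shell
#!/bin/sh
# missing_rules RULESET SAVED
# Prints "table: rule" for each -A line of RULESET with no identical line in
# the same table of SAVED (iptables-save output). Returns 1 if any is missing.
# Assumption: RULESET is written in iptables-save's own syntax, as the test
# file in this report is, so an exact text comparison is meaningful.
missing_rules() {
    awk '
        function norm(s) { gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); return s }
        FNR == 1   { table = "" }                    # new file: forget the table
        /^[ \t]*#/ { next }                          # comment line
        /^\*/      { table = substr($1, 2); next }   # "*filter" opens a table
        $1 != "-A" { next }                          # chain policies, COMMIT
        { key = table SUBSEP norm($0) }
        FILENAME == ARGV[1] { loaded[key] = 1; next }   # first file: SAVED
        !(key in loaded)    { print table ": " norm($0); missing++ }
        END { exit (missing > 0) }
    ' "$2" "$1"
}

# Constructed sample: the filter table from the test file in this report.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[FOOBAR]"
COMMIT
EOF
}

# Constructed sample: iptables-save output in which the rule was dropped.
sample_saved_without_rule() { sample_ruleset | grep -v '^-A'; }

# Demo on the constructed samples. On a live host, compare the ruleset
# against "iptables-save" output captured after "iptables-restore".
tmp=$(mktemp -d)
sample_ruleset > "$tmp/rules"
sample_saved_without_rule > "$tmp/saved"
missing_rules "$tmp/rules" "$tmp/saved" || echo "FAIL: rules above were not loaded"
rm -rf "$tmp"
```

Because the comparison is per table, a rule that exists only in another table still counts as missing.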
Changed in iptables (Ubuntu): | |
status: | Confirmed → Triaged |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
status: | Triaged → In Progress |
Changed in iptables: | |
importance: | Unknown → Medium |
status: | Unknown → Fix Released |
This bug was fixed in the package iptables - 1.4.12-2ubuntu1
---------------
iptables (1.4.12-2ubuntu1) quantal; urgency=low
* Merge from Debian unstable. Remaining changes:
- 9000-howtos.patch: add howtos/ and install them
- 9001-Fixed-FTBS-by-copying-linux-types.h-from-linux-3.2.patch: Fix FTBS
against linux 3.2 headers
- 9002-libxt_recent-Add-support-for-reap-option.patch: add --reap support.
Merge in changes from 1.4.12-1ubuntu4 into this patch
- debian/control: Build-Depends on linuxdoc-tools
- debian/iptables.install: install NAT and packetfilter howtos into
/usr/share/doc
- debian/iptables-dev.install: install netfilter howto into /usr/share/doc
- debian/iptables-dev.doc-base.netfilter-extensions,
debian/iptables-dev.doc-base.netfilter-hacking,
debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter: add
howtos
* Drop libipq support since it has been obsoleted in 3.5 and later kernels.
Per upstream, users of libipq should transition to nfnetlink_queue (from
libnfnetlink0) instead. (LP: #1020598)
- debian/control: remove reference to libipq
- debian/rules: compile with --disable-libipq
- debian/iptables.lintian-overrides: remove reference to libipq0
- debian/iptables-dev.install: remove usr/share/man/man3 only used with
libipq manpages
- dropped 9001-build-libipq_pic.la.patch, no longer required
* 9003-lp1020490.patch: fix --ctproto 0 output (LP: #1020490)
* 9004-argv-is-null.patch: ip(6)tables-restore: make sure argv is NULL
terminated
* debian/patches/9005-lp1027252-fixrestore.patch: fix iptables-restore with
gcc-4.7 and -O1 or higher (LP: #1027252)
iptables (1.4.14-2) unstable; urgency=low
* Added missing 1.4.13-1.1 NMU fix
-- Jamie Strandboge <email address hidden> Fri, 20 Jul 2012 15:45:01 -0500