physdev options cannot be inverted

Bug #1042260 reported by José A. Calvo
This bug affects 11 people
Affects | Status | Importance | Assigned to | Milestone
iptables (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Precise | Won't Fix | Undecided | Unassigned |
Quantal | Fix Released | Undecided | Jamie Strandboge |

Bug Description

[Impact]
This is a regression in iptables 1.4.12 (the one in precise) that does not allow inverting options like ! --physdev-is-bridged. This affects at least zentyal-network, as it introduces these kinds of rules when configuring a bridged network interface.

[Fix]
This is already fixed in 1.4.13. Also, you can find attached the patch extracted from the iptables GIT repository.

[Test Case]

[Regression Potential]


Revision history for this message
José A. Calvo (jacalvo) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iptables (Ubuntu):
status: New → Confirmed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "physdev_allow_invert.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Micah Gersten (micahg)
tags: added: precise quantal regression-release
Bryce Harrington (bryce) wrote :

Thanks for the pointer to this fix. Since it sounds like we may want to SRU this to precise, could you also provide a step-by-step test case and a discussion of the level of regression risk this patch may have?

description: updated
description: updated
Changed in iptables (Ubuntu Precise):
status: New → Incomplete
Changed in iptables (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

This should be an ok test case:
$ for exe in iptables ip6tables ; do sudo $exe -N testme 2>/dev/null ; sudo $exe -A INPUT -j testme ; sudo $exe -A testme -m physdev ! --physdev-is-in ! --physdev-is-out ! --physdev-is-bridged ; done
iptables v1.4.12: physdev: option "--physdev-is-in" cannot be inverted.

Try `iptables -h' or 'iptables --help' for more information.
ip6tables v1.4.12: physdev: option "--physdev-is-in" cannot be inverted.

Try `ip6tables -h' or 'ip6tables --help' for more information.

Fixed:
$ for exe in iptables ip6tables ; do sudo $exe -N testme 2>/dev/null ; sudo $exe -A INPUT -j testme ; sudo $exe -A testme -m physdev ! --physdev-is-in ! --physdev-is-out ! --physdev-is-bridged ; done
$
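
An added example, not part of the original thread or the iptables project: a shell function that scans iptables-save style rules for the inverted `--physdev-is-in`, `--physdev-is-out` and `--physdev-is-bridged` forms that iptables 1.4.12 rejects according to this report, so affected rulesets can be found before they fail to load. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# find_inverted_physdev [FILE...]
# Reads iptables-save style rules from FILE(s), or stdin when none is given.
# Prints "LINE_NUMBER:RULE" for each rule that inverts one of the three
# physdev flags named in the bug report.
# Exit status: 0 if at least one such rule was found, 1 if none.
find_inverted_physdev() {
    awk '
        # Only appended/inserted rules that load the physdev match matter.
        /^-[AI] / && /-m physdev( |$)/ {
            # "! --physdev-in eth0" is a different option and is not flagged.
            if ($0 ~ /! --physdev-is-(in|out|bridged)( |$)/) {
                printf "%d:%s\n", NR, $0
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Constructed sample ruleset (not taken from the bug report).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:testme - [0:0]
-A INPUT -j testme
-A testme -m physdev ! --physdev-is-in ! --physdev-is-out ! --physdev-is-bridged
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m physdev ! --physdev-in eth0 -j DROP
-A FORWARD -m physdev ! --physdev-is-bridged -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: report the affected rules in the sample.
sample_rules | find_inverted_physdev
```

On a real host the same function can read a saved ruleset file passed as an argument.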

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.4.12-2ubuntu2

---------------
iptables (1.4.12-2ubuntu2) quantal; urgency=low

  * debian/patches/9006-lp1042260-fix-add-inverted-physdev.patch: add back
    inverted option for --physdev-is-in, --physdev-is-out and
    --physdev-is-bridged (LP: #1042260)
 -- Jamie Strandboge <email address hidden> Mon, 17 Sep 2012 17:10:24 -0500

Changed in iptables (Ubuntu Quantal):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Removing ubuntu-sponsors for now. If someone wants to add a debdiff for 12.04, please resubscribe.

Claudio Bley (cbley) wrote :

I can confirm this problem on precise, with iptables 1.4.12-1ubuntu5.

Changed in iptables (Ubuntu Precise):
status: Incomplete → Confirmed
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in iptables (Ubuntu Precise):
status: Confirmed → Won't Fix