iptables-save doesn't write --hex-string pattern correctly
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| iptables (Ubuntu) | Fix Released | Medium | Unassigned | |
| Precise | Fix Released | Medium | Chris J Arges | |
| Quantal | Fix Released | Medium | Chris J Arges | |
| Raring | Fix Released | Medium | Unassigned | |
Bug Description
SRU Justification:
[Impact]
* When somebody uses the --hex-string flag in iptables, the resulting rule is invalid because of a spacing issue. This causes an invalid configuration.
[Test Case]
* $ sudo iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP
* $ sudo iptables-save > rules
* Inspect 'rules':
'--hex-
[Regression Potential]
* This patch is already upstream and in current iptables.
* I've tested the packages with the patch; they build and fix the problem.
--
If your iptables contains rules that use --hex-string from the string module, for example
iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP
and then you dump your iptables rules to a file with iptables-save, the rule above will be written as
-A INPUT -i eth0 -p udp -m string --hex-string"
Notice the absence of the required space before the hex-string pattern. This also causes iptables-restore to complain that the rule is invalid when importing the rules file and to halt at that rule with an error.
This bug is reproducible on both Precise (iptables 1.4.12-1ubuntu4) and Quantal (1.4.12-2ubuntu2).
People who automatically restore their iptables rules at boot might want to manually correct the rule in their firewall rules file if they use --hex-string.
Status changed to 'Confirmed' because the bug affects multiple users.
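As an added example (not part of the bug report or the iptables package), a small POSIX shell check and repair for saved rules files affected by this bug: it finds "--hex-string" glued to the opening quote of its pattern and writes a copy with the missing space inserted, so iptables-restore accepts the file again. The function names and the sample rules file are my own.

```shell
# Added example, not from the bug report: detect and repair the missing space
# that the affected iptables-save versions emit before a --hex-string pattern.
# Assumes the file is in ordinary iptables-save format, as shown in the report.

# Print "<line number>:<line>" for every rule where the space is missing.
# Exit status is 0 when at least one broken rule was found, 1 otherwise.
find_broken_hex_string() {
    grep -n -- '--hex-string"' "$1"
}

# Write a repaired copy of $1 to $2 (use different paths).
# Only the glued form is rewritten; rules that already have the space are left alone.
fix_hex_string_spacing() {
    sed 's/--hex-string"/--hex-string "/g' "$1" > "$2"
}

# Demonstration on a constructed rules file (sample content, not a real dump).
demo_hex_string_fix() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p tcp -m string --hex-string "|00 01|" --algo bm -j DROP
COMMIT
EOF
    echo "Broken rules before repair:"
    find_broken_hex_string "$dir/rules"
    fix_hex_string_spacing "$dir/rules" "$dir/rules.fixed" || return 1
    echo "Repaired file:"
    cat "$dir/rules.fixed"
    # Succeed only if no glued --hex-string survived the repair.
    ! find_broken_hex_string "$dir/rules.fixed" > /dev/null
}

demo_hex_string_fix
```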