
iptables-save doesn't write --hex-string pattern correctly

Reported by Amir on 2012-11-04
This bug affects 2 people
Affects             Importance   Assigned to
iptables (Ubuntu)   Medium       Unassigned
Precise             Medium       Chris J Arges
Quantal             Medium       Chris J Arges
Raring              Medium       Unassigned

Bug Description

SRU Justification:

[Impact]

 * When somebody uses the --hex-string flag in iptables, the resulting rule is invalid because of a spacing issue. This causes an invalid configuration.

[Test Case]

 * $ sudo iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP
 * $ sudo iptables-save > rules
 * Inspect 'rules':
   '--hex-string"|ffffffff50|"' should be written as '--hex-string "|ffffffff50|"' (notice the space between string and "|)

[Regression Potential]

 * This patch is already upstream and in current iptables.
 * I've tested the packages with the patch, they build and fix the problem.

--

If your iptables contains rules that use --hex-string from the string module, for example

iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP

and then you dump your iptables rules to a file with iptables-save, the rule above will be written as

-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|" --algo bm --to 65535 -j DROP

Notice the absence of a required space before the hex-string pattern. This also causes iptables-restore to complain about the rule being invalid when importing the rules file, and it halts at the rule with an error.

This bug is reproducible on both Precise (iptables 1.4.12-1ubuntu4) and Quantal (1.4.12-2ubuntu2).

People who automatically restore their iptables rules at boot might want to manually correct the rule in their firewall rules file if they use --hex-string.
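The test case above and the advice to correct the saved rules file by hand both come down to one textual check: find rules where the string module's option name runs straight into the quoted pattern, and put the space back. The following is an added example, not code from the bug report or from the iptables project. It works on a constructed rules dump that imitates the broken output quoted in the report; the sample lines, the function names and the decision to treat a plain --string pattern the same way as --hex-string are all assumptions of this example, not facts the report states.

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables project): detect and
# repair the missing space between --hex-string (and, by assumption, --string)
# and its quoted pattern in a dump written by the affected iptables-save.

# Constructed sample dump. Line 3 reproduces the broken rule quoted in the
# report; line 4 assumes a plain --string pattern breaks the same way; line 5
# is already correct and must be left untouched by the repair.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p udp -m string --string"GET /" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p udp -m string --hex-string "|deadbeef|" --algo kmp --to 65535 -j DROP
COMMIT'

# count_broken_rules DUMP
#   Print the number of lines in DUMP where --string or --hex-string is
#   immediately followed by a double quote, i.e. where the separating space
#   that iptables-restore needs is missing. grep -c prints 0 and exits 1 when
#   nothing matches, so the trailing || true keeps the function's status 0.
count_broken_rules() {
    printf '%s\n' "$1" | grep -cE -e '--(hex-)?string"' || true
}

# fix_hex_string_spacing DUMP
#   Print DUMP with the missing space inserted after --string / --hex-string.
#   The pattern only matches an option name directly followed by a quote, so
#   rules that already have the space are not modified.
fix_hex_string_spacing() {
    printf '%s\n' "$1" | sed -E 's/(--(hex-)?string)"/\1 "/g'
}

# Stand-alone usage: report how many rules are broken, then emit the repaired
# dump on stdout so it can be redirected into a new rules file.
echo "broken rules: $(count_broken_rules "$SAMPLE_RULES")" >&2
fix_hex_string_spacing "$SAMPLE_RULES"
```

To use this against a real dump, run `iptables-save > rules`, pass the file's contents through `fix_hex_string_spacing`, and feed the result to `iptables-restore` (versions that support it can first syntax-check the repaired file with `iptables-restore --test`, without touching the live ruleset). Keep a copy of the original file: once the fixed iptables package from this report is installed, `iptables-save` writes the space itself and the repair is no longer needed.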

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iptables (Ubuntu):
status: New → Confirmed
Chris J Arges (arges) wrote :

Debian-Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637499
Upstream-Bug: http://bugzilla.netfilter.org/show_bug.cgi?id=739
Looks like it affects P/Q/R series in Ubuntu.
Patch is in upstream bug.

Changed in iptables (Ubuntu Precise):
assignee: nobody → Chris J Arges (arges)
Changed in iptables (Ubuntu Quantal):
assignee: nobody → Chris J Arges (arges)
Changed in iptables (Ubuntu Precise):
importance: Undecided → Medium
status: New → In Progress
Changed in iptables (Ubuntu Raring):
importance: Undecided → Medium
status: Confirmed → In Progress
Chris J Arges (arges) wrote :

A raring sync from debian sid has the proper code with this fix.
However P/Q should have http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commitdiff;h=3716dfd7eac3afa7fb3098952550e510c8df0220.

Changed in iptables (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → Medium
Chris J Arges (arges) wrote :

OK, I have verified these fix both P/Q versions.

Chris J Arges (arges) on 2013-02-19
description: updated

The attachment "fix_iptables_precise_lp1074923.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Marc Deslauriers (mdeslaur) wrote :

Debdiffs look good, ACK.

I uploaded the same fix to Raring, Quantal-proposed, Precise-proposed, and have subscribed the SRU team for processing.

Thanks!

Changed in iptables (Ubuntu Raring):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.4.12-2ubuntu5

---------------
iptables (1.4.12-2ubuntu5) raring; urgency=low

  * libxt_string: fix space around arguments. (LP: #1074923)
 -- Chris J Arges <email address hidden> Mon, 18 Feb 2013 18:19:12 -0600

Changed in iptables (Ubuntu Raring):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote :

@mdeslaur
Thanks for doing the raring debdiff and sponsoring.

Whoopie (whoopie79) wrote :

As there was already an upload in the unapproved queue, I merged both uploads and also reverted the changes made by debian-changes-1.4.12-1ubuntu4.

Please find attached the debdiff.

Hello amir, or anyone else affected,

Accepted iptables into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/iptables/1.4.12-1ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in iptables (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Chris J Arges (arges) wrote :

I've verified that the package in proposed fixes bug 982961 and bug 1074923.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.4.12-1ubuntu5

---------------
iptables (1.4.12-1ubuntu5) precise; urgency=low

  * Add debian/patches/0002-libxt_RATEEST-link-with-lm.patch and
     debian/patches/0003-libxt_statistic-link-with-lm.patch to fix broken
     RATEEST and statistic modules. (LP: #982961)
  * libxt_string: fix space around arguments. (LP: #1074923)
 -- Chris J Arges <email address hidden> Thu, 28 Feb 2013 13:41:27 -0600

Changed in iptables (Ubuntu Precise):
status: Fix Committed → Fix Released
Iain Lane (laney) wrote :

Unsubscribing sponsors - fix is in q-proposed queue

Hello amir, or anyone else affected,

Accepted iptables into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/iptables/1.4.12-2ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in iptables (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Sebastien Bacher (seb128) wrote :

Verified using the version in quantal-proposed; the space is correctly added to the string.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.4.12-2ubuntu2.2

---------------
iptables (1.4.12-2ubuntu2.2) quantal-proposed; urgency=low

  * libxt_string: fix space around arguments. (LP: #1074923)
 -- Chris J Arges <email address hidden> Mon, 18 Feb 2013 18:19:12 -0600

Changed in iptables (Ubuntu Quantal):
status: Fix Committed → Fix Released