iptables-save/-restore does not restore empty tables

Bug #1104362 reported by aeva black
This bug affects 2 people
Affects: iptables (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

iptables-save does not print tables which have not had any rules in them, and if that state is recorded and passed to iptables-restore, it will not clear those tables.

Here is a log showing how to reproduce this:
   http://paste.openstack.org/show/29809/

Suggested fix: iptables-save should print all tables, all the time.

---------------------
Reference info

stack@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.10
Release: 12.10
Codename: quantal

stack@ubuntu:~$ apt-cache policy iptables
iptables:
  Installed: 1.4.12-2ubuntu2
  Candidate: 1.4.12-2ubuntu2
  Version table:
 *** 1.4.12-2ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ quantal/main i386 Packages
        100 /var/lib/dpkg/status
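Because iptables-restore only flushes the tables that appear in its input, a dump that omits a table leaves whatever rules that table currently holds in place. The following shell helper, added here as an example and not part of the bug report or of the iptables package, pads an iptables-save dump with an empty stanza for every expected table, so a restore brings those tables back to the pristine state iptables-save prints for a never-used table (built-in chains with ACCEPT policy and zero counters). The table list, the chain lists and the sample dump are assumptions; the sample dump is constructed and only contains the filter table.

```shell
#!/bin/sh
# Added example (not from the bug report): pad an iptables-save dump so that
# every table in TABLES has a stanza. iptables-restore flushes only the tables
# present in its input, so a missing table keeps its current rules on restore.
TABLES="filter nat mangle raw"

# Built-in chains of each table (assumed list; "security" is left out on
# purpose because not every kernel exposes it).
builtin_chains() {
    case "$1" in
        filter)  echo "INPUT FORWARD OUTPUT" ;;
        nat)     echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle)  echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)     echo "PREROUTING OUTPUT" ;;
        *)       echo "" ;;
    esac
}

# Print, one per line, the tables in TABLES that have no "*table" line in the
# dump read from stdin.
missing_tables() {
    dump=$(cat)
    for t in $TABLES; do
        printf '%s\n' "$dump" | grep -q "^\*$t\$" || printf '%s\n' "$t"
    done
}

# Emit a stanza for table $1 in iptables-save syntax that carries no rules:
# restoring it flushes the table and resets its built-in chains to ACCEPT.
empty_stanza() {
    printf '*%s\n' "$1"
    for c in $(builtin_chains "$1"); do
        printf ':%s ACCEPT [0:0]\n' "$c"
    done
    printf 'COMMIT\n'
}

# Read a dump on stdin and write it back, followed by an empty stanza for
# every table that was missing from it.
normalize_dump() {
    dump=$(cat)
    printf '%s\n' "$dump"
    for t in $(printf '%s\n' "$dump" | missing_tables); do
        empty_stanza "$t"
    done
}

# Constructed sample dump: only the filter table had rules when it was taken,
# so nat, mangle and raw are absent, exactly the situation the bug describes.
SAMPLE_DUMP='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed'

# Typical use (as root):  iptables-save | normalize_dump > /etc/iptables/rules.v4
```

Stanzas appended after the trailing "# Completed" line are still parsed, because iptables-restore treats lines starting with "#" as comments. Restoring the padded dump resets the policy of the padded tables' built-in chains to ACCEPT, which is the state of an unused table; if a table is meant to keep a non-default policy, it must appear in the dump with that policy rather than be padded.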

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iptables (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote:

Thank you for using Ubuntu and reporting a bug. This appears to be by design (and one which I agree with), i.e. if there are no rules in the table, there is nothing to restore and therefore nothing to save. In your paste, you should run iptables-save after adding your mangle rule, but you would want to do this even if iptables-save recorded an empty table, because iptables-restore would not have the new mangle rule anyway. Note that iptables-save and iptables-restore are useful tools, but very low-level. There is a lot of logic that must be accounted for if trying to use this in a user-friendly manner, which is why tools such as ufw and shorewall exist.

I am going to mark this as "Won't Fix" for now. This is not something we want to diverge from upstream on. I suggest that if you strongly feel this should be changed, that you file a bug with upstream (see http://www.netfilter.org/contact.html#bugzilla).

Changed in iptables (Ubuntu):
status: Confirmed → Won't Fix
