iptables-save duplicates all rules related to Linux bridges

Bug #1738403 reported by jean-christophe manciot
This bug affects 2 people
Affects             Status      Importance   Assigned to   Milestone
iptables (Ubuntu)   Confirmed   Undecided    Unassigned

Bug Description

Ubuntu 17.10
iptables 1.6.1-2ubuntu1

Before "iptables-save > /etc/iptables/rules.v4"
-----------------------------------------------
# cat iptables/rules.v4 | grep virbr0 | sort | uniq -c
     14 -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     14 -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
     14 -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
     14 -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
     14 -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
     14 -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
     14 -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
     14 -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
     14 -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
     14 -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
     33 -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
      1 -A ufw-user-input -i virbr0 -j ACCEPT
      1 -A ufw-user-output -o virbr0 -j ACCEPT

After "iptables-save > /etc/iptables/rules.v4"
----------------------------------------------
# cat iptables/rules.v4 | grep virbr0 | sort | uniq -c
     15 -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     15 -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
     15 -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
     15 -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
     15 -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
     15 -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
     15 -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
     15 -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
     15 -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
     15 -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
     34 -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
      1 -A ufw-user-input -i virbr0 -j ACCEPT
      1 -A ufw-user-output -o virbr0 -j ACCEPT

It looks like iptables-save is confused by virbrn entries and duplicates them each time it is run.

jean-christophe manciot (manciot-jeanchristophe) wrote :

It appears that this issue concerns all Linux bridges:

# cat iptables/rules.v4 | grep lxcbr0 | sort | uniq -c
      7 -A FORWARD -i lxcbr0 -j ACCEPT
      7 -A FORWARD -o lxcbr0 -j ACCEPT
      7 -A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
      7 -A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
      7 -A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
      7 -A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
     13 -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

summary: - iptables-save duplicates libvirt rules
+ iptables-save duplicates all rules related to Linux bridges
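The counts in the report and in the comment above are the `sort | uniq -c` view of a saved file: every bridge rule present N times, and N+1 after the next save. A common way such copies accumulate is when a saved ruleset is restored at boot and a daemon such as libvirtd or lxc-net then appends its own bridge rules again without checking whether they are already present, so each save records one more copy. The script below is an added example written for this page, not code from iptables, libvirt or the reporter's system. It parses iptables-save output, reports every `-A` rule that appears more than once within a table, gives the per-chain total/distinct view, and emits a ruleset that keeps only the first copy of each rule. The embedded ruleset is constructed (two copies of some of the virbr0 rules from the report); on a real host the input is `iptables-save` on stdin.

```python
"""Detect and collapse duplicate rules in iptables-save output (added example)."""
import sys
from collections import Counter

# Constructed sample in iptables-save format.  The repeated virbr0 rules are
# copies of lines the bug report shows; using two copies of each is an
# assumption made here to keep the sample short.
SAMPLE = """\
# Generated by iptables-save v1.6.1 (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
"""


def _walk(text):
    """Yield (table, line) pairs; table is the name of the enclosing *table block."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        yield table, line


def find_duplicates(text):
    """Map (table, chain, rule) -> copies, for every -A rule seen more than once."""
    counts = Counter()
    for table, line in _walk(text):
        if line.startswith("-A "):
            chain = line.split()[1]
            counts[(table, chain, line)] += 1
    return {key: n for key, n in counts.items() if n > 1}


def rule_bloat(text):
    """Map (table, chain) -> (total rules, distinct rules): the uniq -c view per chain."""
    total = Counter()
    distinct = {}
    for table, line in _walk(text):
        if line.startswith("-A "):
            chain = line.split()[1]
            total[(table, chain)] += 1
            distinct.setdefault((table, chain), set()).add(line)
    return {key: (total[key], len(distinct[key])) for key in total}


def dedupe(text):
    """Return the ruleset with only the first copy of each -A rule kept per table.
    Table headers, chain policies with counters, COMMIT and comments pass through."""
    out, seen = [], set()
    for table, line in _walk(text):
        if line.startswith("*"):
            seen = set()          # rule identity is scoped to a table
        elif line.startswith("-A "):
            if (table, line) in seen:
                continue          # drop the repeated copy
            seen.add((table, line))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: iptables-save | python3 dedupe_rules.py > rules.deduped
    # The duplicate report goes to stderr, the cleaned ruleset to stdout;
    # with no piped input the constructed SAMPLE is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for (table, chain, rule), n in sorted(find_duplicates(data).items()):
        print(f"{n:3d}x  [{table}/{chain}] {rule}", file=sys.stderr)
    for (table, chain), (total, distinct) in sorted(rule_bloat(data).items()):
        print(f"{table}/{chain}: {total} rules, {distinct} distinct", file=sys.stderr)
    sys.stdout.write(dedupe(data))
```

Keeping the first copy is safe for terminating targets (ACCEPT, DROP, REJECT): a later identical copy can only be reached by packets the first one did not match, so it is dead. It is not automatically safe for non-terminating targets such as LOG, where a second copy really does log twice, and a copy that sits below an intervening REJECT (the second FORWARD rule in the sample) is harmless to drop but worth noticing, since it shows the order in which the copies were inserted. CHECKSUM is idempotent, so collapsing those copies changes nothing. Review the stderr report, then load the cleaned file with `iptables-restore` and re-run `iptables-save` to confirm the counts no longer climb.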
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iptables (Ubuntu):
status: New → Confirmed
Oibaf (oibaf) wrote :

Is this still an issue on a newer Ubuntu (22.04 or later)?
