2024-05-27 11:49:36 |
Christoph Böhmwalder |
description |
In iptables 1.8.9, a regression was introduced that changes the behavior of the -n flag.
Previously, supplying -n would *not* display numerical values for the "prot" column of the -L output:
# iptables --version
iptables v1.8.7 (nf_tables)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
However, with the faulty patch, this changed to numerical values:
# iptables --version
iptables v1.8.9 (legacy)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
This breaks parsing in the resource-agents package, namely the portblock resource agent.
Parsing has since been relaxed in resource-agents: https://github.com/ClusterLabs/resource-agents/pull/1924 (released in resource-agents v4.14.0).
There is an upstream bug report:
https://bugzilla.netfilter.org/show_bug.cgi?id=1729
The offending commit was reverted upstream:
https://git.netfilter.org/iptables/commit/?id=34f085b1607364f4eaded1140060dcaf965a2649
But the revert has not been released yet.
Ubuntu Noble ships version 1.8.10 of iptables, which is still affected. The solution would be to apply the reverted patch mentioned above. |
In iptables 1.8.9, a regression was introduced that changes the behavior of the -n flag.
Previously, supplying -n would *not* display numerical values for the "prot" column of the -L output:
# iptables --version
iptables v1.8.7 (nf_tables)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
However, with the faulty patch, this changed to numerical values:
# iptables --version
iptables v1.8.9 (legacy)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
This breaks parsing in the resource-agents package, namely the portblock resource agent.
Parsing has since been relaxed in resource-agents: https://github.com/ClusterLabs/resource-agents/pull/1924 (released in resource-agents v4.14.0).
There is an upstream bug report:
https://bugzilla.netfilter.org/show_bug.cgi?id=1729
For reference, there is also a report with the Debian project: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067733
The offending commit was reverted upstream:
https://git.netfilter.org/iptables/commit/?id=34f085b1607364f4eaded1140060dcaf965a2649
But the revert has not been released yet.
Ubuntu Noble ships version 1.8.10 of iptables, which is still affected. The solution would be to apply the reverted patch mentioned above. |
|