In iptables 1.8.9, a regression was introduced that changes the behavior of the -n flag.
Previously, supplying -n would *not* display numerical values for the "prot" column of the -L output:
# iptables --version iptables v1.8.7 (nf_tables)
# iptables -nL Chain LIBVIRT_OUT (1 references) target prot opt source destination ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
However, with the faulty patch, this changed to numerical values:
# iptables --version iptables v1.8.9 (legacy)
# iptables -nL Chain LIBVIRT_OUT (1 references) target prot opt source destination ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
This breaks parsing in the resource-agents package, namely the portblock resource agent. Parsing has since been relaxed in resource-agents: https://github.com/ClusterLabs/resource-agents/pull/1924 (released in resource-agents v4.14.0).
There is an upstream bug report: https://bugzilla.netfilter.org/show_bug.cgi?id=1729
The offending commit was reverted upstream: https://git.netfilter.org/iptables/commit/?id=34f085b1607364f4eaded1140060dcaf965a2649
But the revert has not been released yet.
Ubuntu Noble ships version 1.8.10 of iptables, which is still affected. The solution would be to apply the reverted patch mentioned above.
In iptables 1.8.9, a regression was introduced that changes the behavior of the -n flag.
Previously, supplying -n would *not* display numerical values for the "prot" column of the -L output:
# iptables --version
iptables v1.8.7 (nf_tables)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
However, with the faulty patch, this changed to numerical values:
# iptables --version
iptables v1.8.9 (legacy)
# iptables -nL
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
This breaks parsing in the resource-agents package, namely the portblock resource agent. /github. com/ClusterLabs /resource- agents/ pull/1924 (released in resource-agents v4.14.0).
Parsing has since been relaxed in resource-agents: https:/
There is an upstream bug report: /bugzilla. netfilter. org/show_ bug.cgi? id=1729
https:/
The offending commit was reverted upstream: /git.netfilter. org/iptables/ commit/ ?id=34f085b1607 364f4eaded11400 60dcaf965a2649
https:/
But the revert has not been released yet.
Ubuntu Noble ships version 1.8.10 of iptables, which is still affected. The solution would be to apply the reverted patch mentioned above.