[Bug 1074923] [NEW] iptables-save doesn't write --hex-string pattern correctly

Launchpad Bug Tracker 1074923 at bugs.launchpad.net
Mon Feb 25 15:53:39 UTC 2013 

You have been subscribed to a public bug by Marc Deslauriers (mdeslaur):

SRU Justification:

[Impact]

 * When somebody uses the --hex-string flag in iptables, the resulting
rule is invalid because of a spacing issue. This causes an invalid
configuration.

[Test Case]

 * $ sudo iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|"  --algo bm --to 65535 -j DROP
 * $ sudo iptables-save > rules
 * Inspect 'rules':
   '--hex-string"|ffffffff50|"' should be written as '--hex-string "|ffffffff50|"' (notice the space between string and "|)

[Regression Potential]

 * This patch is already upstream and in current iptables.
 * I've tested the packages with the patch, they build and fix the problem.

--

If your iptables contains rules that use --hex-string from string
module, example

iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|"
--algo bm --to 65535 -j DROP

and then you dump your iptables rules to a file with iptables-save, the
rule above will be written as

-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|"  --algo bm
--to 65535 -j DROP

Notice the absence of a required space before the hex-string pattern.
This also cause iptables-restore to complain about the rule being
invalid when importing the rules file and halt at the rule with error

This bug is reproduceable on both Precise (iptables 1.4.12-1ubuntu4) and
Quantal (1.4.12-2ubuntu2)

People that automatically restores their iptables rules at boot might
want to manually correct the rule in their firewall rules file if they
use --hex-string

** Affects: iptables (Ubuntu)
     Importance: Medium
         Status: Fix Released

** Affects: iptables (Ubuntu Precise)
     Importance: Medium
     Assignee: Chris J Arges (arges)
         Status: In Progress

** Affects: iptables (Ubuntu Quantal)
     Importance: Medium
     Assignee: Chris J Arges (arges)
         Status: In Progress

** Affects: iptables (Ubuntu Raring)
     Importance: Medium
         Status: Fix Released


** Tags: iptables iptables-restore iptables-save patch
-- 
iptables-save doesn't write  --hex-string pattern correctly
https://bugs.launchpad.net/bugs/1074923
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list