[Bug 1074923] Re: iptables-save doesn't write --hex-string pattern correctly
Chris J Arges
1074923 at bugs.launchpad.net
Wed Mar 20 16:41:50 UTC 2013
I've verified that the package in proposed fixes bug 982961 and bug
1074923.
** Tags removed: verification-needed
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1074923
Title:
iptables-save doesn't write --hex-string pattern correctly
Status in “iptables” package in Ubuntu:
Fix Released
Status in “iptables” source package in Precise:
Fix Committed
Status in “iptables” source package in Quantal:
In Progress
Status in “iptables” source package in Raring:
Fix Released
Bug description:
SRU Justification:
[Impact]
* When somebody uses the --hex-string flag in iptables, the resulting
rule is invalid because of a spacing issue. This causes an invalid
configuration.
[Test Case]
* $ sudo iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP
* $ sudo iptables-save > rules
* Inspect 'rules':
'--hex-string"|ffffffff50|"' should be written as '--hex-string "|ffffffff50|"' (notice the space between string and "|)
[Regression Potential]
* This patch is already upstream and in current iptables.
* I've tested the packages with the patch, they build and fix the problem.
--
If your iptables contains rules that use --hex-string from string
module, example
iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP
and then you dump your iptables rules to a file with iptables-save,
the rule above will be written as
-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|" --algo bm --to 65535 -j DROP
Notice the absence of a required space before the hex-string pattern.
This also causes iptables-restore to complain about the rule being
invalid when importing the rules file and halt at the rule with an error.
This bug is reproducible on both Precise (iptables 1.4.12-1ubuntu4)
and Quantal (1.4.12-2ubuntu2).
People who automatically restore their iptables rules at boot might
want to manually correct the rule in their firewall rules file if they
use --hex-string.
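A check an administrator could run over a saved rules file before handing it to iptables-restore, added here as an example and not taken from the bug report or the iptables package: it finds the missing space after --hex-string described above, repairs it, and sanity-checks the |...| hex segments. The dump text below is constructed for the example.

```python
import re

# Constructed iptables-save output (not the reporter's file): line 3 shows
# the malformed rule from bug 1074923, line 4 a correctly written rule.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p tcp -m string --hex-string "|48545450|" --algo bm --to 65535 -j DROP
COMMIT
"""

# The buggy output glues the opening quote onto the option name.
MALFORMED = re.compile(r'--hex-string(?=")')
# The pattern iptables-save writes after the (repaired) option.
PATTERN = re.compile(r'--hex-string "([^"]*)"')
HEXDIGITS = set('0123456789abcdefABCDEF')

def hex_pattern_errors(pattern):
    """Return a list of problems in a --hex-string pattern; empty if it is well formed."""
    parts = pattern.split('|')
    if len(parts) % 2 == 0:          # odd number of '|' -> an unterminated hex segment
        return ["unbalanced '|' delimiters"]
    errors = []
    for seg in parts[1::2]:          # text between each pair of bars must be hex bytes
        digits = seg.replace(' ', '')
        if not digits or len(digits) % 2 or not set(digits) <= HEXDIGITS:
            errors.append("bad hex segment '|%s|'" % seg)
    return errors

def repair_dump(text):
    """Return (repaired_text, report); report lists (line number, finding) tuples."""
    fixed_lines, report = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if MALFORMED.search(line):
            line = MALFORMED.sub('--hex-string ', line)
            report.append((lineno, "inserted missing space after --hex-string"))
        m = PATTERN.search(line)
        if m:
            for err in hex_pattern_errors(m.group(1)):
                report.append((lineno, err))
        fixed_lines.append(line)
    return "\n".join(fixed_lines) + "\n", report

if __name__ == "__main__":
    repaired, findings = repair_dump(SAMPLE_DUMP)
    for lineno, msg in findings:
        print("line %d: %s" % (lineno, msg))
    print(repaired)
```

Run it against the real file with `repair_dump(open("rules").read())` and write the repaired text back only after reviewing the report.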