[Bug 1074923] Re: iptables-save doesn't write --hex-string pattern correctly

Launchpad Bug Tracker 1074923 at bugs.launchpad.net
Thu Mar 21 03:43:11 UTC 2013


This bug was fixed in the package iptables - 1.4.12-1ubuntu5

---------------
iptables (1.4.12-1ubuntu5) precise; urgency=low

  * Add debian/patches/0002-libxt_RATEEST-link-with-lm.patch and
     debian/patches/0003-libxt_statistic-link-with-lm.patch to fix broken
     RATEEST and statistic modules. (LP: #982961)
  * libxt_string: fix space around arguments. (LP: #1074923)
 -- Chris J Arges <chris.j.arges at ubuntu.com>   Thu, 28 Feb 2013 13:41:27 -0600

** Changed in: iptables (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1074923

Title:
  iptables-save doesn't write --hex-string pattern correctly

Status in “iptables” package in Ubuntu:
  Fix Released
Status in “iptables” source package in Precise:
  Fix Released
Status in “iptables” source package in Quantal:
  In Progress
Status in “iptables” source package in Raring:
  Fix Released

Bug description:
  SRU Justification:

  [Impact]

   * When somebody uses the --hex-string flag in iptables, the resulting
  rule is invalid because of a spacing issue. This causes an invalid
  configuration.

  [Test Case]

   * $ sudo iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|"  --algo bm --to 65535 -j DROP
   * $ sudo iptables-save > rules
   * Inspect 'rules':
     '--hex-string"|ffffffff50|"' should be written as '--hex-string "|ffffffff50|"' (notice the space between string and "|)

  [Regression Potential]

   * This patch is already upstream and in current iptables.
   * I've tested the packages with the patch, they build and fix the problem.

  --

  If your iptables contains rules that use --hex-string from string
  module, example

  iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|"
  --algo bm --to 65535 -j DROP

  and then you dump your iptables rules to a file with iptables-save,
  the rule above will be written as

  -A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|"  --algo
  bm --to 65535 -j DROP

  Notice the absence of a required space before the hex-string pattern.
  This also causes iptables-restore to complain that the rule is invalid
  when importing the rules file, and to halt at that rule with an error.

  This bug is reproducible on both Precise (iptables 1.4.12-1ubuntu4)
  and Quantal (1.4.12-2ubuntu2).

  People who automatically restore their iptables rules at boot might
  want to manually correct the rule in their firewall rules file if they
  use --hex-string.
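The manual correction suggested above can be scripted. The following is an added example, not part of the bug report or of the iptables package: it scans an iptables-save dump for the malformed `--hex-string"...` token, inserts the missing space, and leaves already-correct --hex-string rules and --string rules untouched. The ruleset it operates on is a constructed sample, not a capture from a real host; the function names and the /tmp handling are the example's own.

```sh
#!/bin/sh
# Added example (not from the bug report or the iptables package): detect and
# repair the '--hex-string"..."' token that the affected iptables-save writes,
# so a saved ruleset can be loaded by iptables-restore without halting.
set -eu

# Constructed sample of an iptables-save dump (not captured from a real host).
# Rule 1 shows the bug (no space after --hex-string); rule 2 is a correctly
# written --hex-string rule; rule 3 uses --string and must not be touched.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|"  --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p udp -m string --hex-string "|deadbeef|" --algo bm --to 65535 -j DROP
-A INPUT -p tcp -m string --string "GET /" --algo bm --to 65535 -j DROP
COMMIT'

# Count the rules on stdin that carry the malformed token. Prints 0 when clean
# (grep -c exits 1 on no match, hence the || true under set -e).
count_broken_hex_string() {
    grep -c -- '--hex-string"' || true
}

# Insert the missing space. Only the exact token the buggy iptables-save emits
# is rewritten, so correct --hex-string rules and --string rules pass through
# unchanged (the doubled space after the closing quote is harmless and kept).
# Reads stdin, writes stdout.
fix_hex_string_spacing() {
    sed 's/--hex-string"/--hex-string "/g'
}

# Repair a saved rules file in place, keeping a .bak copy, and leave the file
# alone when nothing needs fixing. Usage: repair_rules_file /etc/iptables/rules.v4
repair_rules_file() {
    file=$1
    n=$(count_broken_hex_string < "$file")
    if [ "$n" -eq 0 ]; then
        echo "$file: no malformed --hex-string rules" >&2
        return 0
    fi
    cp -- "$file" "$file.bak"
    fix_hex_string_spacing < "$file.bak" > "$file"
    echo "$file: repaired $n rule(s); original kept as $file.bak" >&2
}

# Demonstration on the constructed sample, in a temporary file.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo"
echo "before: $(count_broken_hex_string < "$demo") malformed rule(s)"
repair_rules_file "$demo"
echo "after:  $(count_broken_hex_string < "$demo") malformed rule(s)"
rm -f -- "$demo" "$demo.bak"
```

Run it against the saved rules file before the boot-time restore fires (for example from the same script that calls iptables-restore), and keep the .bak until a restore has succeeded. Where the installed iptables-restore supports --test, running it on the repaired file is a cheap final check that the ruleset parses before it is committed.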

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1074923/+subscriptions
