This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours

Bug 827919

Summary: iptables-restore corrupts --log-prefix settings
Product: [Fedora] Fedora Reporter: rambler8
Component: iptablesAssignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 17CC: andy, bill, bugs.michael, jpopelka, lekensteyn, psabata, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-30 16:54:58 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description rambler8 2012-06-03 14:21:32 EDT
If an iptables rule uses the --log-prefix setting, the specified log-prefix is not used after saving and restarting, i.e.:

iptables-save > /etc/sysconfig/iptables
systemctl restart iptables.service

Instead the log prefix is set to "--log-prefix" rather than the configured value. 



Version-Release number of selected component (if applicable):
iptables-1.4.12.2-5.fc17.i686



How reproducible:
Always



Steps to Reproduce:
1. iptables -I INPUT -s 192.0.2.0/24 -j LOG --log-prefix "From Example.com:"
2. iptables-save > /etc/sysconfig/iptables
3. systemctl restart iptables.service
4. iptables -L | grep '192.0.2.0'



Actual results:
LOG all -- 192.0.2.0/24 anywhere LOG level warning prefix "--log-prefix"



Expected results:
LOG all -- 192.0.2.0/24 anywhere LOG level warning prefix "From Example.com:"



Additional Information:
After running iptables-save > /etc/sysconfig/iptables, the saved rule appears to be in the correct format, i.e.: 
-A INPUT -s 192.0.2.0/24 -j LOG --log-prefix "From Example.com:"
Comment 1 Andrew Haveland-Robinson 2012-06-13 21:19:45 EDT
I've also just encountered this problem with iptables-1.4.12.2-5.fc17.x86_64

More information, after running:
iptables-restore < /etc/sysconfig/iptables

and running this:
iptables -S | grep log-prefix

I get this:

-A CHAIN1 -j LOG --log-prefix --lo --log-level 6
-A CHAIN2 -j LOG --log-prefix --lo --log-level 6
...
-A CHAIN3 -j LOG --log-prefix --log-prefi --log-level 6
-A CHAIN4 -j LOG --log-prefix --log-pref --log-level 6

Corresponding lines in /etc/sysconfig/iptables:
-A CHAIN1 -j LOG --log-prefix "VN: " --log-level 6
-A CHAIN2 -j LOG --log-prefix "ZA: " --log-level 6
...
-A CHAIN3 -j LOG --log-prefix "MAIL_BLOCK:" --log-level 6
-A CHAIN4 -j LOG --log-prefix "MAIL_DROP:" --log-level 6

This shouldn't be difficult to fix - the faulty prefix name has the correct length, but seems to fetching from the wrong buffer location.

Annoying - I have too many rules to replace manually.
Would it be possible to make --line-numbers work with -S and not just with the unprocessable -L directive?
This way, one can search and replace rules more easily using grep and cut.
Comment 2 Peter Wu 2012-06-25 14:09:09 EDT
What compiler versions are you using? Using Arch Linux and gcc 4.7.1 on iptables 1.4.14, I get the same error. If I build with -O0, the bug goes away. -O1 and -O2 are both affected.
Comment 3 Peter Wu 2012-06-25 16:43:00 EDT
Patch available on http://bugzilla.netfilter.org/show_bug.cgi?id=774
Comment 4 Michael Schwendt 2012-06-30 16:54:58 EDT

*** This bug has been marked as a duplicate of bug 825796 ***