Bug 828660

Summary: iptables-restore problem with ruleset parsing
Product: Fedora
Component: iptables
Version: 17
Hardware: i386
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Type: Bug
Doc Type: Bug Fix
Reporter: Thomas Bartschies <tom>
Assignee: Thomas Woerner <twoerner>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bugs.michael, frank, jpopelka, lekensteyn, psabata, twoerner, yodersj
Target Milestone: ---
Target Release: ---
Fixed In Version:
Last Closed: 2012-07-18 14:13:55 UTC

Attachments:
  iptables rules with comments and patch for iptables-restore.c (flags: none)

Description Thomas Bartschies 2012-06-05 07:03:12 UTC
Created attachment 589404
iptables rules with comments and patch for iptables-restore.c

Description of problem:
iptables-restore doesn't correctly reimport rules that were previously saved using iptables-save. If a rule contains quotes enclosing a comment or a ulog prefix, the content within the quotes is ignored and the previous parameter is duplicated instead. Stripping the quotes prevents the problem, but if you have a string that contains spaces this is not a solution.

Version-Release number of selected component (if applicable):
iptables 1.4.12.2-2

How reproducible:
Set rules that contain either -m comment --comment "comment comment comment" or ulog rules that contain an --ulog-prefix "prefix prefix".

Steps to Reproduce:
1. Set the rules
2. iptables-save somefile
3. iptables-restore somefile
4. Check the rules by using iptables -L -n <-t sometable>
  
Actual results:
All Rules containing quotes and using them in context with --ulog-prefix have --ulog-prefix set as the actual comment.

Expected results:
Prefixes and Comments correctly set.

Additional info:
I've compiled iptables with debugging and found that one or more specific instructions aren't executed. The file iptables-restore.c contains a loop for rule parsing, and part of it is specific to handling quoted strings.

I've attached an excerpt of our firewall rule sets containing such problematic statements and a patch showing the problematic statements in iptables-restore. This patch also contains a workaround that seems to cure the problem. From my tests I suspect a compiler optimization problem. The assignment in the block from line 393 on is never executed unless you replace it with a function call or add another one, like an fprintf for debugging.

Comment 1 S. Yoder 2012-06-08 18:08:18 UTC
Confirming above, but have not tested patch yet. Also happening with --log-prefix if there are quotes.

Example:
 * Set as: iptables -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment "Ignore bootpc" -j DROP
 * Saved as: -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment "Ignore bootpc" -j DROP
 * Restored as:
   ** iptables -L INPUT -n: DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 PKTTYPE = broadcast /* --comment */
   ** iptables -S INPUT: -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment --comment -j DROP

Workaround I've found is to not use quotes (if possible). For example:
* Set as: iptables -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment bootpc -j DROP
* Saved as: -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment bootpc -j DROP
* Restored as:
  ** iptables -L INPUT -n: DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 PKTTYPE = broadcast /* bootpc */

However, saving could add quotes - such as for --log-prefix. Manually editing /etc/sysconfig/iptables & ip6tables to remove the quotes does result in a proper restore. Example:
 * Set as: iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix DROP: --log-level 7
 * Saved as: -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP:" --log-level 7
 * Edited to: -A INPUT -m limit --limit 5/min -j LOG --log-prefix DROP: --log-level 7
 * Restored as:
  ** iptables -L INPUT -n: LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "DROP:"
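The failure the reporter describes in the description and the examples above both come down to one thing: when a restore tool splits a saved rule line into arguments, a double-quoted value such as `--comment "Ignore bootpc"` must become one argument, not be dropped so that the preceding option token is reused. The following C program is an added illustration written for this page; it is neither the reporter's attached patch nor code from iptables-restore.c. `split_rule()` is a stand-alone quote-aware tokenizer of the kind that parsing loop has to implement, `find_duplicated_option()` flags the `--comment --comment` signature seen in the `iptables -S` output above, and `option_value()` pulls out a parsed value for checking. The three input lines are constructed from the rules quoted in comment 1; the backslash-escape convention inside quotes is an assumption of this example, not taken from iptables-save.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 64

/* Release tokens produced by split_rule(). */
void free_args(char *args[], int count)
{
    for (int i = 0; i < count; i++)
        free(args[i]);
}

/* Heap copy of the first len bytes of s, NUL-terminated. */
static char *dup_token(const char *s, size_t len)
{
    char *t = malloc(len + 1);
    if (t != NULL) {
        memcpy(t, s, len);
        t[len] = '\0';
    }
    return t;
}

/* Split one iptables-save rule line into an argv the way a restore tool
 * must: whitespace separates arguments EXCEPT inside double quotes, so a
 * quoted --comment or --log-prefix value keeps its embedded spaces as one
 * argument and is never silently dropped. Inside quotes a backslash
 * escapes the next character (an assumption of this example). Returns the
 * argument count, or -1 on an unterminated quote, too many arguments, or
 * an oversized token. args[count] is set to NULL; free with free_args(). */
int split_rule(const char *line, char *args[], int max_args)
{
    char buf[1024];
    size_t blen = 0;
    int count = 0, in_quote = 0, in_tok = 0;

    for (const char *p = line;; p++) {
        char c = *p;

        /* Token boundary: end of line, or whitespace outside quotes. */
        if (c == '\0' || (!in_quote && (c == ' ' || c == '\t' || c == '\n'))) {
            if (in_tok) {
                if (count >= max_args - 1) {          /* keep room for NULL */
                    free_args(args, count);
                    return -1;
                }
                args[count++] = dup_token(buf, blen);
                blen = 0;
                in_tok = 0;
            }
            if (c == '\0')
                break;
            continue;
        }
        if (c == '"') {
            /* Toggle quoting; "" still yields an (empty) argument. */
            in_quote = !in_quote;
            in_tok = 1;
            continue;
        }
        if (c == '\\' && in_quote && p[1] != '\0')
            c = *++p;                                  /* assumed escape rule */
        if (blen + 1 >= sizeof buf) {
            free_args(args, count);
            return -1;
        }
        buf[blen++] = c;
        in_tok = 1;
    }
    if (in_quote) {                                    /* missing closing quote */
        free_args(args, count);
        return -1;
    }
    args[count] = NULL;
    return count;
}

/* Index of the first "--option" token immediately followed by an identical
 * token (the "--comment --comment" symptom from comment 1), or -1 if none.
 * Handy as a check over `iptables -S` output after a restore. */
int find_duplicated_option(char *const args[], int count)
{
    for (int i = 0; i + 1 < count; i++)
        if (strncmp(args[i], "--", 2) == 0 && strcmp(args[i], args[i + 1]) == 0)
            return i;
    return -1;
}

/* Argument following opt, or NULL if opt is absent or has no value. */
const char *option_value(char *const args[], int count, const char *opt)
{
    for (int i = 0; i + 1 < count; i++)
        if (strcmp(args[i], opt) == 0)
            return args[i + 1];
    return NULL;
}

int main(void)
{
    /* Constructed inputs taken from the rule lines quoted in comment 1. */
    const char *lines[] = {
        "-A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment \"Ignore bootpc\" -j DROP",
        "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"DROP:\" --log-level 7",
        "-A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment --comment -j DROP",
    };
    for (size_t n = 0; n < sizeof lines / sizeof lines[0]; n++) {
        char *args[MAX_ARGS];
        int count = split_rule(lines[n], args, MAX_ARGS);
        if (count < 0) {
            puts("parse error");
            continue;
        }
        printf("%d args, duplicated option at index %d\n", count, find_duplicated_option(args, count));
        for (int i = 0; i < count; i++)
            printf("  [%s]\n", args[i]);
        free_args(args, count);
    }
    return 0;
}
```

Run against the first line, the tokenizer yields "Ignore bootpc" as the 18th argument and no duplicated option; against the third line (the restored form shown above) it reports the duplicate at index 16, which is exactly the kind of post-restore check that would have caught this regression before the rules were loaded.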

Comment 2 Thomas Bartschies 2012-06-08 20:19:49 UTC
Removing the quotes is unfortunately not an option for me. The comments, and thus the quotes, are actually generated by the shorewall firewall we're using. And yes, shorewall inserts blanks in some of the comments. So patching shorewall to remove the quotes is also not an option.

IMHO, a higher priority issue is that gcc obviously generates broken code here. I'm wondering what other F17 packages are affected by this.

Comment 4 Michael Schwendt 2012-06-30 20:58:29 UTC
> Also happening with --log-prefix if there are quotes.

That would be bug 825796 according to http://bugz.fedoraproject.org/iptables

Comment 5 Thomas Woerner 2012-07-18 14:13:55 UTC

*** This bug has been marked as a duplicate of bug 825796 ***