Bug 1657075 - iptables shouldn't accept negative realm values.
Summary: iptables shouldn't accept negative realm values.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables
Version: 7.6
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Phil Sutter
QA Contact: Jiri Peska
Depends On:
Reported: 2018-12-07 03:00 UTC by yiche
Modified: 2019-08-06 13:06 UTC (History)

Fixed In Version: iptables-1.4.21-31.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 13:06:28 UTC
Target Upstream Version:


Links: Red Hat Product Errata RHBA-2019:2218 (last updated 2019-08-06 13:06:36 UTC)

Comment 4 Phil Sutter 2018-12-12 12:35:51 UTC
Should be fixed by backporting the following upstream commit:

commit 29b1d97764d1849651388d870565b3fa815a0bd8
Author: Serhey Popovych <serhe.popovych@gmail.com>
Date:   Thu Mar 1 13:03:11 2018 +0200

    xtables: Introduce and use common function to parse val[/mask] arguments
    There are a couple of places in both core and extensions where arguments
    in the form of val[/mask] are parsed (see XTTYPE_MARKMASK32).
    In some cases a symbolic name might be used which is mapped in code to a
    numeric value.
    Introduce a common function to handle both cases where the value given is
    either val[/mask] or a symbolic name.
    Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>

Comment 7 Phil Sutter 2019-04-03 19:43:46 UTC
Backport of the above commit caused a few conflicts. Looking at the missing
changes revealed that they are fixes to issues which can be reproduced on
RHEL7, so I decided to backport them as dependency (instead of adjusting the
original backport). The additional backports are:

    commit 93ad9ea1b86bdaacffd8e33654abcea3d4e148b2
    Author: Ana Rey <anarey@gmail.com>
    Date:   Thu Sep 18 13:06:42 2014 +0200

        extensions: libxt_devgroup: Fix the path of the group mappings file

        Use "/etc/iproute2/group" as the default path to the mapping file
        instead of "/etc/iproute2/group_map".

        Signed-off-by: Ana Rey <anarey@gmail.com>
        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

    commit 56aadc01b258ef7849463723ab5ddc4885db22f6
    Author: Serhey Popovych <serhe.popovych@gmail.com>
    Date:   Thu Mar 1 13:03:10 2018 +0200

        extensions: Initialize linear mapping of symbols in _init() of extension

        libxt_devgroup and libipt_realm are currently unable to display symbolic
        names in save/print commands because the linear mapping is not initialized.

        It looks a bit confusing as linear mapping initialization is done in init()
        of extension, which is expected to be called before any other function of

        However, init is called only when the '-m' option is specified on the command line,
        that is true only for insert, append, replace and destroy iptables

        Move initialization to extension _init() function before calling
        any function in extension.

        ... src-group 0x1 dst-group 0x2
        ... src-group 0x2 dst-group 0x1

        ... src-group grp1 dst-group grp2
        ... src-group grp2 dst-group grp1

        Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
        Signed-off-by: Florian Westphal <fw@strlen.de>

In RHEL7, there is indeed /etc/iproute2/group and no /etc/iproute2/group_map.
Anyone trying to refer to a defined group in that file from devgroup match
(e.g. via '-m devgroup --src-group <name>') would get an error indicating the
group doesn't exist.
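The two comments above describe the same parsing problem from both ends: a val[/mask] argument that must not accept a negative number, and a symbolic name that must be resolved through an iproute2-style "number name" mapping file. The following is an added, self-contained illustration of that parsing logic written for this page; it is not iptables/xtables code and does not use the xtables API. The mapping lines in SYMBOL_LINES are a constructed sample standing in for a file such as /etc/iproute2/group, and the function names (parse_u32, lookup_symbol, parse_val_mask, val_of, mask_of) are hypothetical. The key check is in parse_u32: strtoul("-1") does not fail, it silently wraps to ULONG_MAX, so a sign character has to be rejected explicitly before calling it.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an iproute2-style mapping file such as
 * /etc/iproute2/group: one "number name" per line, '#' starts a comment.
 * This is sample data for the example, not a real system file. */
static const char *const SYMBOL_LINES[] = {
    "# constructed sample mapping",
    "0 unspec",
    "1 cosmos",
    "10 grp1",
    "20 grp2",
    NULL
};

struct val_mask {
    unsigned int val;
    unsigned int mask;
};

/* Parse an unsigned 32-bit number (decimal, octal or hex via base 0).
 * A bare strtoul() accepts "-1" and returns ULONG_MAX with errno untouched,
 * so a leading sign (or whitespace) is rejected up front; trailing garbage
 * and values above UINT_MAX are rejected as well. */
static int parse_u32(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;

    if (*s == '\0' || !isalnum((unsigned char)*s))   /* rejects '-', '+', ' ' */
        return 0;
    errno = 0;
    v = strtoul(s, &end, 0);
    if (errno != 0 || *end != '\0' || v > UINT_MAX)
        return 0;
    *out = (unsigned int)v;
    return 1;
}

/* Resolve a symbolic name through the mapping; 1 on success, 0 if unknown. */
static int lookup_symbol(const char *name, unsigned int *out)
{
    const char *const *line;

    for (line = SYMBOL_LINES; *line != NULL; line++) {
        char num[32], sym[64];

        if (**line == '#' || sscanf(*line, "%31s %63s", num, sym) != 2)
            continue;
        if (strcmp(sym, name) == 0)
            return parse_u32(num, out);   /* the file's number is validated too */
    }
    return 0;
}

/* Parse "value[/mask]": value is a number or a symbolic name, mask (if given)
 * is a number and defaults to all ones. Returns 1 and fills *vm, or 0 on error. */
static int parse_val_mask(const char *arg, struct val_mask *vm)
{
    char buf[128];
    char *slash;

    if (strlen(arg) >= sizeof(buf))
        return 0;
    strcpy(buf, arg);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash++ = '\0';

    if (!parse_u32(buf, &vm->val) && !lookup_symbol(buf, &vm->val))
        return 0;

    vm->mask = UINT_MAX;
    if (slash != NULL && !parse_u32(slash, &vm->mask))
        return 0;
    return 1;
}

/* Accessors returning the parsed value or mask, or -1 if the argument is rejected. */
long long val_of(const char *arg)
{
    struct val_mask vm;
    return parse_val_mask(arg, &vm) ? (long long)vm.val : -1;
}

long long mask_of(const char *arg)
{
    struct val_mask vm;
    return parse_val_mask(arg, &vm) ? (long long)vm.mask : -1;
}

int main(void)
{
    const char *args[] = { "0x10/0xff0", "grp1", "grp2/0xff", "-1", "1/-1",
                           "+5", "nosuch", "4294967296" };
    size_t i;

    for (i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        struct val_mask vm;
        if (parse_val_mask(args[i], &vm))
            printf("%-12s -> val 0x%x mask 0x%x\n", args[i], vm.val, vm.mask);
        else
            printf("%-12s -> rejected\n", args[i]);
    }
    return 0;
}
```

Running it shows "-1", "1/-1" and "+5" rejected, "grp1" resolved to 10 with an all-ones mask, and "0x10/0xff0" parsed as value 0x10, mask 0xff0. If lookup_symbol read from /etc/iproute2/group_map instead of /etc/iproute2/group on a system that only has the latter, every symbolic name would fail exactly as described for RHEL7 above.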

Comment 11 errata-xmlrpc 2019-08-06 13:06:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

