+++ This bug was initially created as a clone of Bug #1749698 +++
Seems like iptables-restore parser is buggy:
# iptables -A FORWARD -m comment --comment "-t foo bar" -j ACCEPT
# iptables-save >/tmp/ipt.dump
# grep -v '^#' /tmp/ipt.dump
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m comment --comment "-t foo bar" -j ACCEPT
# iptables-restore </tmp/ipt.dump
iptables-nft-restore v1.8.3 (nf_tables): The -t option (seen in line 7) cannot be used in iptables-nft-restore.
Error occurred at line: 7
Try `iptables-nft-restore -h' or 'iptables-nft-restore --help' for more information.
The problem is consistent with upstream and happens with legacy as well as nft
variant. RHEL7 iptables-1.4.21-28.el7.x86_64 is reported to work correctly, so
this is a regression.
Correction: The actual bug (and regression) is the rejection of comments starting
with a dash and having a 't' somewhere, not '-t' itself (this was never allowed).
A testcase for this is:
| -A FORWARD -m comment --comment "- allow this" -j ACCEPT
Fix sent upstream: https://email@example.com/T/#u
Any plan and timeline to release the fix in RHEL/CentOS 7.7 updates?
Hi Jun Wang,
(In reply to Jun Wang from comment #3)
> Any plan and timeline to release the fix in RHEL/CentOS 7.7 updates?
Sorry, no. Upstream hasn't accepted the patch yet, so I can't make any estimate regarding downstream.
Upstream commit to backport:
Author: Phil Sutter <firstname.lastname@example.org>
Date: Fri Sep 20 17:31:58 2019 +0200
xtables-restore: Fix --table parameter check
Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.
Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <email@example.com>
Acked-by: Florian Westphal <firstname.lastname@example.org>
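The following is an added illustration written for this page, not iptables source and not Phil's patch. It contrasts the two checks the commit message describes: a manual "starts with a dash and contains a 't'" heuristic (reconstructed from that wording, so its exact shape is an assumption) and an option-aware walk in the spirit of letting the real option parser decide, where an option that takes a value consumes the following token so a quoted comment value is never inspected as an option. The option table is an assumed subset of iptables options, just enough for the rule lines quoted in this bug.

```python
"""Added example: why a dash-and-'t' heuristic misclassifies comment
text, and how an option-aware scan only reports a genuine table option.
Not iptables code; the heuristic is reconstructed from the commit
message and the option table is an assumed subset of iptables options."""
import shlex

# Assumed subset of iptables options that take a value (enough for the
# rule lines shown in this bug).
OPTS_WITH_ARG = {"-A", "--append", "-D", "--delete", "-I", "--insert",
                 "-m", "--match", "-j", "--jump", "-p", "--protocol",
                 "-s", "--source", "-d", "--destination",
                 "-i", "--in-interface", "-o", "--out-interface",
                 "--comment", "-t", "--table"}
TABLE_OPTS = {"-t", "--table"}


def buggy_has_table_option(rule: str) -> bool:
    """Reconstruction (an assumption) of the manual check the commit
    replaces: a token that starts with a single dash and contains a 't'
    anywhere is treated as a table option.  The quoted comment value
    '- allow this' becomes one token and matches purely by accident."""
    for tok in shlex.split(rule):
        if tok == "--table":
            return True
        if tok.startswith("-") and not tok.startswith("--") and "t" in tok:
            return True
    return False


def fixed_has_table_option(rule: str) -> bool:
    """Option-aware walk: after an option that takes a value, the next
    token is that option's argument and is skipped, so text inside a
    --comment value is never looked at.  Only a real -t / --table
    (exact, '--table=x' or '-tx') is reported."""
    toks = shlex.split(rule)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "--":                      # end of options
            return False
        name, attached = tok, None
        if tok.startswith("--") and "=" in tok:
            name, attached = tok.split("=", 1)          # --table=filter
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 2:
            name, attached = tok[:2], tok[2:]           # -tfilter
        if name in TABLE_OPTS:
            return True
        if name in OPTS_WITH_ARG and attached is None:
            i += 1                           # skip the option's argument
        i += 1
    return False


def check_restore_line(rule: str) -> str:
    """Classify a rule line the way a restore parser must: a table option
    inside a rule is rejected (the table comes from the preceding
    '*table' line); everything else is accepted."""
    return "reject" if fixed_has_table_option(rule) else "accept"


if __name__ == "__main__":
    # Constructed sample lines, modelled on the ones quoted in this bug.
    samples = [
        '-A FORWARD -m comment --comment "- allow this" -j ACCEPT',
        '-A FORWARD -m comment --comment "-t foo bar" -j ACCEPT',
        '-A FORWARD -t filter -j ACCEPT',
        '-A FORWARD --table=filter -j ACCEPT',
        '-A FORWARD -p tcp -j ACCEPT',
    ]
    for line in samples:
        print(f"heuristic={buggy_has_table_option(line)!s:5} "
              f"walk={check_restore_line(line):6} {line}")
```

The first sample is the testcase from this bug: the heuristic flags it because the comment token "- allow this" starts with a dash and contains a 't', while the walk accepts it because the token is consumed as the argument of --comment. Real -t, -tfilter and --table=filter forms are still rejected by the walk.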
is there any proceedings about this one since last month?
Thanks in advance,
(In reply to Francisco Peralta from comment #9)
> Dear all,
> is there any proceedings about this one since last month?
No, there is no progress since last month, but that is expected. The fix will be shipped along with RHEL7.8.