Hide Forgot
+++ This bug was initially created as a clone of Bug #1749698 +++ Seems like iptables-restore parser is buggy: # iptables -A FORWARD -m comment --comment "-t foo bar" -j ACCEPT # iptables-save >/tmp/ipt.dump # grep -v '^#' /tmp/ipt.dump *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A FORWARD -m comment --comment "-t foo bar" -j ACCEPT COMMIT # iptables-restore </tmp/ipt.dump iptables-nft-restore v1.8.3 (nf_tables): The -t option (seen in line 7) cannot be used in iptables-nft-restore. Error occurred at line: 7 Try `iptables-nft-restore -h' or 'iptables-nft-restore --help' for more information. The Problem is consistent with upstream and happens with legacy as well as nft variant. RHEL7 iptables-1.4.21-28.el7.x86_64 is reported to work correctly, so this is a regression.
Correction: The actual bug (and regression) is rejecting of comments starting with dash and having a 't' somewhere, not '-t' itself (this was never allowed). A testcase for this is: | *filter | -A FORWARD -m comment --comment "- allow this" -j ACCEPT | COMMIT Fix sent upstream: https://lore.kernel.org/netfilter-devel/20190920154920.7927-1-phil@nwl.cc/T/#u
Any plan and timeline to release the fix in RHEL/CentOS 7.7 updates?
Hi Jun Wang, (In reply to Jun Wang from comment #3) > Any plan and timeline to release the fix in RHEL/CentOS 7.7 updates? Sorry, no. Upstream hasn't accepted the patch yet, so I can't make any estimate regarding downstream. Cheers, Phil
Upstream commit to backport: commit 3dc433b55bbfaf9df3ee408aaa6282742f377864 Author: Phil Sutter <phil@nwl.cc> Date: Fri Sep 20 17:31:58 2019 +0200 xtables-restore: Fix --table parameter check Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments: | *filter | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT | COMMIT Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one. Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore") Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
Dear all, is there any proceedings about this one since last month? Thanks in advance, Cisco.
Hi Francisco, (In reply to Francisco Peralta from comment #9) > Dear all, > is there any proceedings about this one since last month? No, there is no progress since last month, but that is expected. The fix will be shipped along with RHEL7.8. Cheers, Phil
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1174