Red Hat Bugzilla – Bug 26998
initscript runs iptables-restore with bad command-line flags
Last modified: 2007-04-18 12:31:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (Win95; U)
In its "start" handler, the iptables initscript runs iptables-restore with "-p" and "-f" on the command line. Neither of these flags is recognized by
the iptables-restore executable.
Steps to Reproduce:
1. Set up an iptables-using kernel.
2. Install a trivial rule: "iptables -A INPUT -j ACCEPT"
3. Save the tables: "service iptables save"
4. Clear out the tables: "service iptables stop"
5. Try to reload the tables: "service iptables start"
Actual Results: Observed diagnostic output:
/sbin/iptables-restore: invalid option -- p
/sbin/iptables-restore: invalid option -- f
Bad argument `[336:46265]'
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Expected Results: Error-free execution of the initscript, with faithful restoration of all chains.
Notice that after the command-line flag complaints, iptables-restore prints an additional "Bad argument" error message. This suggests that
there are additional, deeper problems with iptables-restore's handling of the saved /etc/sysconfig/iptables file format.
The iptables initscript in the actual "fisher" public beta contains a scrambled mix of iptables and ipchains commands, and therefore is so
broken that you probably won't even be able to walk through the steps listed above. The Rawhide script is slightly better, and you should be
able to follow the steps listed above provided that you have first manually fixed bug #26997.
The high-level summary of that bug report and this one is: as recently as iptables-1.2.0-6, the initscript is badly broken in several ways, a fact
that will be quite obvious to anyone actually using the scripts.
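The "Bad argument `[336:46265]'" diagnostic quotes a `[packets:bytes]` counter pair, which is how `iptables-save -c` records counters: trailing on chain lines (`:INPUT ACCEPT [336:46265]`) and as a prefix on rule lines (`[336:46265] -A INPUT -j ACCEPT`). `iptables-restore` consumes those pairs only when run with `-c`; otherwise a rule-line prefix is handed to the rule parser as an ordinary argument. The script below is an added example, not code from this bug report or from Red Hat's initscript: it rewrites a saved ruleset into the counter-free form that plain `iptables-save` produces, so the file can be restored without `-c`. The sample ruleset and its counter values are constructed for the example; the only tool assumed is POSIX `sed`.

```shell
#!/bin/sh
# Added example (not from the bug report or the Red Hat initscript).
# Normalize an iptables-save dump that carries counters into the form
# iptables-save emits without -c: chain lines end in "[0:0]" and rule
# lines have no leading "[packets:bytes]" prefix. Assumes POSIX sed only.

# Constructed sample of a saved ruleset with counters (values are made up).
SAMPLE_RULESET='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [336:46265]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [512:70400]
[336:46265] -A INPUT -j ACCEPT
[0:0] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Read a ruleset on stdin, write the counter-free form to stdout.
normalize_ruleset() {
    # 1st expression: drop a leading "[n:m]" (plus blanks) from rule lines.
    # 2nd expression: on chain lines (":NAME POLICY [n:m]") reset the
    #                 trailing counter pair to "[0:0]".
    sed -e 's/^\[[0-9]\{1,\}:[0-9]\{1,\}\][[:space:]]*//' \
        -e '/^:/s/[[:space:]]*\[[0-9]\{1,\}:[0-9]\{1,\}\][[:space:]]*$/ [0:0]/'
}

# Number of lines in the normalized sample that still begin with a counter
# pair; 0 means nothing is left for iptables-restore to reject as an argument.
leftover_counter_prefixes() {
    printf '%s\n' "$SAMPLE_RULESET" | normalize_ruleset | grep -c '^\[' || true
}

# Line N of the normalized sample, for inspection.
normalized_line() {
    printf '%s\n' "$SAMPLE_RULESET" | normalize_ruleset | sed -n "${1}p"
}

# Stand-alone run: show the normalized ruleset.
printf '%s\n' "$SAMPLE_RULESET" | normalize_ruleset
```

In practice the normalized output would be written to a new file and passed to `iptables-restore` (without `-c`); the original saved file stays untouched so the counters are not lost if a counter-aware restore is wanted later.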