Bug 456244 - TOS field error
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: iptables
Version: 9
Hardware: i386 Linux
Priority: low
Severity: low
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-22 09:52 EDT by Oleg Aprotskiy
Modified: 2008-09-11 13:14 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-09-11 12:59:49 EDT

Attachments
My iptables config file (835 bytes, application/octet-stream)
2008-07-24 15:20 EDT, Oleg Aprotskiy

Description Oleg Aprotskiy 2008-07-22 09:52:35 EDT
Description of problem:
Problem with the MANGLE table and TOS match on the old format of iptables.sav.
1. I have in iptables.sav:
-A POSTROUTING -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark 21
-A POSTROUTING -m mark --mark 0 -j MARK --set-mark 22
2. Run: # iptables-restore < iptables.sav
3. In /etc/sysconfig/iptables:
-A POSTROUTING -m tos --tos 0x08/0x3f -m mark --mark 0x0 -j MARK --set-xmark 0x15/0xffffffff
-A POSTROUTING -m mark --mark 0x0 -j MARK --set-xmark 0x16/0xffffffff

When iptables is restarted or reloaded (service iptables restart), there is an error:

iptables: Applying firewall rules: iptables-restore v1.4.1.1: Symbolic name "0x08/0x3f" is unknown


Version-Release number of selected component (if applicable):
Name        : iptables
Version     : 1.4.1.1
Release     : 1.fc9
Comment 1 Oleg Aprotskiy 2008-07-22 10:20:03 EDT
When I loaded my rules and ran iptables-save, I saw:
-A POSTROUTING -A POSTROUTING -A POSTROUTING -m tos --tos 0x08/0xff -A POSTROUTING -m tos --tos 0x08/0xff -A POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK -A POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK -A POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK -A POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK -A POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK --set-xmark 0x15/0xffffffff
-A POSTROUTING -m mark --mark 0x0 -j MARK --set-xmark 0x16/0xffffffff
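The round trip that fails in the description and in comment 1 is iptables-save 1.4.1.1 writing the newer value/mask syntax (--tos 0x08/0x3f, --set-xmark 0x15/0xffffffff) that the same version's iptables-restore then rejected. As an added example, not code from this bug or from iptables, a Python helper that rewrites such saved rules back to the symbolic --tos names and plain --set-mark the reporter originally used, and refuses anything (like the 0x08/0xff of comment 1) that has no exact equivalent; the TOS name table is RFC 1349's as used by the tos match, and the 0x3f default mask is taken from the saved rule quoted above.

```python
import re

# TOS names and values from RFC 1349 as used by the iptables "tos" match; 0x3f is
# the default mask that the saved rule in the bug description shows.
TOS_NAMES = {"Minimize-Delay": 0x10, "Maximize-Throughput": 0x08,
             "Maximize-Reliability": 0x04, "Minimize-Cost": 0x02, "Normal-Service": 0x00}
TOS_DEFAULT_MASK = 0x3F

# The two rules iptables-save 1.4.1.1 wrote for the reporter (quoted from the description).
SAVED_RULES = [
    "-A POSTROUTING -m tos --tos 0x08/0x3f -m mark --mark 0x0 -j MARK --set-xmark 0x15/0xffffffff",
    "-A POSTROUTING -m mark --mark 0x0 -j MARK --set-xmark 0x16/0xffffffff",
]

def parse_tos(arg):
    """Parse a --tos argument, symbolic or value[/mask], into (value, mask)."""
    if arg in TOS_NAMES:
        return TOS_NAMES[arg], TOS_DEFAULT_MASK
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?", arg)
    if not m:
        raise ValueError("unknown --tos argument: %r" % arg)
    mask = int(m.group(2), 0) if m.group(2) else TOS_DEFAULT_MASK
    return int(m.group(1), 0), mask

def legacy_tos(arg):
    """Return the symbolic name for a saved value/mask --tos argument."""
    value, mask = parse_tos(arg)
    if mask == TOS_DEFAULT_MASK:
        for name, v in TOS_NAMES.items():
            if v == value:
                return name
    # A different mask (the 0x08/0xff of comment 1) selects different packets,
    # so it is reported rather than silently mapped onto a name.
    raise ValueError("no symbolic --tos equivalent for %#x/%#x" % (value, mask))

def legacy_mark(arg):
    """Rewrite a --set-xmark value/mask to plain --set-mark when the mask is all ones."""
    value, _, mask = arg.partition("/")
    if mask and int(mask, 0) != 0xFFFFFFFF:
        raise ValueError("partial mask has no --set-mark equivalent: %r" % arg)
    return str(int(value, 0))

def to_legacy_rule(rule):
    """Rewrite one saved rule line to the older syntax, or raise ValueError."""
    rule = re.sub(r"--tos (\S+)", lambda m: "--tos " + legacy_tos(m.group(1)), rule)
    return re.sub(r"--set-xmark (\S+)", lambda m: "--set-mark " + legacy_mark(m.group(1)), rule)

if __name__ == "__main__":
    for saved in SAVED_RULES:
        print(to_legacy_rule(saved))
```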
Comment 2 Fedora Update System 2008-07-23 08:30:39 EDT
iptables-1.4.1.1-2.fc9 has been submitted as an update for Fedora 9
Comment 3 Fedora Update System 2008-07-23 08:31:16 EDT
iptables-1.4.1.1-2.fc8 has been submitted as an update for Fedora 8
Comment 4 Oleg Aprotskiy 2008-07-23 09:24:35 EDT
iptables-1.4.1.1-2.fc9.i386

1. iptables-restore doesn't work:
# iptables-restore --verbose < iptables
iptables-restore v1.4.1.1: iptables-restore: unable to initialize table 'mangle'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2.
# iptables-restore v1.4.1.1: iptables-restore: unable to initialize table 'filter'

Error occurred at line: 78
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

3. iptables-save doesn't work:
# iptables-save
iptables-save v1.4.1.1: Unable to open /proc/net/ip_tables_names: No such file or directory

Comment 5 Oleg Aprotskiy 2008-07-23 09:30:13 EDT
The problem was when iptables started without any rules.
Comment 6 Thomas Woerner 2008-07-23 09:36:29 EDT
Could it be that you are not root or that there are no netfilter kernel modules (maybe after a kernel update)?
Comment 7 Oleg Aprotskiy 2008-07-23 10:05:44 EDT
(In reply to comment #6)
> Could it be that you are not root or that there are no netfilter kernel modules
> (maybe after kernel update)?

No, the user is root.
The problem occurred when there was no /etc/sysconfig/iptables file; otherwise everything works.
Comment 8 Oleg Aprotskiy 2008-07-23 10:06:18 EDT
Also, I have: kernel-2.6.25.10-86.fc9.i686
Comment 9 Thomas Woerner 2008-07-23 10:22:56 EDT
Ok, please attach the iptables file you have restored with iptables-restore.
Comment 10 Thomas Woerner 2008-07-24 09:39:46 EDT
This is an SELinux problem. If you set SELinux to permissive mode (setenforce 0), it works.
Comment 11 Oleg Aprotskiy 2008-07-24 15:20:22 EDT
Created attachment 312588 [details]
My iptables config file
Comment 12 Oleg Aprotskiy 2008-07-24 15:42:14 EDT
Everything works, but there is a problem with SELinux when I try to save the config with iptables-save:

# iptables-save > /root/iptables.sav

host=sun.fedoramd.org type=AVC msg=audit(1216928239.430:553): avc: denied { write } for pid=30553 comm="iptables-save" path="/root/iptables.sav" dev=dm-1 ino=358424 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=sun.fedoramd.org type=SYSCALL msg=audit(1216928239.430:553): arch=40000003 syscall=11 success=yes exit=0 a0=8437b80 a1=83a5b80 a2=842f970 a3=0 items=0 ppid=29773 pid=30553 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="iptables-save" exe="/sbin/iptables-save" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)

-rw-r--r--  root root unconfined_u:object_r:user_home_t /root/iptables.sav

P.S. restorecon /root/iptables.sav doesn't help me.
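The AVC and SYSCALL records in this comment share one audit event serial (553), which is what ties the denial to the process that triggered it. As an added example, not from the bug, a Python correlator that joins the two records by serial and pulls out the source type, denied permission, object class and target type, the four facts any policy lookup needs; the input is the two records quoted above, re-joined onto one line each.

```python
import re

# The two audit records from this comment, re-joined onto one line each.
AUDIT_LINES = [
    'host=sun.fedoramd.org type=AVC msg=audit(1216928239.430:553): avc: denied { write } for pid=30553 comm="iptables-save" path="/root/iptables.sav" dev=dm-1 ino=358424 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'host=sun.fedoramd.org type=SYSCALL msg=audit(1216928239.430:553): arch=40000003 syscall=11 success=yes exit=0 a0=8437b80 a1=83a5b80 a2=842f970 a3=0 items=0 ppid=29773 pid=30553 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="iptables-save" exe="/sbin/iptables-save" subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null)',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # timestamp and event serial
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

def parse_record(line):
    """Split one audit record into its key=value fields plus event serial and denied perms."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev = EVENT_RE.search(line)
    fields["time"], fields["serial"] = ev.group(1), ev.group(2)
    d = DENIED_RE.search(line)
    if d:
        fields["denied"] = d.group(1).split()
    return fields

def selinux_type(context):
    """Type component of a user:role:type[:level] security context."""
    return context.split(":")[2]

def correlate(lines):
    """Join each AVC record to the SYSCALL record with the same serial and summarise it."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})  # may be absent if the log was truncated
        out.append({
            "serial": serial, "denied": avc["denied"], "tclass": avc["tclass"],
            "path": avc.get("path"), "source_type": selinux_type(avc["scontext"]),
            "target_type": selinux_type(avc["tcontext"]), "exe": sc.get("exe"),
            "uid": sc.get("uid"), "syscall": sc.get("syscall"), "arch": sc.get("arch"),
        })
    return out

def describe(s):
    return "serial %s: %s denied { %s } on %s %s labelled %s (exe %s, uid %s, syscall %s)" % (
        s["serial"], s["source_type"], " ".join(s["denied"]), s["tclass"], s["path"],
        s["target_type"], s["exe"], s["uid"], s["syscall"])
```

Syscall 11 on arch 40000003 (i386) is execve, and it reports success=yes: the denial was logged while the shell's already-open redirect to /root/iptables.sav was inherited across the domain transition into iptables_t, not on a write() issued by iptables-save itself, which is why relabelling the file with restorecon to its default type changes nothing.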
Comment 13 Fedora Update System 2008-07-30 16:02:36 EDT
iptables-1.4.1.1-2.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update iptables'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6795
Comment 14 Fedora Update System 2008-09-11 12:59:45 EDT
iptables-1.4.1.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-09-11 13:14:42 EDT
iptables-1.4.1.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
