Bug 456244 - TOS field error
Summary: TOS field error
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 9
Hardware: i386
OS: Linux
low
low
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-22 13:52 UTC by Oleg Aprotskiy
Modified: 2008-09-11 17:14 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-11 16:59:49 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
My iptables config file (835 bytes, application/octet-stream)
2008-07-24 19:20 UTC, Oleg Aprotskiy 		no flags Details
View All

Description Oleg Aprotskiy 2008-07-22 13:52:35 UTC 
Description of problem:
Problem with table MANGLE and TOS on old format of iprables.sav
1. I have in iptables.sav:
-A POSTROUTING -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-
mark 21
-A POSTROUTING -m mark --mark 0 -j MARK --set-mark 22
2. Make: # iptables-restore < iptables.sav
3. At /etc/sysconfig/iptables:
-A POSTROUTING -m tos --tos 0x08/0x3f -m mark --mark 0x0 -j MARK --set-xmark 
0x15/0xffffffff 
-A POSTROUTING -m mark --mark 0x0 -j MARK --set-xmark 0x16/0xffffffff 

When iptables restart or reload (service iptables restart) there is error:

iptables: Applying firewall rules: iptables-restore v1.4.1.1: Symbolic name 
"0x08/0x3f" is unknown


Version-Release number of selected component (if applicable):
Name        : iptables
Version     : 1.4.1.1
Release     : 1.fc9
Comment 1 Oleg Aprotskiy 2008-07-22 14:20:03 UTC 
When I load my rules and execute iptables-save, I saw:
-A POSTROUTING -A POSTROUTING -A POSTROUTING -m tos --tos 0x08/0xff -A 
POSTROUTING -m tos --tos 0x08/0xff -A POSTROUTING -m tos --tos 0x08/0xff -m 
mark --mark 0x0 -j MARK -A POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 
0x0 -j MARK -A POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK -A 
POSTROUTING -m tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK -A POSTROUTING -m 
tos --tos 0x08/0xff -m mark --mark 0x0 -j MARK --set-xmark 0x15/0xffffffff 
-A POSTROUTING -m mark --mark 0x0 -j MARK --set-xmark 0x16/0xffffffff
Comment 2 Fedora Update System 2008-07-23 12:30:39 UTC 
iptables-1.4.1.1-2.fc9 has been submitted as an update for Fedora 9
Comment 3 Fedora Update System 2008-07-23 12:31:16 UTC 
iptables-1.4.1.1-2.fc8 has been submitted as an update for Fedora 8
Comment 4 Oleg Aprotskiy 2008-07-23 13:24:35 UTC 
iptables-1.4.1.1-2.fc9.i386

1. Don't work iptables-restore:
# iptables-restore --verbose < iptables
iptables-restore v1.4.1.1: iptables-restore: unable to initialize table 'mangle'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2. 
# iptables-restore v1.4.1.1: iptables-restore: unable to initialize table 
'filter'

Error occurred at line: 78
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

3. Don't work iptables-save:
# iptables-save
iptables-save v1.4.1.1: Unable to open /proc/net/ip_tables_names: No such file 
or directory
Comment 5 Oleg Aprotskiy 2008-07-23 13:30:13 UTC 
Problem was when iptables start without any rules
Comment 6 Thomas Woerner 2008-07-23 13:36:29 UTC 
Could it be that you are not root or that there are no netfilter kernel modules
(maybe after kernel update)?
Comment 7 Oleg Aprotskiy 2008-07-23 14:05:44 UTC 
(In reply to comment #6)
> Could it be that you are not root or that there are no netfilter kernel 
modules
> (maybe after kernel update)?

no, user - root.
Problem was when theare is no file /etc/sysconfig/iptables, in other case - all 
works.
Comment 8 Oleg Aprotskiy 2008-07-23 14:06:18 UTC 
+ I have: kernel-2.6.25.10-86.fc9.i686
Comment 9 Thomas Woerner 2008-07-23 14:22:56 UTC 
Ok, please attach the iptables file you have restored with iptables-restore.
Comment 10 Thomas Woerner 2008-07-24 13:39:46 UTC 
This is a SElinux problem. If you set SELinux in permissive mode (setenforce 0),
it is working.
Comment 11 Oleg Aprotskiy 2008-07-24 19:20:22 UTC 
Created attachment 312588 [details]
My iptables config file
Comment 12 Oleg Aprotskiy 2008-07-24 19:42:14 UTC 
All good work, but there is problem with selinux, when I try to save config 
with iptables-save

# iptables-save > /root/iptables.sav

host=sun.fedoramd.org type=AVC msg=audit(1216928239.430:553): avc: denied 
{ write } for pid=30553 comm="iptables-save" path="/root/iptables.sav" dev=dm-1 
ino=358424 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file 

host=sun.fedoramd.org type=SYSCALL msg=audit(1216928239.430:553): arch=40000003 
syscall=11 success=yes exit=0 a0=8437b80 a1=83a5b80 a2=842f970 a3=0 items=0 
ppid=29773 pid=30553 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts3 ses=1 comm="iptables-save" exe="/sbin/iptables-save" 
subj=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 key=(null) 

-rw-r--r--  root root unconfined_u:object_r:user_home_t /root/iptables.sav

P.S. restorecon /root/iptables.sav don't help me.
Comment 13 Fedora Update System 2008-07-30 20:02:36 UTC 
iptables-1.4.1.1-2.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update iptables'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6795
Comment 14 Fedora Update System 2008-09-11 16:59:45 UTC 
iptables-1.4.1.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-09-11 17:14:42 UTC 
iptables-1.4.1.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.