From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.7 i586)

Description of problem:
The proper syntax for a negated TOS match is "iptables ... -m tos ! --tos <value>". However, when iptables-save saves such a rule, it instead uses "iptables ... -m tos --tos !<value>". Note that the exclamation point has moved. Subsequent uses of iptables-restore will fail because the saved syntax is incorrect.

How reproducible:
Always

Steps to Reproduce:
Issue the following commands as root:

    # service iptables stop
    # iptables -t mangle -A OUTPUT -m tos ! --tos 0
    # service iptables save
    # service iptables start

Actual Results:
The final "service iptables start" command yields the following output:

    Flushing all current rules and user defined chains: [ OK ]
    Clearing all current rules and user defined chains: [ OK ]
    Applying iptables firewall rules: [ OK ]
    iptables-restore v1.2.2: Bad TOS value `!Normal-Service'
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    [FAILED]

Expected Results:
"service iptables start" should have completed without error, and the saved rule should have been restored properly. To verify proper restoration, issue the command "iptables -t nat -L OUTPUT". You should see the following:

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
               all  --  anywhere             anywhere           TOS match !Normal-Service

Note the "!".

Additional info:
We (Red Hat) should try to fix this for the next release.
Fixed in 1.2.2-4
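A check for the saved syntax described in the report, as an added example that is not part of the original bug thread: it flags rules where the "!" is fused to the --tos value and rewrites them to the "! --tos <value>" form the report gives as correct. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): locate and repair the misplaced
# "!" in a saved ruleset before it is handed to iptables-restore.

# Constructed sample of a saved ruleset containing the broken rule.
sample_rules() {
cat <<'EOF'
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m tos --tos !Normal-Service
-A OUTPUT -p tcp -m tos --tos Minimize-Delay
COMMIT
EOF
}

# Read a ruleset on stdin and print, with line numbers, every rule in
# which "!" is attached to the TOS value ("--tos !<value>").
# Exit status is non-zero when nothing is found (grep semantics).
find_bad_tos() {
    grep -n -E -e '--tos[[:space:]]+![^[:space:]]'
}

# Read a ruleset on stdin and rewrite "--tos !<value>" to
# "! --tos <value>". Rules without the defect pass through unchanged.
fix_bad_tos() {
    sed -E 's/--tos[[:space:]]+!([^[:space:]]+)/! --tos \1/'
}

# Demonstration on the constructed sample: report, then show the repair.
echo "Rules with a misplaced negation:"
sample_rules | find_bad_tos || echo "(none)"
echo "Repaired ruleset:"
sample_rules | fix_bad_tos
```

Running find_bad_tos on a saved ruleset before the firewall service is restarted shows whether the restore would fail on this rule.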