Red Hat Bugzilla – Bug 50990
iptables-save uses incorrect syntax for negated TOS match
Last modified: 2008-05-01 11:38:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.7 i586)
Description of problem:
The proper syntax for a negated TOS match is "iptables ... -m tos ! --tos
<value>". However, when iptables-save saves such a rule, it instead uses
"iptables ... -m tos --tos !<value>". Note that the exclamation point has
moved. Subsequent uses of iptables-restore will fail because the saved
syntax is incorrect.
Steps to Reproduce:
Issue the following commands as root:
# service iptables stop
# iptables -t mangle -A OUTPUT -m tos ! --tos 0
# service iptables save
# service iptables start
Actual Results: The final "service iptables start" command yields the
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: [ OK ]
iptables-restore v1.2.2: Bad TOS value `!Normal-Service'
Try `iptables-restore -h' or 'iptables-restore --help' for more
Expected Results: "service iptables start" should have completed without
error, and the saved rule should have been restored properly. To verify
proper restoration, issue the command "iptables -t nat -L OUTPUT". You
should see the following:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere TOS match
Note the "!".
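A defender-side check for the defect described above, written as an added example and not taken from the bug report or the iptables project: it counts rules in an iptables-save dump that carry the misplaced "!" and rewrites them to the "! --tos <value>" form that iptables-restore accepts. The dump is constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): detect and repair the misplaced
# negation that iptables-save 1.2.2 emits for "-m tos ! --tos <value>".
# The ruleset below is constructed and mixes correct and broken rules.

SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m tos --tos !Normal-Service -j ACCEPT
-A OUTPUT -m tos --tos Minimize-Delay -j ACCEPT
-A OUTPUT -m tos ! --tos 0x08 -j DROP
COMMIT'

# Count rules saved in the broken form, i.e. "!" fused onto the TOS value.
# iptables-restore rejects these with "Bad TOS value `!...'".
count_broken_tos() {
    printf '%s\n' "$1" | grep -c -e '--tos ![^ ]' || true
}

# Rewrite "--tos !<value>" to "! --tos <value>" so the dump restores cleanly.
# Rules already in the correct form are left untouched.
fix_tos_negation() {
    printf '%s\n' "$1" | sed 's/--tos !\([^ ][^ ]*\)/! --tos \1/g'
}

# Stand-alone run: report how many rules needed fixing and print the result.
echo "broken rules before: $(count_broken_tos "$SAMPLE_DUMP")"
fix_tos_negation "$SAMPLE_DUMP"
```

Run it against a real dump with `fix_tos_negation "$(cat /etc/sysconfig/iptables)"` before handing the file to iptables-restore.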
We (Red Hat) should try to fix this for the next release.
Fixed in 1.2.2-4