Bug 50990 - iptables-save uses incorrect syntax for negated TOS match
iptables-save uses incorrect syntax for negated TOS match
Product: Red Hat Public Beta
Classification: Retired
Component: iptables (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
Depends On:
  Show dependency treegraph
Reported: 2001-08-06 03:51 EDT by Ben Liblit
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-08-06 18:41:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ben Liblit 2001-08-06 03:51:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.7 i586)

Description of problem:
The proper syntax for a negated TOS match is "iptables ... -m tos ! --tos
<value>".  However, when iptables-save saves such a rule, it instead uses
"iptables ... -m tos --tos !<value>".  Note that the exclamation point has
moved.  Subsequent uses of iptables-restore will fail because the saved
syntax is incorrect.

How reproducible:

Steps to Reproduce:
Issue the following commands as root:

	# service iptables stop
	# iptables -t mangle -A OUTPUT -m tos ! --tos 0
	# service iptables save
	# service iptables start

Actual Results:  The final "service iptables start" command yields the
following output:

	Flushing all current rules and user defined chains:        [  OK  ]
	Clearing all current rules and user defined chains:        [  OK  ]
	Applying iptables firewall rules:                          [  OK  ]
	iptables-restore v1.2.2: Bad TOS value `!Normal-Service'
	Try `iptables-restore -h' or 'iptables-restore --help' for more

Expected Results:  "service iptables start" should have completed without
error, and the saved rule should have been restored properly.  To verify
proper restoration, issue the command "iptables -t nat -L OUTPUT".  You
should see the following:

	Chain OUTPUT (policy ACCEPT)
	target     prot opt source               destination         
	           all  --  anywhere             anywhere           TOS match

Note the "!".

Additional info:
Comment 1 Glen Foster 2001-08-06 18:41:00 EDT
We (Red Hat) should try to fix this for the next release.
Comment 2 Bernhard Rosenkraenzer 2001-08-27 08:54:11 EDT
Fixed in 1.2.2-4

Note You need to log in before you can comment on or make changes to this bug.