Bug 55895 - iptables-save doesn't correctly save interface definitions that contain a +
Summary: iptables-save doesn't correctly save interface definitions that contain a +
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
Depends On:
Reported: 2001-11-08 14:18 UTC by Need Real Name
Modified: 2008-05-01 15:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-11-08 14:18:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Need Real Name 2001-11-08 14:18:02 UTC
Description of Problem:
iptables-save is unable to correctly save iptables rules that contain an
interface description that includes the '+' character. iptables itself
considers the interface description "eth+" to match "eth0", "eth1", "eth2",
etc., however, when iptables-save stores such a rule it merely inserts "-i
eth" which causes the rule to match no interfaces. There is no error
output, so the user assumes everything worked and on the next reboot stands a
very good chance of not being able to access the machine remotely.

Version-Release number of selected component (if applicable):

How Reproducible:
The clearest demonstration I can think of would be to clear out
all of the rules, set the default policy for the input chain to be DENY and
add the rule:

iptables -A INPUT -i eth+ -j ACCEPT

then do an iptables-save followed by an iptables-restore and try to connect
from a remote machine; it won't work. If you examine
/etc/sysconfig/iptables you will see for that rule that the line will read:

[0:0] -A INPUT -i eth -j ACCEPT

(or something similar). iptables-restore restores this rule faithfully and
tells iptables to match an interface named "eth", which of course doesn't
exist, so all packets will be ignored by this rule.
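
The following is an added example, not part of the bug report or of the iptables package: a small Python check that parses an iptables-save dump, applies the interface-matching semantics the reporter describes (a trailing "+" is a prefix wildcard, a bare name must match exactly, "!" negates), and flags any non-negated -i/-o specifier that matches none of the host's interfaces. Such a rule can never fire, which is exactly how a silently dropped "+" locks an administrator out after reboot. The dump text and the interface list are constructed sample data; on a real host the interface list would come from /sys/class/net and the dump from iptables-save.

```python
"""Round-trip sanity check for iptables-save output (added example).

Flags interface specifiers that can match no interface on the host, the
symptom described in the report: "-i eth+" saved as "-i eth".
"""
import re
import shlex

# Constructed sample of a saved ruleset in which the first rule has lost
# its '+' wildcard, exactly as the report describes.
SAMPLE_SAVE_OUTPUT = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i eth -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT ! -i ppp+ -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed list of interfaces assumed to exist on the host.
HOST_INTERFACES = ["lo", "eth0", "eth1", "ppp0"]

IFACE_FLAGS = ("-i", "--in-interface", "-o", "--out-interface")


def iface_matches(spec: str, ifname: str) -> bool:
    """iptables interface matching: a trailing '+' makes the specifier a
    prefix wildcard ("eth+" matches eth, eth0, eth1, ...); without it the
    name must match exactly ("eth" matches only an interface named eth)."""
    if spec.endswith("+"):
        return ifname.startswith(spec[:-1])
    return ifname == spec


def parse_rules(text: str):
    """Yield (chain, specs, rule_line) for every -A rule in an iptables-save
    dump; specs is a list of (flag, negated, specifier) for -i/-o options."""
    for line in text.splitlines():
        line = line.strip()
        # Skip comments, table headers (*filter), chain policies (:INPUT ...)
        # and the COMMIT marker.
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        tokens = shlex.split(line)
        if tokens and re.fullmatch(r"\[\d+:\d+\]", tokens[0]):
            tokens = tokens[1:]  # drop the [packets:bytes] counters
        chain = None
        specs = []
        for idx, tok in enumerate(tokens):
            if tok == "-A" and idx + 1 < len(tokens):
                chain = tokens[idx + 1]
            elif tok in IFACE_FLAGS and idx + 1 < len(tokens):
                negated = idx > 0 and tokens[idx - 1] == "!"
                specs.append((tok, negated, tokens[idx + 1]))
        if chain is not None:
            yield chain, specs, line


def dead_interface_specs(text: str, interfaces):
    """Return (chain, specifier, rule_line) for each non-negated interface
    specifier that matches no interface in `interfaces`. A negated specifier
    that matches nothing matches every packet instead, so it is not a lockout
    risk and is not reported."""
    findings = []
    for chain, specs, line in parse_rules(text):
        for _flag, negated, spec in specs:
            if negated:
                continue
            if not any(iface_matches(spec, name) for name in interfaces):
                findings.append((chain, spec, line))
    return findings


if __name__ == "__main__":
    for chain, spec, line in dead_interface_specs(SAMPLE_SAVE_OUTPUT, HOST_INTERFACES):
        print(f"{chain}: interface spec {spec!r} matches no host interface: {line}")
```

Run it against the real dump (for example `iptables-save` piped into a file) and the host's actual interface names before rebooting; any rule it reports is one that will silently match nothing after iptables-restore.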

Comment 1 Bernhard Rosenkraenzer 2001-11-08 14:21:28 UTC
Install the errata package released a couple of days ago.
