Bug 55895 - iptables-save doesn't correctly save interface definitions that contain a +
Product: Red Hat Linux
Classification: Retired
Component: iptables
Hardware/OS: i386 Linux
Priority: medium
Severity: high
Assigned To: Bernhard Rosenkraenzer
Reported: 2001-11-08 09:18 EST by Need Real Name
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2001-11-08 09:18:07 EST

Attachments: None
Description Need Real Name 2001-11-08 09:18:02 EST
Description of Problem:
iptables-save is unable to correctly save iptables rules that contain an
interface description that includes the '+' character. iptables itself
considers the interface description "eth+" to match "eth0", "eth1", "eth2",
etc., however, when iptables-save stores such a rule it merely inserts "-i
eth" which causes the rule to match no interfaces. There is no error
output, so the user assumes everything worked and on the next reboot stands a
very good chance of not being able to access the machine remotely.

Version-Release number of selected component (if applicable):

How Reproducible:
The clearest demonstration I can think of would be to clear out
all of the rules, set the default policy for the input chain to be DENY and
add the rule:

iptables -A INPUT -i eth+ -j ACCEPT

then do an iptables-save followed by an iptables-restore and try to connect
from a remote machine; it won't work. If you examine
/etc/sysconfig/iptables you will see for that rule that the line will read:

[0:0] -A INPUT -i eth -j ACCEPT

(or something similar). iptables-restore restores this rule faithfully and
tells iptables to match an interface named "eth", which of course doesn't
exist, so all packets will be ignored by this rule.
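The check a practitioner would want before trusting a saved ruleset across a reboot is a round-trip comparison: take the rules as loaded with `iptables`, parse the `iptables-save` dump, and flag any `-i`/`-o` wildcard whose trailing `+` did not survive. The following is an added example written for this page; it is not code from the bug report or from the iptables project. The sample rule list and the two dumps are constructed to mirror the report (the buggy dump drops the `+`, the good dump keeps it), and the `iptables-save` version string and timestamps in them are assumed, not taken from the page. The interface matching helper implements the `-i`/`-o` semantics the reporter describes: a trailing `+` is a prefix wildcard, anything else is an exact name.

```python
"""Round-trip check for iptables interface wildcards ('eth+').

Added example for the bug report above; not code from the iptables project.
All rule text and dumps below are constructed sample data.
"""
import re
import shlex

# Rules as they were loaded with `iptables -A ...` (constructed sample).
LOADED_RULES = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i eth+ -j ACCEPT",
    "-A FORWARD -i eth0 -o ppp+ -j ACCEPT",
]

# What a buggy iptables-save wrote back: the trailing '+' is gone
# (constructed; version string and timestamp are assumed).
BUGGY_DUMP = """\
# Generated by iptables-save v1.2.3 on Thu Nov  8 09:18:02 2001
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth -j ACCEPT
[0:0] -A FORWARD -i eth0 -o ppp -j ACCEPT
COMMIT
# Completed on Thu Nov  8 09:18:02 2001
"""

# Output of a fixed iptables-save for the same rules (constructed).
GOOD_DUMP = BUGGY_DUMP.replace("-i eth -j", "-i eth+ -j").replace("-o ppp -j", "-o ppp+ -j")

_COUNTER = re.compile(r"^\[\d+:\d+\]\s+")


def interface_matches(pattern: str, ifname: str) -> bool:
    """iptables -i/-o semantics: a trailing '+' is a prefix wildcard
    ('eth+' matches eth0, eth1, ...); without it the name must match exactly."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern


def interface_options(rule: str) -> dict:
    """Return {'-i': name, '-o': name} for the interface options present in one rule."""
    argv = shlex.split(rule)
    found = {}
    for idx, tok in enumerate(argv[:-1]):
        if tok in ("-i", "-o"):
            found[tok] = argv[idx + 1]
    return found


def strip_wildcards(rule: str) -> str:
    """Rewrite a rule the way the buggy iptables-save did: drop the '+'
    from every -i/-o argument. Used to recognise a mangled saved rule."""
    argv = shlex.split(rule)
    for idx, tok in enumerate(argv[:-1]):
        if tok in ("-i", "-o") and argv[idx + 1].endswith("+"):
            argv[idx + 1] = argv[idx + 1][:-1]
    return " ".join(argv)


def saved_rules(dump: str) -> list:
    """Extract the '-A ...' rule lines from an iptables-save dump, skipping
    comments, table headers (*filter), chain policies (:INPUT ...) and COMMIT,
    and dropping the leading [packets:bytes] counters."""
    rules = []
    for line in dump.splitlines():
        line = _COUNTER.sub("", line.strip())
        if line.startswith("-A "):
            rules.append(line)
    return rules


def lost_wildcards(loaded: list, dump: str) -> list:
    """Compare the rules you loaded with what iptables-save wrote back.
    Returns (loaded_rule, saved_rule) pairs where an interface wildcard lost
    its trailing '+', i.e. the saved rule now names a non-existent interface."""
    saved = set(saved_rules(dump))
    problems = []
    for rule in loaded:
        if rule in saved:
            continue
        mangled = strip_wildcards(rule)
        if mangled != rule and mangled in saved:
            problems.append((rule, mangled))
    return problems


def rules_for_interface(rules: list, ifname: str, opt: str = "-i") -> list:
    """Rules whose -i (or -o) pattern would match ifname under iptables semantics.
    Shows the practical effect: the loaded set matches eth0, the mangled set does not."""
    return [r for r in rules
            if opt in interface_options(r)
            and interface_matches(interface_options(r)[opt], ifname)]


if __name__ == "__main__":
    for loaded, saved in lost_wildcards(LOADED_RULES, BUGGY_DUMP):
        print(f"wildcard lost: loaded '{loaded}' but saved '{saved}'")
    print("INPUT rules matching eth0 after restore:",
          rules_for_interface(saved_rules(BUGGY_DUMP), "eth0"))
```

In practice the loaded list would come from `iptables -S` (or the rules you scripted) and the dump from `iptables-save`, run before the reboot; an empty result from `lost_wildcards` means the saved file will bring back the same interface matches you tested against.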
Comment 1 Bernhard Rosenkraenzer 2001-11-08 09:21:28 EST
Install the errata package released a couple of days ago.
