Red Hat Bugzilla – Bug 55895
iptables-save doesn't correctly save interface definitions that contain a +
Last modified: 2008-05-01 11:38:01 EDT
Description of Problem:
iptables-save is unable to correctly save iptables rules that contain an
interface description that includes the '+' character. iptables itself
considers the interface description "eth+" to match "eth0", "eth1", "eth2",
etc., however, when iptables-save stores such a rule it merely inserts "-i
eth" which causes the rule to match no interfaces. There is no error
output, so user assumes everything worked and on the next reboot stands a
very good chance of not being able to access the machine remotely.
Version-Release number of selected component (if applicable):
The clearest demonstration I can think of would be to clear out
all of the rules, set the default policy for the input chain to be DENY and
add the rule:
iptables -A INPUT -i eth+ -j ACCEPT
then do an iptables-save followed by an iptables-restore and try to connect
from a remote machine, it won't work. If you examine
/etc/sysconfig/iptables you will see for that rule that the line will read:
[0:0] -A INPUT -i eth -j ACCEPT
(or something similar). iptables-restore restores this rule faithfully and
tells iptables to match an interface named "eth", which of course doesn't
exist, so all packets will be ignored by this rule.
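A check a defender can run on a saved rule set after this bug, added here as an example and not part of the report or of iptables itself: it parses iptables-save output and flags any -i/-o interface that is neither a '+' wildcard nor a device present on the host, which is exactly what a truncated "eth" looks like. The sample dump and the interface list below are constructed.

```python
import os
import re

# Constructed sample of /etc/sysconfig/iptables as written by the buggy
# iptables-save: the "eth+" wildcard on the INPUT rule has become "eth".
SAVED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth -j ACCEPT
[0:0] -A FORWARD -i ppp+ -o eth0 -j ACCEPT
COMMIT
"""

# Matches "-i eth0", "-o ! eth1", "--in-interface ppp+" and so on.
IFACE_OPT = re.compile(
    r"(?:^|\s)(-i|-o|--in-interface|--out-interface)\s+(!\s+)?(\S+)")


def saved_interfaces(text):
    """Yield (line_no, option, iface) for each interface option on a rule line."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith(("-A", "[")):   # skip *table, :chain, COMMIT
            continue
        for m in IFACE_OPT.finditer(line):
            yield n, m.group(1), m.group(3)


def suspicious_interfaces(text, present):
    """Return (line_no, iface) for interface names that are neither a '+'
    wildcard nor a device in `present`: a bare 'eth' is the signature of the
    truncation described in the report."""
    present = set(present)
    return [(n, iface) for n, _opt, iface in saved_interfaces(text)
            if not iface.endswith("+") and iface not in present]


def live_interfaces():
    """Devices currently present on this Linux host (for use on a real box)."""
    return os.listdir("/sys/class/net")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysconfig/iptables"
    with open(path) as fh:
        for n, iface in suspicious_interfaces(fh.read(), live_interfaces()):
            print(f"{path}:{n}: '{iface}' is not present and not a wildcard")
```

Run it against the saved file right after iptables-save and before the next reboot; a hit on a rule that was meant to carry a wildcard is the case described above.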
Install the errata package released a couple of days ago.