From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417

Description of problem:
'ip6tables-save' yields the following output:

# Generated by ip6tables-save v1.2.5 on Mon May 20 14:13:16 2002
*filter
:INPUT ACCEPT [32:3072]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp --dport 22 SYN/SYN,ACK,URG-j ACCEPT
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp --dport 993 SYN/SYN,ACK,URG-j ACCEPT
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp SYN/SYN-j DROP
-A INPUT -s ::/0 -d ::/0 -i eth0 -p udp -j DROP
COMMIT
# Completed on Mon May 20 14:13:16 2002

There are two apparent problems (which ip6tables-restore complains about):
1. No space between the TCP flags and -j
2. No switch to specify beginning of TCP flags

Below is the output from 'ip6tables -L -n'

Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     tcp      ::/0       ::/0          tcp dpt:22 flags:0x32/0x02
ACCEPT     tcp      ::/0       ::/0          tcp dpt:993 flags:0x32/0x02
DROP       tcp      ::/0       ::/0          tcp flags:0x02/0x02
DROP       udp      ::/0       ::/0

Chain FORWARD (policy DROP)
target     prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source     destination

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. /sbin/ip6tables -A INPUT -i eth0 -p tcp --syn -j DROP
2. /sbin/ip6tables-save
3.

Actual Results:
ip6tables-save generates invalid output

Expected Results:
ip6tables-save should always generate something that iptables-restore can read

Additional info:
iptables-ipv6-1.2.5-3
Created attachment 80948
patch against iptables 1.2.5 from Red Hat
This is fixed in 1.2.7a and could be backported to 1.2.5. See if attached patch fixes it for you.
fixed in 1.2.7a-1.
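Added example, not part of the original report or of the iptables project: a small lint pass that flags the two defects described in the report (TCP flags written without the --tcp-flags switch, and -j fused to the preceding token) in a saved ruleset before it is handed to ip6tables-restore. The function names are hypothetical; the sample rule lines are copied from the report.

```python
import re

# Rule lines copied from the report above (ip6tables-save v1.2.5 output).
SAMPLE = """\
*filter
:INPUT ACCEPT [32:3072]
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp --dport 22 SYN/SYN,ACK,URG-j ACCEPT
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp SYN/SYN-j DROP
-A INPUT -s ::/0 -d ::/0 -i eth0 -p udp -j DROP
COMMIT
"""

FLAG = r"(?:SYN|ACK|FIN|RST|URG|PSH|ALL|NONE)"
FLAGLIST = rf"{FLAG}(?:,{FLAG})*"
# The broken form seen in the report: two flag lists joined by '/'.
FLAG_PAIR = re.compile(rf"{FLAGLIST}/{FLAGLIST}")


def lint_rule(line):
    """Return a list of problems found in one '-A ...' rule line."""
    problems = []
    tokens = line.split()
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else ""
        # Defect 1 in the report: no space before -j. Only tokens that are
        # not the argument of an option (e.g. an interface name) are checked.
        if (tok != "-j" and tok.endswith("-j")
                and not tok.startswith("-") and not prev.startswith("-")):
            problems.append("target switch fused to previous token: %r" % tok)
            tok = tok[:-2]
        # Defect 2 in the report: flags appear without a switch. A restorable
        # rule uses '--tcp-flags <mask> <comp>' with two separate arguments.
        if FLAG_PAIR.fullmatch(tok) and prev != "--tcp-flags":
            problems.append("TCP flags without --tcp-flags: %r" % tok)
    return problems


def lint_ruleset(text):
    """Return (line_number, problem) pairs for every rule line in a save file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("-A "):
            findings.extend((lineno, p) for p in lint_rule(line))
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_ruleset(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```

Running a check like this before restore matters because a save file that ip6tables-restore rejects can leave a host without its intended IPv6 rules after a reboot.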