Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours
Bug 65245 - ip6tables-save output incorrect
ip6tables-save output incorrect
Product: Red Hat Linux
Classification: Retired
Component: iptables (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: wdovlrrw
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2002-05-20 16:25 EDT by Need Real Name
Modified: 2007-04-18 12:42 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-01-13 16:53:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch against iptables 1.2.5 from Red Hat (1.95 KB, patch)
2002-10-18 12:27 EDT, Michael Schwendt
no flags Details | Diff

  None (edit)
Description Need Real Name 2002-05-20 16:25:42 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417

Description of problem:
'ip6tables-save' yields the following output:

# Generated by ip6tables-save v1.2.5 on Mon May 20 14:13:16 2002
:INPUT ACCEPT [32:3072]
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp --dport 22 SYN/SYN,ACK,URG-j ACCEPT
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp --dport 993 SYN/SYN,ACK,URG-j ACCEPT
-A INPUT -s ::/0 -d ::/0 -i eth0 -p tcp -m tcp SYN/SYN-j DROP
-A INPUT -s ::/0 -d ::/0 -i eth0 -p udp -j DROP
# Completed on Mon May 20 14:13:16 2002

There are two apparent problems (which ip6tables-restore complains about):

1. No space between the TCP flags and -j
2. No switch to specify beginning of TCP flags

Below is the output from 'ip6tables -L -n'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp      ::/0                 ::/0               tcp dpt:22
ACCEPT     tcp      ::/0                 ::/0               tcp dpt:993
DROP       tcp      ::/0                 ::/0               tcp flags:0x02/0x02
DROP       udp      ::/0                 ::/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. /sbin/ip6tables -A INPUT -i eth0 -p tcp --syn -j DROP
2. /sbin/ip6tables-save

Actual Results:  ip6tables-save generates invalid output

Expected Results:  ip6tables-save should always generate something that
iptables-restore can read

Additional info:

Comment 1 Michael Schwendt 2002-10-18 12:27:40 EDT
Created attachment 80948 [details]
patch against iptables 1.2.5 from Red Hat
Comment 2 Michael Schwendt 2002-10-18 12:28:18 EDT
This is fixed in 1.2.7a and could be backported to 1.2.5. See if attached patch
fixes it for you.

Comment 3 Bill Nottingham 2003-01-13 16:53:22 EST
fixed in 1.2.7a-1.

Note You need to log in before you can comment on or make changes to this bug.