From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
When defining iptables rules with a negative MAC match (i.e. -m mac ! --mac xx:xx:xx:xx:xx:xx) and they are saved via the Red Hat init script, the iptables-save script writes the negative mac match to /etc/sysconfig/iptables and forgets a space between the "!" (NOT) and the actual MAC address. When trying to restore the rules, the "iptables-restore" script exits with a "Bad mac address" error.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Add a rule like the following: iptables -A FORWARD -m mac ! --mac 00:00:00:00:00:00 -j DROP
2. Save the rule: /etc/init.d/iptables save
3. Try to reload the rules: /etc/init.d/iptables restart

Actual Results:
iptables rules cannot be restored from /etc/sysconfig/iptables. Rules are empty...

Expected Results:
iptables rules should have been set.

Additional info:
Output:
Applying iptables firewall rules: iptables-restore v1.2.6a: Bad mac address '! 00:00:00:00:00:00'
Try 'iptables-restore -h' or 'iptables-restore --help' for more information.
--------------------------
Because of this bug iptables is empty when trying to restore, so I think this is severe.
Bug exists at least since Red Hat 7.2 (introduction of iptables).
--------------------------
Solution: I wrote a dirty perl hack that checks /etc/sysconfig/iptables for negative mac matches and adds a space between the ! and the mac address.
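The workaround the reporter describes (post-processing /etc/sysconfig/iptables so that "!" and the MAC address are separated by a space before iptables-restore reads the file), written out as an added shell example. This is not the reporter's perl script, the attached patch, or Red Hat's init script; it assumes the broken save output carries the mac match on a line containing "--mac" (the report shows "--mac"; the constructed sample below spells it "--mac-source"), and that the MAC is written as six colon-separated hex octets.

```shell
#!/bin/sh
# Added example (not from the bug report, the attachment, or Red Hat's
# init script): repair iptables-save output in which a negated MAC match
# was written as "!aa:bb:cc:dd:ee:ff" instead of "! aa:bb:cc:dd:ee:ff",
# which makes iptables-restore fail with "Bad mac address".

# fix_negated_mac: filter stdin to stdout.  On lines carrying a mac match
# (assumed to contain "--mac"), insert a space between "!" and a MAC
# address.  Lines that already have the space, and lines without a mac
# match, pass through unchanged.
fix_negated_mac() {
    sed -E '/--mac/ s/!([0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5})/! \1/g'
}

# fix_rules_file: rewrite a saved rules file in place (default path is the
# Red Hat location), keeping a .bak copy of the original.  Run this after
# "/etc/init.d/iptables save" and before "restart".
fix_rules_file() {
    f=${1:-/etc/sysconfig/iptables}
    fix_negated_mac < "$f" > "$f.tmp" && cp "$f" "$f.bak" && mv "$f.tmp" "$f"
}

# Constructed sample of a broken save (not real iptables-save output).
# The first FORWARD rule lacks the space; the second is already correct.
SAMPLE='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m mac --mac-source !00:00:00:00:00:00 -j DROP
-A FORWARD -m mac --mac-source ! 11:22:33:44:55:66 -j DROP
COMMIT'

# demo: return the repaired sample so the result can be inspected.
demo() {
    printf '%s\n' "$SAMPLE" | fix_negated_mac
}

demo
```

The filter is intentionally narrow: it only touches lines that contain a mac match and only a "!" that is immediately followed by something shaped like a MAC address, so the rest of the ruleset (counters, chain policies, other matches) is left exactly as iptables-save wrote it.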
Created attachment 83865 [details] fix for 1.2.6a and 1.2.7a
Btw, the patch applies against 1.2.5 (e.g. Red Hat Linux 7.3), too, with offset 1 line.
Tested against 1.2.6a: works!
This one is fixed as of 1.2.7a-1 in Raw Hide (with a more recent patch).
Should this be closed then? Reassigning to new owner.
Yes, resolution is CURRENTRELEASE.