Bug 827919 - iptables-restore corrupts --log-prefix settings
Status: CLOSED DUPLICATE of bug 825796
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 17
Hardware: i686
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-03 18:21 UTC by rambler8
Modified: 2012-06-30 20:54 UTC

Last Closed: 2012-06-30 20:54:58 UTC
Type: Bug

Description rambler8 2012-06-03 18:21:32 UTC
If an iptables rule uses the --log-prefix setting, the specified log-prefix is not used after saving and restarting, i.e.:

iptables-save > /etc/sysconfig/iptables
systemctl restart iptables.service

Instead the log prefix is set to "--log-prefix" rather than the configured value. 



Version-Release number of selected component (if applicable):
iptables-1.4.12.2-5.fc17.i686



How reproducible:
Always



Steps to Reproduce:
1. iptables -I INPUT -s 192.0.2.0/24 -j LOG --log-prefix "From Example.com:"
2. iptables-save > /etc/sysconfig/iptables
3. systemctl restart iptables.service
4. iptables -L | grep '192.0.2.0'



Actual results:
LOG all -- 192.0.2.0/24 anywhere LOG level warning prefix "--log-prefix"



Expected results:
LOG all -- 192.0.2.0/24 anywhere LOG level warning prefix "From Example.com:"



Additional Information:
After running iptables-save > /etc/sysconfig/iptables, the saved rule appears to be in the correct format, i.e.: 
-A INPUT -s 192.0.2.0/24 -j LOG --log-prefix "From Example.com:"

Comment 1 Andrew Haveland-Robinson 2012-06-14 01:19:45 UTC
I've also just encountered this problem with iptables-1.4.12.2-5.fc17.x86_64

More information, after running:
iptables-restore < /etc/sysconfig/iptables

and running this:
iptables -S | grep log-prefix

I get this:

-A CHAIN1 -j LOG --log-prefix --lo --log-level 6
-A CHAIN2 -j LOG --log-prefix --lo --log-level 6
...
-A CHAIN3 -j LOG --log-prefix --log-prefi --log-level 6
-A CHAIN4 -j LOG --log-prefix --log-pref --log-level 6

Corresponding lines in /etc/sysconfig/iptables:
-A CHAIN1 -j LOG --log-prefix "VN: " --log-level 6
-A CHAIN2 -j LOG --log-prefix "ZA: " --log-level 6
...
-A CHAIN3 -j LOG --log-prefix "MAIL_BLOCK:" --log-level 6
-A CHAIN4 -j LOG --log-prefix "MAIL_DROP:" --log-level 6

This shouldn't be difficult to fix - the faulty prefix name has the correct length, but seems to be fetching from the wrong buffer location.

Annoying - I have too many rules to replace manually.
Would it be possible to make --line-numbers work with -S and not just with the unprocessable -L directive?
This way, one can search and replace rules more easily using grep and cut.

Comment 2 Peter Wu 2012-06-25 18:09:09 UTC
What compiler versions are you using? Using Arch Linux and gcc 4.7.1 on iptables 1.4.14, I get the same error. If I build with -O0, the bug goes away. -O1 and -O2 are both affected.

Comment 3 Peter Wu 2012-06-25 20:43:00 UTC
Patch available on http://bugzilla.netfilter.org/show_bug.cgi?id=774

Comment 4 Michael Schwendt 2012-06-30 20:54:58 UTC

*** This bug has been marked as a duplicate of bug 825796 ***
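
Added example (not part of the original report and not iptables project code): a check that compares the saved rules with the loaded ruleset and lists every LOG rule whose prefix changed, flagging values that fit the pattern reported above (the option name cut to the configured prefix's length). The function names are hypothetical, the sample rules are constructed from the lines quoted in Comment 1 plus one made-up unaffected rule (CHAIN5), and it assumes both inputs print rules in the same normalized form.

```python
import shlex
from collections import Counter

OPTION = "--log-prefix"

# Constructed sample input: CHAIN1/CHAIN3 follow Comment 1, CHAIN5 is made up.
SAVED = '''*filter
-A CHAIN1 -j LOG --log-prefix "VN: " --log-level 6
-A CHAIN3 -j LOG --log-prefix "MAIL_BLOCK:" --log-level 6
-A CHAIN5 -j LOG --log-prefix "OK: " --log-level 6
COMMIT
'''
LIVE = '''-A CHAIN1 -j LOG --log-prefix --lo --log-level 6
-A CHAIN3 -j LOG --log-prefix --log-prefi --log-level 6
-A CHAIN5 -j LOG --log-prefix "OK: " --log-level 6
'''

def log_prefixes(rules_text):
    """Map each rule carrying --log-prefix to its prefix value.

    The key is the rule with the prefix value removed, plus an occurrence
    counter so that rules differing only in their prefix stay distinct.
    """
    seen, result = Counter(), {}
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT, comments
        tokens = shlex.split(line)  # honours the quoting iptables-save writes
        if OPTION not in tokens[:-1]:
            continue  # no --log-prefix, or nothing follows it
        i = tokens.index(OPTION)
        key = tuple(tokens[:i + 1] + tokens[i + 2:])
        seen[key] += 1
        result[(key, seen[key])] = tokens[i + 1]
    return result

def corrupted_prefixes(saved_text, live_text):
    """Return (chain, saved_prefix, live_prefix, fits_bug) per mismatch."""
    saved, live = log_prefixes(saved_text), log_prefixes(live_text)
    findings = []
    for ident, want in saved.items():
        got = live.get(ident)
        if got is not None and got != want:
            # Pattern from this report: option name cut to the prefix length.
            findings.append((ident[0][1], want, got, got == OPTION[:len(want)]))
    return findings

if __name__ == "__main__":
    for finding in corrupted_prefixes(SAVED, LIVE):
        print(finding)
```

On a real host, pass the contents of /etc/sysconfig/iptables as the saved text and the output of iptables-save (or iptables -S for a single table) captured after the restore as the live text.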

