Bug 828660 - iptables-restore problem with ruleset parsing
Status: CLOSED DUPLICATE of bug 825796
Product: Fedora
Classification: Fedora
Component: iptables
Version: 17
Hardware: i386 Linux
Priority: unspecified
Severity: high
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-05 03:03 EDT by Thomas Bartschies
Modified: 2012-07-18 10:13 EDT (History)

Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-07-18 10:13:55 EDT
Attachments:
iptables rules with comments and patch for iptables-restore.c (20.59 KB, application/force-download)
2012-06-05 03:03 EDT, Thomas Bartschies

Description Thomas Bartschies 2012-06-05 03:03:12 EDT
Created attachment 589404
iptables rules with comments and patch for iptables-restore.c

Description of problem:
iptables-restore doesn't correctly reimport rules that were previously saved
using iptables-save. If a rule contains quotes enclosing a comment or a ulog prefix, the content within the quotes is ignored and the previous parameter is duplicated instead. Stripping the quotes prevents the problem, but if you have a string that contains spaces this is not a solution.

Version-Release number of selected component (if applicable):
iptables 1.4.12.2-2

How reproducible:
Set rules that contain either -m comment --comment "comment comment comment" or
set ulog rules that contain an --ulog-prefix "prefix prefix".

Steps to Reproduce:
1. Set the rules
2. iptables-save somefile
3. iptables-restore somefile
4. Check the rules by using iptables -L -n <-t sometable>
  
Actual results:
All rules containing quotes and using them in context with --ulog-prefix have --ulog-prefix set as the actual comment.

Expected results:
Prefixes and Comments correctly set.

Additional info:
I've compiled iptables with debugging and found that one or more specific instructions aren't executed. File iptables-restore.c contains a loop for rule parsing, and a part of that is specific to handling quoted strings.

I've attached an excerpt of our firewall rule sets containing such problematic
statements and a patch showing the problematic statements in iptables-restore.
This patch also contains a workaround that seems to cure the problem. From my tests I suspect a compiler optimization problem. The assignment in the block from line 393 on is never executed unless you replace it with a function call or add another call, such as an fprintf for debugging.
Comment 1 S. Yoder 2012-06-08 14:08:18 EDT
Confirming above, but have not tested patch yet. Also happening with --log-prefix if there are quotes.

Example:
 * Set as: iptables -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment "Ignore bootpc" -j DROP
 * Saved as: -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment "Ignore bootpc" -j DROP
 * Restored as:
   ** iptables -L INPUT -n: DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 PKTTYPE = broadcast /* --comment */
   ** iptables -S INPUT: -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment --comment -j DROP

Workaround I've found is to not use quotes (if possible). For example:
* Set as: iptables -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment bootpc -j DROP
* Saved as: -A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment bootpc -j DROP
* Restored as:
  ** iptables -L INPUT -n: DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 PKTTYPE = broadcast /* bootpc */

However, saving could add quotes - such as for --log-prefix. Manually editing /etc/sysconfig/iptables & ip6tables to remove the quotes does result in a proper restore. Example:
 * Set as: iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix DROP: --log-level 7
 * Saved as: -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP:" --log-level 7
 * Edited to: -A INPUT -m limit --limit 5/min -j LOG --log-prefix DROP: --log-level 7
 * Restored as:
  ** iptables -L INPUT -n: LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "DROP:"
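The description and Comment 1 both come down to one parsing rule: a double-quoted span in an iptables-save line must become a single parameter, quotes stripped and inner spaces kept, and iptables-save's backslash escapes inside the quotes must be honoured. The C below is an added example written for this page, not the attached patch and not code from iptables-restore.c; it shows the tokenisation a correct restore must perform, plus a check for the symptom seen in Comment 1, where the quoted value is lost and the option name is repeated in its place (`--comment --comment`). The function names and the sample rule lines are constructed here; the lines are taken from the examples in this report.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 64

/* Release the strings produced by split_rule(). */
static void free_args(char *argv[], int argc)
{
    for (int i = 0; i < argc; i++)
        free(argv[i]);
}

/* Split one iptables-save rule line into argv the way a correct restore must:
 * whitespace separates parameters, a double-quoted span is one parameter with
 * the quotes removed and inner spaces kept, and a backslash escapes the next
 * character (iptables-save writes \" and \\ inside quoted values).
 * Returns argc, or -1 on an unterminated quote, allocation failure or more
 * than max_args parameters. The caller frees argv[0..argc-1] with free_args().
 * Example function written for this page; not the iptables implementation. */
int split_rule(const char *line, char *argv[], int max_args)
{
    size_t len = strlen(line);
    char *buf = malloc(len + 1);   /* one parameter is never longer than the line */
    size_t blen = 0;
    int argc = 0, in_quote = 0, in_param = 0;

    if (buf == NULL)
        return -1;

    for (size_t i = 0; i <= len; i++) {
        char c = line[i];          /* line[len] is the NUL: acts as a final flush */

        if (c == '\\' && i + 1 < len) {
            buf[blen++] = line[++i];          /* escaped char is taken literally */
            in_param = 1;
        } else if (c == '"') {
            in_quote = !in_quote;             /* quotes delimit, never appear */
            in_param = 1;                     /* "" is a valid, empty parameter */
        } else if ((c == '\0' || isspace((unsigned char)c)) && !in_quote) {
            if (in_param) {                   /* end of a parameter: emit it */
                if (argc >= max_args)
                    goto fail;
                buf[blen] = '\0';
                argv[argc] = malloc(blen + 1);
                if (argv[argc] == NULL)
                    goto fail;
                memcpy(argv[argc], buf, blen + 1);
                argc++;
                blen = 0;
                in_param = 0;
            }
        } else {
            buf[blen++] = c;                  /* ordinary char, or a space inside quotes */
            in_param = 1;
        }
    }
    if (in_quote)
        goto fail;                            /* unterminated quote: reject the line */
    free(buf);
    return argc;

fail:
    free_args(argv, argc);
    free(buf);
    return -1;
}

/* Symptom check for this report: after a bad restore the quoted value is gone
 * and the option name is repeated in its place, so `iptables -S` shows e.g.
 * "--comment --comment" or "--log-prefix --log-prefix". Returns 1 if argv
 * contains a long option immediately followed by itself. */
int option_repeats_itself(char *argv[], int argc)
{
    for (int i = 0; i + 1 < argc; i++)
        if (strncmp(argv[i], "--", 2) == 0 && strcmp(argv[i], argv[i + 1]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample input: the saved lines from this report, plus the
     * broken `iptables -S` output from Comment 1. */
    const char *lines[] = {
        "-A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment \"Ignore bootpc\" -j DROP",
        "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"DROP:\" --log-level 7",
        "-A INPUT -p udp -m udp --sport 68 --dport 67 -m pkttype --pkt-type broadcast -m comment --comment --comment -j DROP",
    };
    char *argv[MAX_ARGS];

    for (size_t n = 0; n < sizeof lines / sizeof lines[0]; n++) {
        int argc = split_rule(lines[n], argv, MAX_ARGS);
        if (argc < 0) {
            fprintf(stderr, "parse error: %s\n", lines[n]);
            continue;
        }
        printf("%d parameters%s\n", argc,
               option_repeats_itself(argv, argc) ? " (quoted value lost: bug symptom)" : "");
        for (int i = 0; i < argc; i++)
            printf("  [%d] %s\n", i, argv[i]);
        free_args(argv, argc);
    }
    return 0;
}
```

Running `option_repeats_itself()` over every line of `iptables -S` (and `ip6tables -S`) after a restore is a cheap way to find rules hit by this bug on a live box, without having to read the ruleset by eye.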
Comment 2 Thomas Bartschies 2012-06-08 16:19:49 EDT
Removing the quotes is unfortunately not an option for me. The comments, and so the quotes, are actually generated by the shorewall firewall we're using. And yes, shorewall inserts blanks in some of the comments. So patching shorewall to remove the quotes is also not an option.

IMHO it should have a higher priority that gcc obviously generates broken code here. I'm wondering what other F17 packages are affected by this.
Comment 4 Michael Schwendt 2012-06-30 16:58:29 EDT
> Also happening with --log-prefix if there are quotes.

That would be bug 825796 according to http://bugz.fedoraproject.org/iptables
Comment 5 Thomas Woerner 2012-07-18 10:13:55 EDT

*** This bug has been marked as a duplicate of bug 825796 ***