Bug 969060 - iptables-save saves with syntax error (missing space in hashlimit match)
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iptables
Version: 5.9
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assigned To: Thomas Woerner
QA Contact: qe-baseos-daemons
Reported: 2013-05-30 10:59 EDT by mailinglists
Modified: 2017-04-04 16:41 EDT (History)

Doc Type: Bug Fix
Last Closed: 2017-04-04 16:41:31 EDT
Type: Bug
Attachments
Patch to fix missing trailing space in hashlimit iptables-save output (562 bytes, patch)
2013-07-24 11:13 EDT, Trevor Hemsley
Description mailinglists 2013-05-30 10:59:51 EDT
Description of problem:
iptables-save fails to generate /etc/sysconfig/iptables correctly.

Version-Release number of selected component (if applicable):
5.9

How reproducible:
always

Steps to Reproduce:
1. Create a rule like:
iptables -t mangle -A somechain -m hashlimit --hashlimit 100/sec --hashlimit-burst 7168 --hashlimit-mode srcip,dstip --hashlimit-name limitDDOSout --hashlimit-htable-gcinterval 1500 --hashlimit-htable-expire 3000 -j ACCEPT
2. stop iptables and do iptables-save
3. start iptables -> FAIL.

Actual results:
iptables fails to load

Expected results:
load rules it previously saved

Actual example from:
https://oblak2.isg.si/f/095fa90c4a/

[root@fw5 sysconfig]# cat iptables-config | grep SAVE | grep yes
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
IPTABLES_SAVE_COUNTER="yes"
[root@fw5 sysconfig]# /etc/init.d/iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: mangle                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
[root@fw5 sysconfig]# iptables -t mangle -n -L | grep htable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 100/sec burst 7168 mode srcip-dstip htable-gcinterval 1500 htable-expire 3000 
[root@fw5 sysconfig]# cat iptables | grep htable
-A LIMITERout -m hashlimit --hashlimit 100/sec --hashlimit-burst 7168 --hashlimit-mode srcip,dstip --hashlimit-name limitDDOSout --hashlimit-htable-gcinterval 1500 --hashlimit-htable-expire 3000 -j ACCEPT 
[root@fw5 sysconfig]# /etc/init.d/iptables stop
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter nat raw mangle     [  OK  ]
Unloading iptables modules:                                [  OK  ]
[root@fw5 sysconfig]# cat iptables | grep htable
[168882:190765625] -A LIMITERout -m hashlimit --hashlimit 100/sec --hashlimit-burst 7168 --hashlimit-mode srcip,dstip --hashlimit-name limitDDOSout --hashlimit-htable-gcinterval 1500--hashlimit-htable-expire 3000 -j ACCEPT 
[root@fw5 sysconfig]# /etc/init.d/iptables start
Applying iptables firewall rules: iptables-restore v1.3.5: bad --hashlimit-htable-gcinterval: `1500--hashlimit-htable-expire'
Error occurred at line: 85
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]
Comment 1 mailinglists 2013-06-13 04:00:44 EDT
Seems like the same bug, except it was already fixed:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1074923

When can we expect the fix for this in RH?
Comment 2 mailinglists 2013-07-24 10:01:27 EDT
Any progress?

Seems like it's been reported a while ago in fedora too:
https://bugzilla.redhat.com/show_bug.cgi?id=673277
Comment 3 mailinglists 2013-07-24 10:38:52 EDT
The bug seems to be:
TrevorH1: yes, this bug is in extensions/libipt_hashlimit.c and in the routine "save()" it is missing a space at the end of the printf
as TrevorH1 reported on #CentOS.

I've downloaded and compiled v1.4.19.1. That version works perfectly:

[root@fw6 iptables]# ./xtables-multi iptables-save | grep hashlimit 
-A LIMITERout -m hashlimit --hashlimit 100/sec --hashlimit-burst 7168 --hashlimit-mode srcip,dstip --hashlimit-name limitDDOSout --hashlimit-htable-gcinterval 1500 --hashlimit-htable-expire 3000 -j ACCEPT
Comment 4 Trevor Hemsley 2013-07-24 11:13:51 EDT
Created attachment 777839 [details]
Patch to fix missing trailing space in hashlimit iptables-save output

Without patch the output from iptables-save is

-A INPUT -m hashlimit --hashlimit 100/sec --hashlimit-burst 7168 --hashlimit-mode srcip,dstip --hashlimit-name limitDDOSout --hashlimit-htable-gcinterval 1500--hashlimit-htable-expire 3000 -j ACCEPT

with the patch

-A INPUT -m hashlimit --hashlimit 100/sec --hashlimit-burst 7168 --hashlimit-mode srcip,dstip --hashlimit-name limitDDOSout --hashlimit-htable-gcinterval 1500 --hashlimit-htable-expire 3000 -j ACCEPT

Notice the missing space between 1500 and --hashlimit-htable-expire in the first example.
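As an added illustration (not the attached patch and not upstream iptables code), the snippet below emulates the save() formatting with and without the trailing space and checks the result the way iptables-restore effectively does, by requiring a purely numeric token after each --hashlimit-htable-* option. The struct layout and function names are assumed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical subset of the hashlimit match parameters (names assumed). */
struct hl_info {
    const char *rate;                      /* e.g. "100/sec" */
    unsigned burst, gcinterval, expire;
    const char *mode, *name;
};

/* Emulates the save() output of libipt_hashlimit.c; 'fixed' adds the
 * trailing space that the RHEL 5 build omitted after
 * --hashlimit-htable-gcinterval, which is the whole bug. */
int hl_save(char *out, size_t len, const struct hl_info *i, int fixed)
{
    return snprintf(out, len,
        "-m hashlimit --hashlimit %s --hashlimit-burst %u --hashlimit-mode %s "
        "--hashlimit-name %s --hashlimit-htable-gcinterval %u%s"
        "--hashlimit-htable-expire %u",
        i->rate, i->burst, i->mode, i->name, i->gcinterval,
        fixed ? " " : "", i->expire);
}

/* Round-trip check: every --hashlimit-htable-* option must be followed by a
 * purely numeric token. "1500--hashlimit-htable-expire" fails this test,
 * exactly as iptables-restore rejected it. Returns 1 if the line is sane. */
int hl_check(const char *line)
{
    char *copy = strdup(line), *save = NULL, *tok, *next, *end;
    int ok = 1;
    for (tok = strtok_r(copy, " ", &save); tok && ok; tok = next) {
        next = strtok_r(NULL, " ", &save);
        if (strncmp(tok, "--hashlimit-htable-", 19) != 0)
            continue;
        if (!next) { ok = 0; break; }
        strtoul(next, &end, 10);
        if (*end != '\0') ok = 0;      /* value token has trailing junk */
    }
    free(copy);
    return ok;
}

int main(void)
{
    /* Constructed sample matching the rule in the report. */
    struct hl_info r = { "100/sec", 7168, 1500, 3000, "srcip,dstip", "limitDDOSout" };
    char buf[256];
    hl_save(buf, sizeof buf, &r, 0);
    printf("unpatched: %s\n  restorable=%d\n", buf, hl_check(buf));
    hl_save(buf, sizeof buf, &r, 1);
    printf("patched:   %s\n  restorable=%d\n", buf, hl_check(buf));
    return 0;
}
```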
Comment 5 RHEL Product and Program Management 2014-03-07 08:38:18 EST
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Comment 6 mailinglists 2014-03-07 09:38:53 EST
I see:
Flags: needinfo?
What more info is needed?
You have examples and even a proposed patch:
https://bugzilla.redhat.com/attachment.cgi?id=777839&action=diff
Comment 7 Ondrej Vasik 2014-06-25 17:17:51 EDT
I'm sorry, but Red Hat Enterprise Linux 5 is in production phase 3 (see https://access.redhat.com/site/support/policy/updates/errata/ ) - thus only critical and security issues are addressed.
Unfortunately, this was not raised through product support - support portal at access.redhat.com. If this issue is critical for you, please escalate it through the support, otherwise this will not get addressed in RHEL 5.
Comment 8 mailinglists 2014-06-26 07:05:18 EDT
When I submitted this bug RHEL5 was not in phase 3.
It does not matter to me, because by now I have built my own packages including this fix. However, I guess that RH does not care about its customers, for not including this simple fix, with the patch already provided.
Comment 9 Chris Williams 2017-04-04 16:41:31 EDT
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exits Production Phase 3 and enters Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. The specific support and services provided during each phase are described in detail at http://redhat.com/rhel/lifecycle

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com , provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.
