bugzilla-daemon at bugzilla.netfilter.org
2009-Sep-14  06:45 UTC
[Bug 606] New: Iptables-restore removing the wrong rules
http://bugzilla.netfilter.org/show_bug.cgi?id=606
           Summary: Iptables-restore removing the wrong rules
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: iptables-restore
        AssignedTo: laforge at netfilter.org
        ReportedBy: me at jacobsvensson.se
I'm having some troubles with a set of iptables rules. When setting the
sequence with iptables everything is fine, but if I'm using
iptables-restore, the wrong rules get removed at a certain point.
This is the smallest subset of rules that I have been able to find
that reproduces the problem.
As you can see, when trying to remove the rules ending with 60007, the
60009 ones are removed.
Looks like a bug, but perhaps I am just misunderstanding something?
I've been able to reproduce it on both 1.3.8 and 1.4.4 and on both mips and
x86.
-------------------------
user at user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
test_POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
test_OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain test_OUTPUT (1 references)
target     prot opt source               destination
Chain test_POSTROUTING (1 references)
target     prot opt source               destination
user at user-laptop:~$ sudo iptables-restore -n
*nat
-F
COMMIT
*mangle
-F
COMMIT
*nat
-X
COMMIT
*mangle
-X
COMMIT
*nat
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
-N test_OUTPUT
-I OUTPUT -j test_OUTPUT
COMMIT
*mangle
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
*mangle
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40000 -d 192.168.1.5 --dport 50000 -j DSCP --set-dscp 46
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60009
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60009
COMMIT
*nat
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
user at user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
test_POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
test_OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain test_OUTPUT (1 references)
target     prot opt source               destination
Chain test_POSTROUTING (1 references)
target     prot opt source               destination
SNAT       udp  --  192.168.1.5          192.168.1.5         udp spt:40001 dpt:50001 to:10.76.50.70:60007
SNAT       udp  --  192.168.1.5          192.168.1.5         udp spt:50001 dpt:40001 to:192.168.1.1:60007
----------------------------------
Best Regards
Jacob Svensson
-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
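A post-restore consistency check for the behaviour reported above, added here as an example (not part of the bug report or of the iptables project): it parses the `-D` lines of a restore file and the `iptables-save` output taken afterwards, canonicalising the spelling differences between the two (`/32` suffixes, `-m udp`, `--to` versus `--to-source`), and reports every rule that was meant to be deleted but is still present. Both inputs are constructed to mirror the report's ruleset; the save output is trimmed to the chains involved.

```python
import shlex

# Constructed from the bug report: the -D lines that were meant to remove the :60007 rules.
RESTORE_DELETES = """\
*nat
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
"""

# Constructed 'iptables-save -t nat' output mirroring the final listing in the report (trimmed to the
# chains involved): the :60007 rules survived and the :60009 rules are gone.
SAVE_AFTER = """\
*nat
:POSTROUTING ACCEPT [0:0]
:test_POSTROUTING - [0:0]
-A POSTROUTING -j test_POSTROUTING
-A test_POSTROUTING -s 192.168.1.5/32 -d 192.168.1.5/32 -p udp -m udp --sport 40001 --dport 50001 -j SNAT --to-source 10.76.50.70:60007
-A test_POSTROUTING -s 192.168.1.5/32 -d 192.168.1.5/32 -p udp -m udp --sport 50001 --dport 40001 -j SNAT --to-source 192.168.1.1:60007
COMMIT
"""
# Option spellings that iptables-save and a hand-written restore file use for the same thing.
ALIASES = {"-p": "proto", "-s": "src", "-d": "dst", "--sport": "sport", "--dport": "dport",
           "-j": "target", "--to": "to", "--to-source": "to", "--to-destination": "to"}

def parse_rule(line):
    """Canonicalise one '-A/-I/-D CHAIN ...' line into (op, chain, frozenset of options)."""
    tok = shlex.split(line)
    op, chain, opts, i = tok[0], tok[1], {}, 2
    while i < len(tok):
        key, val = tok[i], tok[i + 1]
        if key == "-m":                      # match-module loader; carries no rule semantics here
            i += 2
            continue
        name = ALIASES.get(key)
        if name is None:
            raise ValueError(f"unsupported option {key!r} in: {line}")
        if name in ("src", "dst") and val.endswith("/32"):
            val = val[:-3]                   # iptables-save writes single hosts as /32
        opts[name] = val
        i += 2
    return op, chain, frozenset(opts.items())

def rules_in(text):
    return [parse_rule(l) for l in text.splitlines() if l.startswith(("-A", "-I", "-D"))]

def undeleted_rules(restore_text, save_after_text):
    """Rules the restore file tried to delete (-D) that are still present in the saved ruleset."""
    present = {(c, o) for _, c, o in rules_in(save_after_text)}
    return [(c, dict(o)) for op, c, o in rules_in(restore_text) if op == "-D" and (c, o) in present]
```

Run against the report's data it returns both `:60007` rules, which is exactly the symptom the reporter saw; an empty list after a restore means every `-D` took effect.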
bugzilla-daemon at bugzilla.netfilter.org
2009-Oct-25  10:47 UTC
[Bug 606] Iptables-restore removing the wrong rules
http://bugzilla.netfilter.org/show_bug.cgi?id=606
jengelh at medozas.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org       |jengelh at medozas.de