thr3ads.net - netfilter buglog - [Bug 606] New: Iptables-restore removing the wrong rules [Sep 2009]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at bugzilla.netfilter.org

2009-Sep-14 06:45 UTC

[Bug 606] New: Iptables-restore removing the wrong rules

http://bugzilla.netfilter.org/show_bug.cgi?id=606

           Summary: Iptables-restore removing the wrong rules
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: iptables-restore
        AssignedTo: laforge at netfilter.org
        ReportedBy: me at jacobsvensson.se


I'm having some troubles with a set of iptable rules. When setting the
sequence with iptables everything is fine, but if I'm using
iptables-restore, the wrong rules get removed at a certain point.
This is the smallest subset of rules that i have been able to find
that reproduce the problem.
As you can see, when trying to remove the rules ending with 60007, the
60009 are removed.

Looks like a bug, but perhaps I am just misunderstanding something?
I've been able to reproduce it on both 1.3.8 and 1.4.4 and on both mips and
x86.

-------------------------

user at user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
test_POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
test_OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain test_OUTPUT (1 references)
target     prot opt source               destination

Chain test_POSTROUTING (1 references)
target     prot opt source               destination
user at user-laptop:~$ sudo iptables-restore -n
*nat
-F
COMMIT
*mangle
-F
COMMIT
*nat
-X
COMMIT
*mangle
-X
COMMIT
*nat
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
-N test_OUTPUT
-I OUTPUT -j test_OUTPUT
COMMIT
*mangle
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5
--dport 40001 -j SNAT --to 192.168.1.1:60007
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5
--dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
*mangle
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40000 -d 192.168.1.5
--dport 50000 -j DSCP --set-dscp 46
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5
--dport 40001 -j SNAT --to 192.168.1.1:60009
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5
--dport 50001 -j SNAT --to 10.76.50.70:60009
COMMIT
*nat
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5
--dport 40001 -j SNAT --to 192.168.1.1:60007
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5
--dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
user at user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
test_POSTROUTING  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
test_OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain test_OUTPUT (1 references)
target     prot opt source               destination

Chain test_POSTROUTING (1 references)
target     prot opt source               destination
SNAT       udp  --  192.168.1.5          192.168.1.5         udp
spt:40001 dpt:50001 to:10.76.50.70:60007
SNAT       udp  --  192.168.1.5          192.168.1.5         udp
spt:50001 dpt:40001 to:192.168.1.1:60007

----------------------------------

Best Regards
Jacob Svensson


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

bugzilla-daemon at bugzilla.netfilter.org

2009-Oct-25 10:47 UTC

head link

[Bug 606] Iptables-restore removing the wrong rules

http://bugzilla.netfilter.org/show_bug.cgi?id=606


jengelh at medozas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org       |jengelh at medozas.de




-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
You are the assignee for the bug, or are watching the assignee.

Maybe Matching Threads

Search for more possibly parallel threads

netfilter buglog - Sep 2009 - [Bug 606] New: Iptables-restore removing the wrong rules

[Bug 606] New: Iptables-restore removing the wrong rules

[Bug 606] Iptables-restore removing the wrong rules

Maybe Matching Threads