bugzilla-daemon at bugzilla.netfilter.org
2013-Jan-05 14:54 UTC
[Bug 805] New: osf iptables[-save] errors
http://bugzilla.netfilter.org/show_bug.cgi?id=805
Summary: osf iptables[-save] errors
Product: iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: blackhole at airpost.net
Estimated Hours: 0.0
Hello NF Team,
#1:
# $IPTABLES -A FOO -p tcp -m osf --genre Windows --ttl 1 --log 1
# $IPTABLES -S FOO
-N FOO
-A FOO -p tcp -m tcp -m osf --genre Windows
tested with:
kernel: 3.2.35 & 3.7.1
iptables: 1.4.16.3
iptables -[L|S] and iptables-save seem to miss the --ttl and --log options.
Therefore on restore, those settings get omitted.
------------------
#2:
# $IPTABLES -A FOO -p tcp -m osf ! --genre Windows
# $IPTABLES -S FOO
-N FOO
-A FOO -p tcp -m osf --genre ! Windows
interpolated negation is not used, thus restore with iptables-save fails.
------------------
#3:
Loading a ruleset that uses the osf match, with iptables-save, without having
the fingerprints loaded with nfnl_osf, results in an unspecified error at the
very last COMMIT line, giving no clue about the reason for the error.
------------------
#4:
Two mutually exclusive rules like:
-m osf --genre Windows
-m osf ! --genre Windows
always both match (return true - have equal counters).
------------------
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Mar-24 10:36 UTC
[Bug 805] osf iptables[-save] errors
http://bugzilla.netfilter.org/show_bug.cgi?id=805
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |pablo at netfilter.org
Resolution| |FIXED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-03-24 11:36:49 CET ---
> iptables -[L|S] and iptables-save seem to miss the --ttl and --log options.
> Therefore on restore, those settings get omitted.
http://patchwork.ozlabs.org/patch/230423/
> interpolated negation is not used, thus restore with iptables-save fails.
http://patchwork.ozlabs.org/patch/230424/
> Loading a ruleset, that uses the osf match, with iptables-save, without having
> the fingerprints loaded with nfnl_osf, results in an unspecified error at the
> very last COMMIT line. Giving no clue about the reason for the error.
This is not easy to fix, iptables error reporting is quite limited. You will
have to make sure that nfnl_osf is always called before iptables-restore.
> Two mutual exclusive rules like:
> -m osf --genre Windows
> -m osf ! --genre Windows
http://patchwork.ozlabs.org/patch/230425/
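A pre-restore lint for an iptables-save dump containing osf rules, written around the three save/restore problems reported above (added example, not part of the bug report or of netfilter's tooling). It assumes nfnl_osf accepts `-f <pf.os>` and that iptables-restore is on the host; the sample dump is constructed.

```shell
#!/bin/sh
# Added example: lint and normalize an iptables-save dump with osf rules
# before handing it to iptables-restore (bugs #1, #2 and #3 above).
set -e

# Bug #2: the dump carries "-m osf --genre ! Windows", which
# iptables-restore rejects. Rewrite it to the accepted "! --genre Windows".
fix_osf_negation() {
    sed -E 's/(-m osf) --genre ! /\1 ! --genre /g'
}

# Bug #1: --ttl and --log are dropped on save. Flag every osf rule that has
# neither option left, so it can be re-added by hand (heuristic: a rule
# saved by a fixed iptables keeps them, one saved by the buggy version does not).
osf_rules_missing_opts() {
    grep -E -- ' -m osf ' | grep -v -E -- ' --ttl [0-9]| --log [0-9]' || true
}

# Bug #3: restoring osf rules without fingerprints fails with an opaque
# error on COMMIT, so load them first and refuse to restore if that fails.
# Assumes nfnl_osf takes the fingerprint file via -f (not verified here).
restore_with_osf() {   # restore_with_osf <pf.os> <dump>
    nfnl_osf -f "$1" || { echo "fingerprints not loaded; refusing to restore" >&2; return 1; }
    fix_osf_negation < "$2" | iptables-restore
}

# Constructed sample dump in the broken form shown in the report.
SAMPLE_DUMP='*filter
:FOO - [0:0]
-A FOO -p tcp -m osf --genre ! Windows
-A FOO -p tcp -m osf --genre Windows
-A FOO -p tcp -m osf --genre Linux --ttl 1 --log 1
COMMIT'

echo '--- normalized dump:'
printf '%s\n' "$SAMPLE_DUMP" | fix_osf_negation
echo '--- osf rules with no --ttl/--log (check by hand):'
printf '%s\n' "$SAMPLE_DUMP" | osf_rules_missing_opts
```

Run it against a real dump with `restore_with_osf /etc/pf.os saved.rules` once the normalized output looks right.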