bugzilla-daemon at netfilter.org
2013-Jul-06 10:30 UTC
[Bug 832] New: iptables-save refuses to save "--packet 0"
https://bugzilla.netfilter.org/show_bug.cgi?id=832
Summary: iptables-save refuses to save "--packet 0"
Product: iptables
Version: 1.4.x
Platform: x86_64
OS/Version: Fedora
Status: NEW
Severity: normal
Priority: P5
Component: iptables-save
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: tristen_e at yahoo.com
Estimated Hours: 0.0
Consider the following example on Fedora.
If I apply the following rules, iptables accepts the commands and works as
expected:
$ iptables -t nat -A PREROUTING -p tcp --dport 90 -m statistic --mode nth --every 2 --packet 0 -j REDIRECT --to 9000
$ iptables -t nat -A PREROUTING -p tcp --dport 90 -m statistic --mode nth --every 1 --packet 0 -j REDIRECT --to 9001
Then I output to screen using:
$ iptables-save
and I see the following, without "--packet 0":
:POSTROUTING ACCEPT [38:3497]
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 2 -j REDIRECT --to-ports 9000
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 1 -j REDIRECT --to-ports 9001
Now I save to the startup file:
$ iptables-save > /etc/sysconfig/iptables
and then restarting results in a service failed error:
$ systemctl restart iptables.service
Then examining why the iptables service failed to start results in the
following output:
$ systemctl status iptables.service
iptables: Applying firewall rules: iptables-restore v1.4.16.2: statistic: option "--every" also requires "--packet".
which is exactly the same error I'd get if I omitted "--packet 0" from the
original command entered manually.
The workaround is to manually apply the script at startup.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
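As an added defensive check (not from the bug report or the iptables project): a small Python lint that scans a saved ruleset for nth-mode statistic matches whose "--every" has no "--packet" before the file is handed to iptables-restore, so a broken save is caught before the firewall service fails to start with no rules loaded. It assumes, per the commit message quoted in the thread, that the only value ever suppressed was 0 and repairs the line accordingly; the sample ruleset is constructed to mirror the report.

```python
import shlex

# Constructed sample in iptables-save format reproducing the report: the first two
# PREROUTING rules were saved without "--packet 0", so iptables-restore rejects them
# with 'option "--every" also requires "--packet"'. The third has an explicit --packet.
SAVED_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [38:3497]
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 2 -j REDIRECT --to-ports 9000
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 1 -j REDIRECT --to-ports 9001
-A PREROUTING -p tcp -m tcp --dport 91 -m statistic --mode nth --every 3 --packet 1 -j REDIRECT --to-ports 9002
COMMIT
"""

def statistic_option_ranges(tokens):
    """[start, end) token ranges of each '-m statistic' match's options (ending at next -m/-j/-g)."""
    ranges, i = [], 0
    while i < len(tokens):
        if tokens[i] == "-m" and tokens[i + 1:i + 2] == ["statistic"]:
            start = j = i + 2
            while j < len(tokens) and tokens[j] not in ("-m", "-j", "-g"):
                j += 1
            ranges.append((start, j))
            i = j
        else:
            i += 1
    return ranges

def repair_line(line):
    """Return (line, changed); insert '--packet 0' after '--every N' in nth-mode matches lacking it.
    Assumption from the commit message: only the value 0 was ever suppressed, so missing means 0."""
    if not line.startswith(("-A ", "-I ")):
        return line, False
    tokens, changed = shlex.split(line), False
    for start, end in reversed(statistic_option_ranges(tokens)):  # right-to-left keeps indices valid
        opts = tokens[start:end]
        nth = "--mode" in opts and opts[opts.index("--mode") + 1:][:1] == ["nth"]
        if nth and "--every" in opts and "--packet" not in opts:
            at = start + opts.index("--every") + 2  # just past the --every value
            tokens[at:at] = ["--packet", "0"]
            changed = True
    return shlex.join(tokens), changed

def lint_saved_rules(text):
    """Return (repaired text, 1-based numbers of the lines that were repaired)."""
    results = [repair_line(l) for l in text.splitlines()]
    repaired = "\n".join(new for new, _ in results) + "\n"
    return repaired, [n for n, (_, changed) in enumerate(results, 1) if changed]
```

Run it over /etc/sysconfig/iptables (or any iptables-save dump) before restoring; a non-empty list of repaired line numbers means the saved file would not have loaded on an unfixed iptables-restore.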
bugzilla-daemon at netfilter.org
2013-Jul-06 14:43 UTC
[Bug 832] iptables-save refuses to save "--packet 0"
https://bugzilla.netfilter.org/show_bug.cgi?id=832
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |RESOLVED
             CC    |                            |netfilter at linuxace.com
     Resolution    |                            |FIXED
--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-07-06 16:43:48 CEST ---
This has already been fixed by the commit shown below. Upgrade to the latest
iptables version.
commit a46a5698027aa48e27e3cc2d54bb8bbafb10e7da
Author: Tom Eastep <teastep at shorewall.net>
Date: Mon Nov 19 11:40:40 2012 +0100
extensions: libxt_statistic: Fix save output
Suppressing '--packet 0' in save output resulted in restore failure.
This patch includes '--packet 0' in save output while continuing to
suppress it in print output.