Your message dated Sun, 21 Jul 2013 13:24:36 -0400
with message-id <CA+0KVf3BYg=jakwd7sqyjqqxyxhpottpjgerk_yebfnuwjr...@mail.gmail.com>
and subject line iptables add 4 rules instead just one
has caused the Debian Bug report #691306,
regarding [iptables] iptables add 4 rules instead just one in kernel INPUT chain
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
691306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691306
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.4.8-3
Severity: grave

On Debian Squeeze i386 (and PowerPC), and also on Debian Wheezy,
iptables adds 4 rules in the kernel INPUT chain instead of just one,
as in the following example.

sudo iptables --flush INPUT

sudo iptables --list INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

sudo /sbin/iptables --insert INPUT --proto TCP --destination-port 12345 --source localhost --destination localhost --jump DROP --match comment --comment 'from test'

sudo iptables --list INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP tcp -- localhost localhost tcp dpt:12345 /* from test */
DROP tcp -- localhost localhost tcp dpt:12345 /* from test */
DROP tcp -- localhost localhost tcp dpt:12345 /* from test */
DROP tcp -- localhost localhost tcp dpt:12345 /* from test */
libcommon@vm-wheezy-x86-ia32-1:/tmp$

But if using 127.0.0.1 instead of localhost as the source, then only 2 rules are inserted, as in the following example...

sudo iptables --flush INPUT

sudo /sbin/iptables --insert INPUT --proto TCP --destination-port 12345 --source 127.0.0.1 --destination localhost --jump DROP --match comment --comment 'from test'

sudo iptables --list INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP tcp -- localhost localhost tcp dpt:12345 /* from test */
DROP tcp -- localhost localhost tcp dpt:12345 /* from test */

And finally, if using only canonical IP addresses, then no problem occurs and just one rule is inserted in the kernel...

sudo iptables --flush INPUT


sudo /sbin/iptables --insert INPUT --proto TCP --destination-port 12345 --source 127.0.0.1 --destination 127.0.0.1 --jump DROP --match comment --comment 'from test'

sudo iptables --list INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP tcp -- localhost localhost tcp dpt:12345 /* from test */

This behavior is difficult to avoid if you handle hundreds of rules
when trying to suppress dedicated rules!

Many thanks in advance for correcting it.
Best regards


--
--------------------------------------
 -- Jean-Marc LACROIX                 --
  -- mailto : [email protected] --
    ---------------------------------------

--- End Message ---
--- Begin Message ---
Sorry, but I do not believe this is an iptables bug.

--- End Message ---
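The three listings in the report match what the iptables(8) manual says about `-s`/`-d`: a hostname is resolved once, before the rule is submitted to the kernel, and when the name has more than one address the rule is submitted once per source/destination address pair (the manual also warns against names that need a remote lookup such as DNS). The Python below is an added example, not code from the report, from Debian or from the iptables project: it models that expansion offline with a constructed hosts table so the counts 4, 2 and 1 can be reproduced, and it reports which names on a command line are the ambiguous ones. The functions `reported_rule`, `expand_rule`, `ambiguous_names`, `table_resolver` and `system_resolver`, and the two-address `localhost` entry in `CONSTRUCTED_HOSTS`, are assumptions of this example.

```python
"""Added example (not from the bug report or from iptables itself): model
how iptables turns one command line with hostnames into several kernel
rules, and flag the names responsible, so rules can be managed with
literal addresses instead."""
import ipaddress
import itertools
import socket
from typing import Callable, Dict, List, Sequence

# Command-line flags whose value iptables treats as a host/network spec.
SRC_FLAGS = ("-s", "--source", "--src")
DST_FLAGS = ("-d", "--destination", "--dst")

Resolver = Callable[[str], List[str]]


def is_literal_ipv4(spec: str) -> bool:
    """True for a dotted-quad address, CIDR or address/netmask form that
    needs no lookup; anything else is treated as a hostname."""
    try:
        ipaddress.IPv4Network(spec, strict=False)
        return True
    except ValueError:
        return False


def system_resolver(name: str) -> List[str]:
    """Every IPv4 address the system resolver returns for a name, deduplicated
    (getaddrinfo repeats each address once per socket type)."""
    if is_literal_ipv4(name):
        return [name]
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            name, None, socket.AF_INET):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed name -> addresses table, so the expansion
    can be reproduced offline from a constructed /etc/hosts-like mapping."""
    def resolve(name: str) -> List[str]:
        if is_literal_ipv4(name):
            return [name]
        if name not in table:
            raise LookupError(f"host/network '{name}' not found")
        return list(table[name])
    return resolve


def expand_rule(argv: Sequence[str], resolve: Resolver) -> List[List[str]]:
    """The concrete rules one command line becomes: each name is resolved
    once and one rule is produced per (source, destination) address pair,
    so a name with N addresses on both sides yields N*N rules."""
    argv = list(argv)
    choices: List[List[str]] = []
    for i, tok in enumerate(argv):
        prev = argv[i - 1] if i else ""
        choices.append(resolve(tok) if prev in SRC_FLAGS + DST_FLAGS else [tok])
    return [list(combo) for combo in itertools.product(*choices)]


def kernel_rule_count(argv: Sequence[str], resolve: Resolver) -> int:
    """How many rules the kernel will hold after this one invocation."""
    return len(expand_rule(argv, resolve))


def ambiguous_names(argv: Sequence[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Hostnames on the command line that resolve to more than one address:
    each one makes a single insert or delete touch several kernel rules."""
    argv = list(argv)
    found: Dict[str, List[str]] = {}
    for i in range(1, len(argv)):
        if argv[i - 1] in SRC_FLAGS + DST_FLAGS and not is_literal_ipv4(argv[i]):
            addrs = resolve(argv[i])
            if len(addrs) > 1:
                found[argv[i]] = addrs
    return found


def reported_rule(src: str, dst: str) -> List[str]:
    """The report's command line with the given source/destination."""
    return ["iptables", "--insert", "INPUT", "--proto", "TCP",
            "--destination-port", "12345", "--source", src, "--destination", dst,
            "--jump", "DROP", "--match", "comment", "--comment", "from test"]


# Constructed hosts table (assumption): 'localhost' carrying two IPv4
# addresses, which is what the reporter's 4-rule result implies.
CONSTRUCTED_HOSTS: Dict[str, List[str]] = {"localhost": ["127.0.0.1", "127.0.1.1"]}

if __name__ == "__main__":
    resolve = table_resolver(CONSTRUCTED_HOSTS)
    for src, dst in (("localhost", "localhost"), ("127.0.0.1", "localhost"),
                     ("127.0.0.1", "127.0.0.1")):
        rule = reported_rule(src, dst)
        print(f"{src} -> {dst}: {kernel_rule_count(rule, resolve)} kernel rule(s); "
              f"ambiguous names: {ambiguous_names(rule, resolve)}")
        for concrete in expand_rule(rule, resolve):
            print("   ", " ".join(concrete))
```

The practical consequence for anyone maintaining a large rule set is the one the reporter found in the third listing: give iptables literal addresses (or pre-resolve names with `system_resolver` and emit one invocation per address), so every insert or delete corresponds to exactly one kernel rule and the loaded rule set does not silently depend on what name resolution returned at load time.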
