Package: iptables
Version: 1.4.8-3
Severity: grave
On Debian Squeeze i386 (and PowerPC), and also on Debian Wheezy,
iptables adds 4 rules to the kernel INPUT chain instead of just one, as in
the following example.
sudo iptables --flush INPUT
sudo iptables --list INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
sudo /sbin/iptables --insert INPUT --proto TCP --destination-port 12345 \
    --source localhost --destination localhost --jump DROP \
    --match comment --comment 'from test'
sudo iptables --list INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
DROP       tcp  --  localhost   localhost    tcp dpt:12345 /* from test */
DROP       tcp  --  localhost   localhost    tcp dpt:12345 /* from test */
DROP       tcp  --  localhost   localhost    tcp dpt:12345 /* from test */
DROP       tcp  --  localhost   localhost    tcp dpt:12345 /* from test */
libcommon@vm-wheezy-x86-ia32-1:/tmp$
But if 127.0.0.1 is used instead of localhost as the source, then only 2 rules
are inserted, as in the following example....
sudo iptables --flush INPUT
sudo /sbin/iptables --insert INPUT --proto TCP --destination-port 12345 \
    --source 127.0.0.1 --destination localhost --jump DROP \
    --match comment --comment 'from test'
sudo iptables --list INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
DROP       tcp  --  localhost   localhost    tcp dpt:12345 /* from test */
DROP       tcp  --  localhost   localhost    tcp dpt:12345 /* from test */
And finally, if only the canonical IP address is used, then no problem occurs
and just one rule is inserted in the kernel...
sudo iptables --flush INPUT
sudo /sbin/iptables --insert INPUT --proto TCP --destination-port 12345 \
    --source 127.0.0.1 --destination 127.0.0.1 --jump DROP \
    --match comment --comment 'from test'
sudo iptables --list INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
DROP       tcp  --  localhost   localhost    tcp dpt:12345 /* from test */
This behavior is difficult to avoid when handling hundreds of rules
and trying to remove specific rules!
Many thanks in advance for correcting it.
Best regards
--
--------------------------------------
-- Jean-Marc LACROIX --
-- mailto : jeanmarc.lacr...@free.fr --
---------------------------------------
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
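The following is an added example, not code from the bug report or from the iptables package. It assumes the reading that iptables resolves a hostname once and emits one rule per resolved (source, destination) address pair, and that on the reporter's hosts localhost resolved to two entries (2x2 = 4, 1x2 = 2, 1x1 = 1 match the rule counts shown above); the report itself does not state the cause. The script resolves names with getent(1) (which also repeats each address once per socket type, so it is deduplicated), inserts exactly one rule per distinct address pair, and deletes a rule by repeating `-D` until iptables reports it is gone, which also clears duplicates inserted earlier by name. The function names and the IPTABLES variable are this example's own; point IPTABLES at "sudo iptables" to apply the rules or at "echo iptables" to dry-run.

```shell
#!/bin/sh
# Added example (not from the bug report). Names are resolved once, with
# duplicates removed, so one rule per distinct (src, dst) IPv4 pair is
# inserted, and a rule is deleted until iptables says it is absent.
IPTABLES="${IPTABLES:-iptables}"

# resolve_v4 NAME: IPv4 addresses NAME maps to, one per line. A literal
# dotted quad is echoed as-is; names go through getent(1), which reads the
# same /etc/hosts and resolver that iptables uses. getent ahostsv4 prints
# each address once per socket type (STREAM, DGRAM, RAW), hence unique_v4.
resolve_v4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{ print $1 }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# unique_v4 NAME: resolve_v4 with every address printed once, in order seen.
unique_v4() {
    resolve_v4 "$1" | awk '!seen[$0]++'
}

# count_pairs SRC DST: number of distinct (src, dst) pairs, i.e. how many
# kernel rules one name-based iptables command would turn into.
count_pairs() {
    echo $(( $(unique_v4 "$1" | wc -l) * $(unique_v4 "$2" | wc -l) ))
}

# drop_tcp OP CHAIN SRC DST PORT: run one iptables operation (-I, -D, -C)
# for the rule from the report, with SRC and DST already resolved.
drop_tcp() {
    $IPTABLES "$1" "$2" -p tcp --dport "$5" -s "$3" -d "$4" \
        -m comment --comment "from test" -j DROP
}

# insert_rules CHAIN SRC DST PORT: one -I per distinct address pair.
insert_rules() {
    for s in $(unique_v4 "$2"); do
        for d in $(unique_v4 "$3"); do
            drop_tcp -I "$1" "$s" "$d" "$4"
        done
    done
}

# delete_rules CHAIN SRC DST PORT: keep deleting until iptables fails,
# which is how the duplicates the report shows are all removed.
delete_rules() {
    for s in $(unique_v4 "$2"); do
        for d in $(unique_v4 "$3"); do
            while drop_tcp -D "$1" "$s" "$d" "$4" 2>/dev/null; do :; done
        done
    done
}
```

Before trusting a name in a rule, `count_pairs host1 host2` tells you how many rules a single command will really create; anything other than 1 is a sign to write the rule with literal addresses, as the report's last example does.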