** Description changed:

+ SRU Justification:
+ 
+ [Impact]
+ 
+ * When somebody uses the --hex-string flag in iptables, the resulting
+ rule is invalid because of a spacing issue. This causes an invalid
+ configuration.
+ 
+ [Test Case]
+ 
+ * $ sudo iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP
+ * $ sudo iptables-save > rules
+ * Inspect 'rules':
+ '--hex-string"|ffffffff50|"' should be written as '--hex-string "|ffffffff50|"' (notice the space between string and "|)
+ 
+ [Regression Potential]
+ 
+ * This patch is already upstream and in current iptables.
+ * I've tested the packages with the patch, they build and fix the problem.
+ 
+ --
  If your iptables contains rules that use --hex-string from string module, example
  iptables -A INPUT -i eth0 -p udp -m string --hex-string "|ffffffff50|" --algo bm --to 65535 -j DROP
  and then you dump your iptables rules to a file with iptables-save, the rule above will be written as
  -A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|" --algo bm --to 65535 -j DROP
  Notice the absence of a required space before the hex-string pattern.
  This also causes iptables-restore to complain about the rule being invalid when importing the rules file and halt at the rule with error.
  This bug is reproducible on both Precise (iptables 1.4.12-1ubuntu4) and Quantal (1.4.12-2ubuntu2)
- 
- People who automatically restore their iptables rules at boot might want to manually correct the rule in their firewall rules file if they use --hex-string
+ People who automatically restore their iptables rules at boot might
+ want to manually correct the rule in their firewall rules file if they
+ use --hex-string
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1074923

Title:
  iptables-save doesn't write --hex-string pattern correctly

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1074923/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
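An added example, not part of the bug report or of the iptables package: a POSIX shell helper that does the "manually correct the rule" step from the description in a repeatable way. It counts rules in an iptables-save dump that carry the malformed `--hex-string"` form and rewrites them with the missing space, so the file can be checked before it is handed to iptables-restore at boot. The sample dump and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: detect and repair iptables-save
# output that lost the space after --hex-string (the spacing bug described
# above), before the file is fed to iptables-restore.

# Constructed sample of a dump as the buggy iptables-save wrote it: one rule
# with the missing space, one rule already in the correct form.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m string --hex-string"|ffffffff50|" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p udp -m string --hex-string "|deadbeef|" --algo bm --to 65535 -j DROP
COMMIT'

# Number of rules in the file ($1) that still have --hex-string glued to the
# opening quote. grep -c prints 0 and exits 1 when nothing matches, so the
# "|| true" keeps a clean file from aborting a "set -e" script.
count_broken_hex_string_rules() {
    grep -c -- '--hex-string"' "$1" || true
}

# Print the file ($1) with a space inserted between --hex-string and the
# opening quote wherever it is missing; rules already spaced are left alone.
fix_hex_string_spacing() {
    sed 's/--hex-string"/--hex-string "/g' "$1"
}

# Stand-alone demonstration on the constructed sample.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    echo "broken --hex-string rules before repair: $(count_broken_hex_string_rules "$tmp")"
    fix_hex_string_spacing "$tmp" > "$tmp.fixed"
    echo "broken --hex-string rules after repair:  $(count_broken_hex_string_rules "$tmp.fixed")"
    echo "repaired dump:"
    cat "$tmp.fixed"
    # On a host with iptables, a dry run parses the repaired file without
    # committing it (iptables-restore --test; assumed available on your release):
    #   sudo iptables-restore --test < "$tmp.fixed"
    rm -f "$tmp" "$tmp.fixed"
}

main
```

Run it against a real dump by replacing the sample with `iptables-save > rules` and calling `fix_hex_string_spacing rules > rules.fixed`; a zero count from `count_broken_hex_string_rules rules.fixed` is the condition to check before pointing the boot-time restore at the repaired file. The sed pattern is deliberately narrow (only `--hex-string"`) so that it cannot touch any other part of a rule.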
