Bug 255113 - net-firewall/iptables-1.4.2 saves broken rules for -m owner
Summary: net-firewall/iptables-1.4.2 saves broken rules for -m owner
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High major
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Duplicates: 254435
Depends on:
Blocks: 252467
Reported: 2009-01-15 23:51 UTC by Andrew Savchenko
Modified: 2009-01-21 18:36 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
The fix for this problem (iptables-xt_owner-lost_space_delimiter.patch, 604 bytes, patch)
2009-01-15 23:52 UTC, Andrew Savchenko

Description Andrew Savchenko gentoo-dev 2009-01-15 23:51:21 UTC
iptables-save saves unrestorable output for -m owner --uid-owner 12345. It misses the space before the argument:

[0:0] -A OUTPUT -o ! lo -m owner --uid-owner65534 -j nobody
instead of
[0:0] -A OUTPUT -o ! lo -m owner --uid-owner 65534 -j nobody

This leads to failures while restoring rules, thus iptables fails to start on system startup and the system is left unprotected or not properly functional.
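The failure mode described in the report is silent until boot: iptables-save writes a dump that looks plausible, and the damage only surfaces when iptables-restore rejects the fused token and the firewall never comes up. A cheap defence is to lint the saved dump before it is trusted. The following Python script is an added example, not code from this bug or from the iptables project: it scans an iptables-save dump for the fused form reported here (`--uid-owner65534`), reports each occurrence with its line number, and emits a repaired copy. It assumes the rule-line layout shown above (an optional `[pkts:bytes]` counter followed by `-A`); the sample dump is constructed for this example, and `--gid-owner`, the sibling option of the same owner match, is included on the assumption that it deserves the same check even though the page only reports `--uid-owner`.

```python
import re

# Owner-match options whose numeric argument may be emitted fused to the
# option name ("--uid-owner65534" is the case reported on this page).
# --gid-owner is the sibling option of the same match; it is checked on the
# assumption that it deserves the same scrutiny, not because the page says so.
OWNER_OPTIONS = ("--uid-owner", "--gid-owner")

# A fused token: the option name immediately followed by digits, bounded by
# whitespace (or line start/end) on both sides. The well-formed
# "--uid-owner 65534" has a space after the name and therefore never matches.
_FUSED = re.compile(
    r"(?<!\S)(" + "|".join(re.escape(o) for o in OWNER_OPTIONS) + r")(\d+)(?!\S)"
)

# A rule line in an iptables-save dump: optional "[pkts:bytes]" counter, then "-A".
_RULE = re.compile(r"^(\[\d+:\d+\]\s+)?-A\s")


def repair_rule(line):
    """Split fused owner tokens in one rule line.

    Returns (repaired_line, findings); findings is a list of
    (fused_token, repaired_token) tuples, empty when the line was already fine.
    """
    findings = []

    def _split(m):
        fixed = f"{m.group(1)} {m.group(2)}"
        findings.append((m.group(0), fixed))
        return fixed

    return _FUSED.sub(_split, line), findings


def lint_dump(text):
    """Scan a whole iptables-save dump.

    Only rule lines are inspected; table headers (*filter), chain policy
    lines (:INPUT ...) and COMMIT pass through untouched.
    Returns (repaired_text, findings) with findings as (line_no, fused, fixed).
    """
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if _RULE.match(line):
            fixed, found = repair_rule(line)
            findings.extend((n, a, b) for a, b in found)
            out.append(fixed)
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), findings


# Constructed sample dump: the broken line from the report, its correct form,
# a gid variant, and an unrelated rule that must be left alone.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nobody - [0:0]
[0:0] -A OUTPUT -o ! lo -m owner --uid-owner65534 -j nobody
[0:0] -A OUTPUT -o ! lo -m owner --uid-owner 65534 -j nobody
[0:0] -A OUTPUT -o ! lo -m owner --gid-owner65534 -j nobody
[0:0] -A INPUT -i lo -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    repaired, found = lint_dump(SAMPLE_DUMP)
    for n, fused, fixed in found:
        print(f"line {n}: {fused!r} -> {fixed!r}")
    print(repaired, end="")
```

Run it against the output of `iptables-save` (or the file your init script restores from) and treat any finding as a reason not to rely on that dump; the repaired copy is only a candidate, and should be fed to iptables-restore on a test host before it replaces the original.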
Comment 1 Andrew Savchenko gentoo-dev 2009-01-15 23:52:31 UTC
Created attachment 178647 [details, diff]
The fix for this problem

This was reported to mainstream also:
http://bugzilla.netfilter.org/show_bug.cgi?id=570
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-01-16 00:18:06 UTC
Reassigning to base-system herd.
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2009-01-20 15:07:00 UTC
*** Bug 254435 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Drake (RETIRED) gentoo-dev 2009-01-20 16:27:45 UTC
Not exactly sure why, but bug 254435 seems to indicate that 2.6.28 exposes this iptables bug on some systems at least.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2009-01-21 18:36:04 UTC
Thank you for the report, Andrew. The patch was added in iptables-1.4.2-r2.

Daniel, the only explanation I have is that the kernel now returns the value without a space after that, but I have not looked deeper atm.