There is a bug in the iptables-save command. The error message is:

/etc/portage/patches/net-firewall/iptables # /etc/init.d/iptables restart
 * Caching service dependencies ... [ ok ]
 * Loading iptables state and starting firewall ...
iptables-restore v1.4.11.1: Couldn't load match `layer7--l7proto':No such file or directory
Error occurred at line: 178
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
 [ !! ]
 * ERROR: iptables failed to start

The above rule is added as:

iptables -A public-network-filter -m layer7 --l7proto bittorrent -j DROP

The rule works fine. After iptables save, the above error message appears and there is a missing space in the saved rules:

grep l7proto /var/lib/iptables/rules-save
-A public-network-filter -m layer7--l7proto bittorrent -j DROP

After manually editing the file and adding the space back so the above line reads as:

-A public-network-filter -m layer7 --l7proto bittorrent -j DROP

the rule loads and works after /etc/init.d/iptables restart.
This is not a bug in iptables but in l7-filter. The iptables developers changed the indentation, so ... you'll have to update libxt_layer7.c to match the newer iptables. Just check the following function there:

static void save(const void *ip, const struct xt_entry_match *match)
{
    const struct xt_layer7_info *info =
        (const struct xt_layer7_info *) match->data;

    /* no leading space here: newer iptables-save expects the match to emit it */
    printf("--l7proto %s%s ", (info->invert) ? "! " : "", info->protocol);
}

and update the printf accordingly (I guess a space before --l7proto should be enough). In any case, no package in our tree provides this match, so ... invalid.
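As an added example (not from this thread or from the l7-filter sources), here are the old and an updated save() side by side, plus a small emulation of how iptables-save joins "-m layer7" to whatever the match's save() prints. The struct definition and the rule assembly are simplified assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct xt_layer7_info (the real header has more
 * fields); save() reads only these two. */
struct xt_layer7_info {
    char protocol[32];
    int invert;
};

typedef int (*save_fn)(char *out, size_t n, const struct xt_layer7_info *info);

/* Old libxt_layer7 save(): no leading space, a trailing one instead. Output
 * goes to a buffer rather than stdout so the result can be inspected. */
static int save_old(char *out, size_t n, const struct xt_layer7_info *info)
{
    return snprintf(out, n, "--l7proto %s%s ", info->invert ? "! " : "", info->protocol);
}

/* Updated save(): the extension emits its own leading separator, which newer
 * iptables-save expects, and drops the trailing one. */
static int save_new(char *out, size_t n, const struct xt_layer7_info *info)
{
    return snprintf(out, n, " --l7proto %s%s", info->invert ? "! " : "", info->protocol);
}

/* Emulates how iptables-save assembles a rule: "-m layer7" is printed and the
 * extension's save() output follows with no separator added by the core; the
 * target is appended afterwards with its own leading space. */
static const char *saved_line(save_fn save, const char *chain, const char *proto, int invert)
{
    static char line[160];
    struct xt_layer7_info info = { .invert = invert };
    char match[64];
    snprintf(info.protocol, sizeof info.protocol, "%s", proto);
    save(match, sizeof match, &info);
    snprintf(line, sizeof line, "-A %s -m layer7%s -j DROP", chain, match);
    return line;
}

int main(void)
{
    /* Old module yields "-m layer7--l7proto bittorrent  -j DROP", so
     * iptables-restore looks for a match called `layer7--l7proto' and fails. */
    puts(saved_line(save_old, "public-network-filter", "bittorrent", 0));
    /* Updated module yields "-m layer7 --l7proto bittorrent -j DROP". */
    puts(saved_line(save_new, "public-network-filter", "bittorrent", 0));
    return 0;
}
```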
Thanks for helping. In my opinion iptables is crippled, since it does not use the same parser for the add, list and save processes. This won't be a Gentoo bug either. ;)