Bug 254435 - [2.6.28 regression] xt_owner rules written incorrectly with 2.6.28
Summary: [2.6.28 regression] xt_owner rules written incorrectly with 2.6.28
Status: RESOLVED DUPLICATE of bug 255113
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL:
Whiteboard: linux-2.6.28-regression
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-10 16:09 UTC by Michał Górny
Modified: 2009-01-20 15:07 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
iptables patch (xt-owner-space.patch,1.07 KB, patch)
2009-01-17 13:16 UTC, Daniel Drake (RETIRED)

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2009-01-10 16:09:50 UTC
xt_owner netfilter of 2.6.28 kernel (tried both gentoo-sources & tuxonice-sources) is unable to save iptables rules correctly.

While the rule should be written like this:
	[0:0] -A LOCAL_MPD -m owner --uid-owner 1000 -j ACCEPT 
iptables saves it like this:
	[0:0] -A LOCAL_MPD -m owner --uid-owner1000 -j ACCEPT 
and ip6tables like this:
	[1:80] -A LOCAL_MPD -m owner --uid-owner 1000-0 -j ACCEPT 

The result is that iptables incorrectly writes rules using xt_owner, then on the next reboot fails to reread them and overwrites rules-save with an empty set.

emerge --info:

Portage 2.2_rc20 (default/linux/amd64/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r1, 2.6.28-tuxonice-mgorny-amd64 x86_64)
=================================================================
System uname: Linux-2.6.28-tuxonice-mgorny-amd64-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_3800+-with-gentoo-2.0.0
Timestamp of tree: Sat, 10 Jan 2009 01:45:02 +0000
app-shells/bash:     3.2_p48
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python:     2.6.1
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     9999
sys-apps/sandbox:    1.3.2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.19
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.28-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/srv/nfs/common/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y --ask --jobs --load-average 9.0 --keep-going"
FEATURES="collision-protect distlocks fixpackages parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://src.gentoo.pl http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LC_ALL="pl_PL.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="pl en_US en"
MAKEOPTS="-j3"
PKGDIR="/srv/nfs/common/packages/athlon64"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/cache/portage/local /usr/portage/local/d /usr/portage/local/gnash-cvs /usr/portage/local/java-overlay /usr/portage/local/kvm /usr/portage/local/ltsp /usr/portage/local/perl-experimental /usr/portage/local/pro-audio /usr/portage/local/pythonhead /usr/portage/local/sunrise /usr/portage/local/vdr-devel /usr/portage/local/vdr-experimental /usr/portage/local/vdr-testing /usr/portage/local/voip /home/mgorny/projekty/emdzientoo"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amrnb amrwb bash-completion bluetooth branding bzip2 cairo cdparanoia cdr cleartype cli cracklib crypt curl dbus dri dts dv dvb dvd dvdr dvdread emboss encode evo exif expat fame ffmpeg firefox flac fontconfig fortran fpx gif glib gmp gnutls gpg gpgme gs hal iconv idn imagemagick ipv6 isdnlog jack jbig jpeg jpeg2k kdeenablefinal latex lirc logrotate mad mbox midi mikmod mmap mmx mmxext mng modplug mp3 mpeg mudflap multilib musepack ncurses nls nptl nptlonly nsplugin ogg opengl openmp oss oss4 pam pch pcre pdf perl png ppds pppd pulseaudio python qt3support quicktime readline reflection rle rtsp scanner sdl session slang speex spl sqlite3 sse sse2 ssl startup-notification svg sysfs syslog tcpd tetex tga theora threads tiff timidity truetype unicode usb v4l v4l2 vcd vhosts vim-syntax vorbis wmf xattr xcb xine xinetd xml xorg xpm xulrunner xv xvid xvmc zlib" ALSA_CARDS="hda-intel emu10k1 virmidi mpu401 pcsp" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl en_US en" LIRC_DEVICES="serial" USERLAND="GNU" VIDEO_CARDS="nouveau nv nvidia vesa"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LANG, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
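The failure chain in the report (malformed save output, a restore that fails on the next boot, the saved ruleset then replaced by an empty one) is exactly what a check on the dump should catch before an init script commits it. The following is an added example, not code from this bug report or from iptables; it lints an iptables-save/ip6tables-save dump for the two malformed owner-match forms quoted above, a value glued to its option (`--uid-owner1000`) and an inverted range (`1000-0`). The sample dump, the reuse of the chain name LOCAL_MPD in it, and the helper names `lint_rule`, `lint_dump` and `safe_to_commit` are all constructed here.

```python
"""Lint an iptables-save / ip6tables-save dump for malformed xt_owner matches.

Added example, not code from the bug report or from iptables. The dump
below is constructed to mirror the three forms quoted in the report.
"""
import re
from typing import List, Tuple

# owner-match options that take exactly one value (uid, gid, or a min-max range)
OWNER_VALUE_OPTS = ("--uid-owner", "--gid-owner")

# numeric id or numeric range, as libxt_owner accepts them
RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

# Constructed sample: one correct rule, the two broken serialisations quoted
# in the report (value glued to the option; range with upper bound 0), and a
# valid gid range for contrast.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL_MPD - [0:0]
[0:0] -A LOCAL_MPD -m owner --uid-owner 1000 -j ACCEPT
[0:0] -A LOCAL_MPD -m owner --uid-owner1000 -j ACCEPT
[1:80] -A LOCAL_MPD -m owner --uid-owner 1000-0 -j ACCEPT
[0:0] -A LOCAL_MPD -m owner --gid-owner 1000-1010 -j ACCEPT
COMMIT
"""


def lint_rule(line: str) -> List[str]:
    """Return the problems found in one '-A ...' rule line (empty if clean)."""
    problems: List[str] = []
    toks = line.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        # Case 1: value glued to the option, e.g. '--uid-owner1000'.
        # iptables-restore sees an unknown option and rejects the whole dump.
        for opt in OWNER_VALUE_OPTS:
            if tok != opt and tok.startswith(opt):
                problems.append(f"{opt} has no space before its value: {tok!r}")
        if tok not in OWNER_VALUE_OPTS:
            i += 1
            continue
        # Skip the negation token ('--uid-owner ! 1000' in the old syntax).
        j = i + 1
        if j < len(toks) and toks[j] == "!":
            j += 1
        if j >= len(toks) or toks[j].startswith("-"):
            problems.append(f"{tok} is missing its value")
            i = j
            continue
        val = toks[j]
        m = RANGE_RE.match(val)
        # A non-numeric value is a user/group name resolved at restore time;
        # only numeric values and ranges are checked here.
        if m is not None and m.group(2) is not None:
            lo, hi = int(m.group(1)), int(m.group(2))
            # Case 2: inverted range such as '1000-0'.
            if hi < lo:
                problems.append(f"{tok} range {val!r} has upper bound below lower bound")
        i = j + 1
    return problems


def lint_dump(text: str) -> List[Tuple[int, str]]:
    """Lint every owner-match rule in a save dump; returns (line number, problem)."""
    found: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Comments, table headers, chain declarations and COMMIT carry no rules.
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        if "-m owner" not in line and "--match owner" not in line:
            continue
        found.extend((n, p) for p in lint_rule(line))
    return found


def safe_to_commit(text: str) -> bool:
    """True only if the dump has no malformed owner matches."""
    return not lint_dump(text)


if __name__ == "__main__":
    for lineno, problem in lint_dump(SAMPLE_DUMP):
        print(f"line {lineno}: {problem}")
    print("safe to commit:", safe_to_commit(SAMPLE_DUMP))
```

Run `safe_to_commit` on the freshly produced dump before an init script replaces its rules-save file; a False result keeps the previous, known-good file in place instead of the empty set the report describes. The check is a textual lint only and does not replace actually feeding the dump to iptables-restore on a test table, but it catches the serialisation bug at the point where it is cheap to catch.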
Comment 1 George Kadianakis (RETIRED) gentoo-dev 2009-01-13 20:13:55 UTC
Hello there,

which iptables version are you using?
Such rules used to be saved normally in previous kernels? If yes, which was the latest kernel version that functioned correctly?

Thanks :)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2009-01-13 20:42:14 UTC
(In reply to comment #1)
> which iptables version are you using?

=net-firewall/iptables-1.4.2-r1

Same result with 1.4.1; older ones don't even compile (probably my fault).

> Such rules used to be saved normally in previous kernels? If yes, which was the
> latest kernel version that functioned correctly?

I used tuxonice-sources, so the last one I tried before this one was 2.6.26 and it worked without any problems - AFAIR it even saved the username instead of the numerical UID. It looks like they removed some special handling of xt_owner writes, replacing it with some universal methods, I think. AMD64, I should add.

I don't know if 2.6.27 does work. If it'd be really helpful, I can try it during the weekend.
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2009-01-16 23:53:55 UTC
Yes, please test 2.6.27 so that we can be sure that this is due to a change in kernel behaviour.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2009-01-17 07:44:54 UTC
I'll check 2.6.27 in a moment. In the meantime, I've discovered that 'iptables -L' also shows xt_owner rules weirdly:

Chain LOCAL_MPD (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            owner UID matchmpd 

(i.e. no space between 'match' and username)

Same thing with 'ip6tables -L'.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2009-01-17 12:37:15 UTC
(In reply to comment #3)
> Yes, please test 2.6.27 so that we can be sure that this is due to a change in
> kernel behaviour.

2.6.27 works fine.
Comment 6 Daniel Drake (RETIRED) gentoo-dev 2009-01-17 13:03:38 UTC
Did you check "iptables -L" under 2.6.27? I checked the source code and it seems like a pretty obvious bug there which should be kernel independent.
Comment 7 Daniel Drake (RETIRED) gentoo-dev 2009-01-17 13:16:07 UTC
Created attachment 178786 [details, diff]
iptables patch

Actually, before you do that...

Please apply this patch to iptables. Does it fix the problem under 2.6.28?

If not, please leave it applied and then go back to 2.6.27 and then respond to comment #6. Thanks!
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2009-01-17 15:16:46 UTC
(In reply to comment #7)
> Please apply this patch to iptables. Does is fix the problem under 2.6.28?

Yes, it does. Both 'iptables -L' and 'iptables-save' print out the rules correctly. ip6tables too.
Comment 9 Daniel Drake (RETIRED) gentoo-dev 2009-01-20 15:07:00 UTC

*** This bug has been marked as a duplicate of bug 255113 ***