[Bug 866] Missing newline with --list-rules

bugzilla-daemon at netfilter.org
Sat Oct 26 03:01:22 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=866

--- Comment #5 from Eric Bock <eric.bock.1980 at gmail.com> 2013-10-26 03:01:21 CEST ---
If the intent is to ensure the output of `iptables -S` is valid input for
restoring the current firewall state, partial output is not helpful.  For
example, a boot script that (apparently, naively) expects `iptables -S` to
always return successfully after outputting the entire filter table might
back up the following incorrect rules in place of previously correct rules:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT ! -i lo+

["Can't find library for match `quota2'" sent to the terminal, if there is one]

A supposed recovery from backup proceeds like this:

[ 0 ] app_42 at android:/# iptables -F INPUT
[ 0 ] app_42 at android:/# iptables -vL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

[...]

[ 0 ] app_42 at android:/# iptables -A INPUT ! -i lo+
[ 0 ] app_42 at android:/# iptables -vL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  !lo+   any     anywhere             anywhere
[ 0 ] app_42 at android:/#

This is not the same rule that existed previously; if quota2 becomes available
it will have no effect.  In the meantime the firewall is permitting all traffic
because the stored list was essentially empty.

There is probably some pathological rule which could be benign while present in
the filter table but which becomes harmful if used as truncated by `iptables
-S`.  iptables cannot know when the effect of a partial rule might be more
desirable than its complete inclusion or omission.

It would be better to output every rule completely without regard for whether
iptables would currently accept them on the command line.  They might all be
valid at restore time.  Complete output could be processed by some other
command (such as `grep -v quota2`) to produce the rules desired, and would also
help for simple inspection of errors introduced into the table.
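As an added illustration (not code from the bug report or from the iptables project) of the check the naive boot script above is missing: a new ruleset backup is installed only when `iptables -S` exits 0 and writes nothing to stderr, so a dump cut short by a missing match library can never replace the last good copy. The `IPTABLES` override and the two stand-in functions are constructed for illustration; the first stand-in reproduces the truncated dump and the quota2 message shown above.

```shell
#!/bin/sh
# Added example, not code from the bug report or from iptables itself.
# IPTABLES is a hypothetical override so the check can be exercised without
# root or a live netfilter; it defaults to the real binary.
: "${IPTABLES:=iptables}"

# save_rules OUTFILE
#   Runs "$IPTABLES -S" with stdout and stderr kept apart.  The dump replaces
#   OUTFILE only if the exit status is 0 AND nothing was written to stderr, so
#   a dump cut short by a missing match library (the quota2 case above) never
#   overwrites the last good backup, whatever exit status accompanies it.
#   Returns 0 when OUTFILE was updated, 1 when it was left untouched.
save_rules() {
    out="$1"
    tmp="$out.tmp.$$"
    err="$out.err.$$"
    if "$IPTABLES" -S >"$tmp" 2>"$err" && [ ! -s "$err" ]; then
        mv "$tmp" "$out"
        rm -f "$err"
        return 0
    fi
    # Partial dump: keep it for inspection, but do not install it as the backup.
    echo "iptables -S incomplete; keeping $out (partial dump in $tmp, errors in $err)" >&2
    return 1
}

# Constructed stand-ins (not real iptables) for trying the check out:
# one reproduces the truncated dump from the report, the other a clean dump.
truncated_iptables() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD DROP' '-P OUTPUT ACCEPT'
    printf '%s' '-A INPUT ! -i lo+'          # cut short: no trailing newline
    echo "Can't find library for match \`quota2'" >&2
    return 1
}
healthy_iptables() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD DROP' '-P OUTPUT ACCEPT'
}

# Stand-alone demo: `sh this.sh demo` rejects the truncated dump and prints
# the previous backup, which is still in place.
if [ "${1-}" = demo ]; then
    printf '%s\n' '-P INPUT DROP' >/tmp/rules.demo
    IPTABLES=truncated_iptables save_rules /tmp/rules.demo || cat /tmp/rules.demo
fi
```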
