<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - iptables fails to parse interface wildcard &quot;-i +&quot; correctly"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1702">1702</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>iptables fails to parse interface wildcard "-i +" correctly
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.8.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Ubuntu
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>thomas.strangert@emblasoft.com
</td>
</tr></table>
<p>
<div>
<pre>If I enter a simple iptables rule that uses the "-i +" input interface wildcard
thing in it, but note that I don't give any interface namestring "prefix"
before the "+" - for example:
iptables -A INPUT -i + -d 192.168.1.10 -j DROP
iptables -A INPUT -i + -d 192.168.1.11 -j DROP
iptables -A INPUT -i + -d 192.168.1.12 -j DROP
Then printouts of both iptables-save and iptables -L -n -v will show weird
non-ASCII/non-printable characters where the interfaces are supposed to be
printed!
The result for my rule example above shows as:
-A INPUT -d 192.168.80.10/32 -i ˬP
+ -j DROP
-A INPUT -d 192.168.80.11/32 -i À¨P�+ -j DROP
-A INPUT -d 192.168.80.12/32 -i ˬP + -j DROP
(The garbage chars in hex were for me \c0\a8\50\0a, \c0\a8\50\0b, \c0\a8\50\0c
respectively. Note the \0a newline char breaking up the printout into two lines
for the first rule.)
The garbage characters make
"iptables-save > /etc/iptables/rules.v4"
followed up with
"iptables-restore < /etc/iptables/rules.v4"
fail!
I discovered that if the rule also includes some "protocol" constraints like
"-p tcp -m tcp --dport 123" then iptables parses/prints the rule seemingly ok,
but for "simpler" rules iptables gets confused.
However, adding a state constraint like "-m conntrack --ctstate NEW" will still
make the bug happen.
Notes about (possibly) related bug reports:
<a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - No warning for weird interface characters if interface contains wildcard character"
href="show_bug.cgi?id=1085">https://bugzilla.netfilter.org/show_bug.cgi?id=1085</a>
<a href="https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/2033663">https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/2033663</a></pre>
</div>
</p>
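<p>Added example (not part of the bug report and not iptables' own code): a shell guard for the "iptables-save &gt; /etc/iptables/rules.v4" step described above, so that a dump whose interface names contain raw bytes is caught before it is installed and a later iptables-restore cannot fail on it. The function names (check_dump, save_rules) are hypothetical, and the sample dumps are constructed from the hex bytes quoted in the report (\c0\a8\50\0a and \c0\a8\50\0b); real iptables-save output is only assumed to start every line with a comment, table, chain, rule or COMMIT token.</p>

```shell
#!/bin/sh
# Added example, not from the bug report: validate an iptables-save dump
# before installing it as rules.v4. Two symptoms from the report are checked:
# interface (-i/-o) arguments carrying bytes outside printable ASCII, and
# stray lines such as "+ -j DROP" left behind when a newline byte lands
# inside an interface name.

# check_dump FILE: return 0 if FILE looks like a clean iptables-save dump,
# 1 otherwise (offending lines are printed with line numbers on stderr).
check_dump() {
    rc=0
    # 1. Every line must begin like an iptables-save token (assumption about
    #    the format: '#' comment, '*' table, ':' chain, '-' rule, COMMIT).
    LC_ALL=C grep -n -v -E '^(#|\*|:|-|COMMIT)' "$1" >&2 && rc=1
    # 2. Every -i/-o argument must be printable ASCII. In the C locale
    #    [:print:] is 0x20-0x7e, so bytes such as \300\250 or \012 fail.
    LC_ALL=C grep -n -E -- '-[io] [^ ]*[^[:print:]]' "$1" >&2 && rc=1
    return $rc
}

# Constructed sample reproducing the garbage from the report: the interface
# field holds the raw bytes of 192.168.80.10 / .11 (\300\250\120\012, \013),
# so the first rule is split across two lines by the embedded newline.
write_bad_dump() {
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n'
    printf '%s -i \300\250\120\012+ -j DROP\n' '-A INPUT -d 192.168.80.10/32'
    printf '%s -i \300\250\120\013+ -j DROP\n' '-A INPUT -d 192.168.80.11/32'
    printf 'COMMIT\n'
}

# Constructed clean dump: same rule with an explicit interface prefix.
write_good_dump() {
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n'
    printf '%s -i eth+ -j DROP\n' '-A INPUT -d 192.168.80.10/32'
    printf 'COMMIT\n'
}

# save_rules DEST: drop-in for "iptables-save > DEST". Reads the dump from
# stdin into a temp file, validates it, and only then moves it into place,
# so DEST is never left holding a dump that iptables-restore will reject.
save_rules() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if check_dump "$tmp"; then
        mv "$tmp" "$1"
    else
        echo "refusing to install $1: dump contains corrupted rules" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Demonstration on the constructed samples (no iptables needed). Real use:
#   iptables-save | save_rules /etc/iptables/rules.v4
demo=$(mktemp)
write_bad_dump > "$demo"
check_dump "$demo" && echo "bad dump: accepted (unexpected)" || echo "bad dump: rejected"
write_good_dump > "$demo"
check_dump "$demo" && echo "good dump: accepted" || echo "good dump: rejected (unexpected)"
rm -f "$demo"
```

The checks run grep under LC_ALL=C on purpose: in a UTF-8 locale the stray bytes are invalid sequences and grep's behaviour on them varies, whereas in the C locale every byte is a character and "printable" means exactly 0x20 to 0x7e. The guard is a stop-gap for the save step only; it does not repair the rules, it just refuses to overwrite a good rules.v4 with a dump that would break the next restore.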
</body>
</html>