[Bug 524] New: packetfence - IPtables-save produces output that iptables-restore cannot parse

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Tue Oct 17 00:36:43 CEST 2006


           Summary: packetfence - IPtables-save produces output that
                    iptables-restore cannot parse
           Product: iptables
           Version: 1.3.3
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: iptables-save
        AssignedTo: laforge at netfilter.org
        ReportedBy: bruce.rodger at strath.ac.uk

Running packetfence 1.6.1 (www.packetfence.org) on various flavours of linux,
including Fedora FC4, Ubuntu 6.06 and SLES 10.

packetfence uses IPTables::IPv4 to manipulate various tables.

It also uses iptables-save and iptables-restore at various points.

In some circumstances, iptables-save will generate output which iptables-restore
cannot parse. 

# /sbin/iptables-save > /tmp/iptables.out
# /sbin/iptables-restore < /tmp/iptables.out
Bad argument `0x0'
Error occurred at line: 612
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

The relevant lines in iptables.out are:

:PREROUTING ACCEPT [4267852:1231310083]
:INPUT ACCEPT [3375309:1170682916]
:FORWARD ACCEPT [20785:1376634]
:OUTPUT ACCEPT [2280199:343290096]
:POSTROUTING ACCEPT [2287612:343773544]
-A PREROUTING -m mac --mac-source 00:00:39:25:FF:1A -j MARK --set-mark 0x1
-A PREROUTING -m mac --mac-source 00:00:39:3D:90:EA -j MARK --set-mark 0x1
-A PREROUTING -m mac --mac-source 00:00:39:47:C2:F1 -j MARK --set-mark 0x1
Note the first "-A PREROUTING" line - no "--set-mark".

We have also observed occasions when some (but not all) of the following lines
(with mac addresses) have no "--set-mark" entry - something like:

-A PREROUTING -m mac --mac-source 00:00:39:47:C2:F1 -j MARK 0x1

We have observed this with the iptables supplied with FC4 (1.3.0?) and Ubuntu
6.06 (1.3.3)

In both instances, we upgraded to 1.3.6 and observed the same problem.

In both cases, we then downgraded to iptables v1.2.11, and this appears to
resolve the issue.


Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the netfilter-buglog mailing list