[Bug 606] New: Iptables-restore removing the wrong rules
bugzilla-daemon at bugzilla.netfilter.org
Mon Sep 14 08:45:11 CEST 2009
http://bugzilla.netfilter.org/show_bug.cgi?id=606
Summary: Iptables-restore removing the wrong rules
Product: iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: iptables-restore
AssignedTo: laforge at netfilter.org
ReportedBy: me at jacobsvensson.se
I'm having some trouble with a set of iptables rules. When setting the
sequence with iptables everything is fine, but if I'm using
iptables-restore, the wrong rules get removed at a certain point.
This is the smallest subset of rules that I have been able to find
that reproduces the problem.
As you can see, when trying to remove the rules ending with 60007, the
60009 ones are removed instead.
Looks like a bug, but perhaps I am just misunderstanding something?
I've been able to reproduce it on both 1.3.8 and 1.4.4 and on both mips and
x86.
-------------------------
user at user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
test_POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
test_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain test_OUTPUT (1 references)
target prot opt source destination
Chain test_POSTROUTING (1 references)
target prot opt source destination
user at user-laptop:~$ sudo iptables-restore -n
*nat
-F
COMMIT
*mangle
-F
COMMIT
*nat
-X
COMMIT
*mangle
-X
COMMIT
*nat
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
-N test_OUTPUT
-I OUTPUT -j test_OUTPUT
COMMIT
*mangle
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
*mangle
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40000 -d 192.168.1.5 --dport 50000 -j DSCP --set-dscp 46
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60009
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60009
COMMIT
*nat
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
user at user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
test_POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
test_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain test_OUTPUT (1 references)
target prot opt source destination
Chain test_POSTROUTING (1 references)
target prot opt source destination
SNAT udp -- 192.168.1.5 192.168.1.5 udp spt:40001 dpt:50001 to:10.76.50.70:60007
SNAT udp -- 192.168.1.5 192.168.1.5 udp spt:50001 dpt:40001 to:192.168.1.1:60007
----------------------------------
Best Regards
Jacob Svensson
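The end state the restore script above should produce, as an added example (not the reporter's or the netfilter project's code): a small Python simulator of the iptables-restore commands used in the report, so an operator can compute what the nat chain should contain after the script and diff it against what iptables-save reports after the real run. The embedded script is a constructed, condensed form of the report's nat blocks; the mangle blocks and the -F/-X preamble are left out.

```python
# Added example (not from the bug report): compute the chain state an
# iptables-restore script should leave behind, so it can be diffed against what
# iptables-save reports. Models only -N, -I and -D; rule text is matched literally.
# Constructed, condensed form of the report's nat commands (mangle blocks, -F/-X preamble omitted).
SCRIPT = """\
*nat
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60009
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60009
COMMIT
*nat
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
"""

def simulate_restore(script):
    """Return {table: {chain: [rule_text, ...]}} after applying the script in order."""
    tables, table = {}, None
    for line in filter(None, map(str.strip, script.splitlines())):
        if line.startswith("*"):                    # start of a table block
            table = tables.setdefault(line[1:], {})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"command outside a table block: {line!r}")
        else:
            op, chain, *rule = line.split(None, 2)  # rule is [] for -N
            if op == "-N":
                table.setdefault(chain, [])
            elif op == "-I":                        # no index given: insert at the head
                table.setdefault(chain, []).insert(0, rule[0])
            elif op == "-D":                        # remove the first exact textual match;
                table[chain].remove(rule[0])        # ValueError mirrors iptables' "Bad rule"
            else:
                raise ValueError(f"unsupported command: {line!r}")
    return tables

def snat_targets(tables, table="nat", chain="test_POSTROUTING"):
    """--to value of each SNAT rule in the chain, head to tail."""
    return [r.split("--to ", 1)[1] for r in tables[table][chain] if "-j SNAT" in r]
```

With the report's sequence, only the two 60009 rules should remain in test_POSTROUTING; the listing above shows the 60007 ones instead, which is the mismatch the simulator makes visible.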