[Bug 832] New: iptables-save refuses to save "--packet 0"
bugzilla-daemon at netfilter.org
Sat Jul 6 12:30:07 CEST 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=832
Summary: iptables-save refuses to save "--packet 0"
Product: iptables
Version: 1.4.x
Platform: x86_64
OS/Version: Fedora
Status: NEW
Severity: normal
Priority: P5
Component: iptables-save
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: tristen_e at yahoo.com
Estimated Hours: 0.0
Consider the following example on Fedora.
If I apply the following rules, iptables accepts the commands and works as expected:
$ iptables -t nat -A PREROUTING -p tcp --dport 90 -m statistic --mode nth --every 2 --packet 0 -j REDIRECT --to 9000
$ iptables -t nat -A PREROUTING -p tcp --dport 90 -m statistic --mode nth --every 1 --packet 0 -j REDIRECT --to 9001
Then I output to screen using:
$ iptables-save
and I see the following, without "--packet 0":
:POSTROUTING ACCEPT [38:3497]
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 2 -j REDIRECT --to-ports 9000
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 1 -j REDIRECT --to-ports 9001
Now I save to the startup file:
$ iptables-save > /etc/sysconfig/iptables
and then restarting results in a "service failed" error:
$ systemctl restart iptables.service
Then examining why the iptables service failed to start results in the following output:
$ systemctl status iptables.service
iptables: Applying firewall rules: iptables-restore v1.4.16.2: statistic: option "--every" also requires "--packet".
This is exactly the same error I'd get if I omitted "--packet 0" from the original command entered manually.
The workaround is to manually apply the script at startup.
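As an added example (not part of the bug report or of iptables itself), a POSIX sh filter that detects the defect described above in iptables-save output and re-inserts "--packet 0" before the file is handed to iptables-restore; the function names and the sample ruleset are constructed here, with the two rules taken from the report's own iptables-save output.

```shell
#!/bin/sh
# Added example, not from the bug report: repair iptables-save output in
# which "--mode nth --every N" lost its "--packet" option, so that
# iptables-restore accepts it again. Only "--packet 0" can be reconstructed
# this way; any other --packet value was lost at save time and has to be
# recovered from the original rule commands.

# fix_nth_packet: stdin = iptables-save output, stdout = repaired rules.
fix_nth_packet() {
    awk '
    # A statistic nth rule carrying --every but no --packet option.
    /-m statistic --mode nth --every [0-9]+/ && $0 !~ /--packet [0-9]+/ {
        # "&" is the matched text; append "--packet 0" directly after it.
        sub(/--mode nth --every [0-9]+/, "& --packet 0")
    }
    { print }'
}

# check_nth_packet: stdin = iptables-save output; exit 0 when every nth
# rule carries --packet, 1 otherwise (a sanity check before restore).
check_nth_packet() {
    awk '
    BEGIN { bad = 0 }
    /-m statistic --mode nth --every [0-9]+/ && $0 !~ /--packet [0-9]+/ { bad = 1 }
    END { exit bad }'
}

# Constructed sample: the two rules as iptables-save printed them in the
# report (--packet missing), plus one rule that still carries --packet 1.
SAVED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [38:3497]
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 2 -j REDIRECT --to-ports 9000
-A PREROUTING -p tcp -m tcp --dport 90 -m statistic --mode nth --every 1 -j REDIRECT --to-ports 9001
-A PREROUTING -p tcp -m tcp --dport 91 -m statistic --mode nth --every 3 --packet 1 -j REDIRECT --to-ports 9002
COMMIT'

# Stand-alone run: report whether the saved file is restorable, then repair it.
if printf '%s\n' "$SAVED_RULES" | check_nth_packet; then
    echo "saved rules already carry --packet"
else
    echo "saved rules are missing --packet; repairing" >&2
fi
printf '%s\n' "$SAVED_RULES" | fix_nth_packet
```

In practice the filter sits between the save and the restore (`iptables-save | fix_nth_packet > /etc/sysconfig/iptables`), and `check_nth_packet` can run against the saved file before the service is restarted.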