Hi, Laurence.
On Tue, Aug 06, 2013 at 10:55:10AM -0400, Laurence J. Lane wrote:
> tag 718810 moreinfo
> severity 718810 normal
> thanks
>
> On Tue, Aug 6, 2013 at 12:46 AM, Eugene Berdnikov <[email protected]> wrote:
>
> > I have such behaviour on several hosts running debian/testing.
> > Downgrade to iptables-1.4.14 solves the problem.
>
> http://paste.debian.net/23235/
>
> I just created a fresh virtual machine with testing and the kernel
> listed in your report. I still do not see the problem you're having.
> There may be an issue between iptables and whatever creates your
> iptables rules.
It seems your guess about "issue between iptables and whatever
creates your iptables rules" is true.
If rules are created with iptables-1.4.14, they are shown and saved
correctly with iptables-1.4.14.
If rules are created with iptables-1.4.19, they are shown and saved
correctly with iptables-1.4.19.
If rules are created with iptables-1.4.14, followed by an upgrade to
iptables-1.4.19, then "iptables -L" and iptables-save show wrong
results. Below is the log from a fresh debian/testing system.
------------------------------------------------------------------------
vm1-debian:~# uname -a
Linux vm1-debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2 i686 GNU/Linux
vm1-debian:~# iptables --version
iptables v1.4.14
vm1-debian:~# iptables -F
vm1-debian:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
vm1-debian:~# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
vm1-debian:~# iptables -A INPUT -m state --state NEW -j ACCEPT
vm1-debian:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
vm1-debian:~#
vm1-debian:~# apt-cache policy iptables
iptables:
Installed: 1.4.14-3.1
Candidate: 1.4.19.1-1
Version table:
1.4.19.1-1 0
500 ftp://ftp.funet.fi testing/main Packages
*** 1.4.14-3.1 0
100 /var/lib/dpkg/status
vm1-debian:~# apt-get install iptables
The following extra packages will be installed:
libxtables10
The following NEW packages will be installed:
libxtables10
The following packages will be upgraded:
iptables
1 upgraded, 1 newly installed, 0 to remove and 169 not upgraded.
Need to get 0B/429kB of archives.
After this operation, 63.5kB of additional disk space will be used.
Do you want to continue [Y/n]?
Preparing to replace iptables 1.4.14-3.1 (using
.../iptables_1.4.19.1-1_i386.deb) ...
Unpacking replacement iptables ...
Selecting previously unselected package libxtables10.
Unpacking libxtables10 (from .../libxtables10_1.4.19.1-1_i386.deb) ...
Processing triggers for man-db ...
Setting up libxtables10 (1.4.19.1-1) ...
Setting up iptables (1.4.19.1-1) ...
vm1-debian:~# iptables --version
iptables v1.4.19.1
vm1-debian:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
vm1-debian:~# iptables-save
# Generated by iptables-save v1.4.19.1 on Tue Aug 6 19:42:41 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state -j ACCEPT
-A INPUT -m state -j ACCEPT
COMMIT
# Completed on Tue Aug 6 19:42:41 2013
vm1-debian:~#
------------------------------------------------------------------------
This bug can lead to damage if the usage pattern is "keep configuration
in kernel, modify rules on the fly, save state with iptables-save".
I use such a workflow for my systems running 24x7.
--
Eugene Berdnikov
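As an added example (not part of this thread or of the iptables project), a small check that can be run over iptables-save output before it is persisted, to catch rules whose match module has lost its options, as "-m state -j ACCEPT" did in the session above. The table of modules and the options they need is an assumption to extend for your own rulesets; the sample rulesets are constructed after the log above.

```python
import shlex
import sys

# Constructed from the iptables-save output in the session above: both INPUT
# rules have lost their "--state" arguments after the upgrade.
SAMPLE_BROKEN = """\
# Generated by iptables-save v1.4.19.1 on Tue Aug 6 19:42:41 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state -j ACCEPT
-A INPUT -m state -j ACCEPT
COMMIT
# Completed on Tue Aug 6 19:42:41 2013
"""

# The same rules as they should have been saved (constructed).
SAMPLE_GOOD = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Assumption: match modules that are meaningless without at least one of
# these options; a rule that names the module but carries none is degraded.
REQUIRED_OPTIONS = {
    "state": {"--state"},
    "conntrack": {"--ctstate", "--ctstatus", "--ctproto", "--ctdir"},
    "comment": {"--comment"},
    "mac": {"--mac-source"},
}


def find_degraded_rules(save_text):
    """Return (line_no, line, module) for every rule whose match module lost its options."""
    problems = []
    for n, line in enumerate(save_text.splitlines(), 1):
        if not line.startswith(("-A ", "-I ")):
            continue  # chain policies, table headers, comments, COMMIT
        tokens = shlex.split(line)  # shlex keeps quoted --comment text intact
        i = 0
        while i < len(tokens):
            if tokens[i] in ("-m", "--match") and i + 1 < len(tokens):
                module = tokens[i + 1]
                # Options for this module run until the next match or target.
                j, opts = i + 2, set()
                while j < len(tokens) and tokens[j] not in ("-m", "--match", "-j", "-g"):
                    if tokens[j].startswith("--"):
                        opts.add(tokens[j])
                    j += 1
                needed = REQUIRED_OPTIONS.get(module)
                if needed is not None and not (opts & needed):
                    problems.append((n, line, module))
                i = j
            else:
                i += 1
    return problems


if __name__ == "__main__":
    # Usage: iptables-save | python3 check_save.py && iptables-save > rules.v4
    for n, line, module in find_degraded_rules(sys.stdin.read()):
        print(f"line {n}: '-m {module}' without its options: {line}", file=sys.stderr)
    sys.exit(1 if find_degraded_rules(SAMPLE_BROKEN) and not sys.stdin.isatty() else 0)
```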