Package: iptables
Version: 1.4.8-3
Severity: important
Tags: patch upstream

Hi, I brought up this issue with upstream already, cf.
http://bugzilla.netfilter.org/show_bug.cgi?id=683
It was fixed by the following patch by Jan Engelhardt:

diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index 4015f13..867ed49 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -558,9 +558,9 @@ static void owner_mt_save(const void *ip, const struct 
xt_entry_match *match)
 {
        const struct xt_owner_match_info *info = (void *)match->data;
 
-       owner_mt_print_item(info, "--socket-exists",  XT_OWNER_SOCKET, false);
-       owner_mt_print_item(info, "--uid-owner",      XT_OWNER_UID,    false);
-       owner_mt_print_item(info, "--gid-owner",      XT_OWNER_GID,    false);
+       owner_mt_print_item(info, "--socket-exists",  XT_OWNER_SOCKET, true);
+       owner_mt_print_item(info, "--uid-owner",      XT_OWNER_UID,    true);
+       owner_mt_print_item(info, "--gid-owner",      XT_OWNER_GID,    true);
 }
 
 static struct xtables_match owner_mt_reg[] = {
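Review bot: the three changed calls flip a bare boolean literal from false to true, and nothing in the hunk says what that last parameter of owner_mt_print_item means; a reader of owner_mt_save cannot tell from these lines that it selects numeric output (as the report describes) without opening the callee. Suggest a one-line comment above the calls, e.g. `/* always numeric: save output must restore without a user database */`, and confirming in the description that the print path used by `iptables -L` keeps its own behaviour, since only the save function is touched here.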

There's still some ongoing discussion on netfilter-devel, but I
opted to open this bug report now, to find out about the possibilities
of pushing the fix into squeeze.  I see you uploaded 1.4.10 recently
to sid, do you expect to push a new version into squeeze as well?

The issue is rather fundamental: the iptables-save program dumps
--uid-owner values in resolved form, not as numeric uids/gids, which
makes early iptables-restore impossible if the user database uses
network services (e.g. LDAP), because iptables-restore is best done
before the network is brought up.

We're heavily impacted by this, please advise on the possible options.

Thanks,
Feri.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iptables depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  libnfnetlink0                 1.0.0-1    Netfilter netlink library

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
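An added example (not from the report or from iptables itself) of the interim workaround the report implies: post-process the iptables-save output so that owner names become numeric ids before the file is handed to an early iptables-restore. The user and group tables are constructed stand-ins for the LDAP-backed database, the sample rules are constructed, and the function names are my own.

```python
import re

# Constructed sample of iptables-save output as produced before the fix:
# owner arguments are dumped as resolved names, not numeric ids.
SAMPLE_SAVE = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner www-data -j ACCEPT
-A OUTPUT -m owner --gid-owner ldapusers -j ACCEPT
-A OUTPUT -m owner ! --uid-owner root -j LOG
-A OUTPUT -m owner --uid-owner 1000-1999 -j DROP
COMMIT
"""

# Constructed stand-in for the (possibly LDAP-backed) user database. On a live
# host with the network up, pwd.getpwnam / grp.getgrnam would fill these.
USERS = {"www-data": 33, "root": 0}
GROUPS = {"ldapusers": 10000}

_OWNER_RE = re.compile(r"(--(uid|gid)-owner)\s+(\S+)")
_NUMERIC_RE = re.compile(r"^\d+(-\d+)?$")  # a single id or an id range


def numeric_owners(save_text, users=USERS, groups=GROUPS):
    """Rewrite every --uid-owner/--gid-owner name in iptables-save output to
    its numeric id, so the file restores before the network (and therefore
    LDAP/NIS) is available. Raises KeyError for a name that cannot be resolved
    rather than emitting a rules file that would fail at restore time."""
    def repl(match):
        flag, kind, value = match.groups()
        if _NUMERIC_RE.match(value):
            return match.group(0)  # already numeric, leave it alone
        table = users if kind == "uid" else groups
        return "%s %d" % (flag, table[value])  # KeyError if unknown
    return "".join(_OWNER_RE.sub(repl, line) + "\n"
                   for line in save_text.splitlines())


def unresolved_owners(save_text, users=USERS, groups=GROUPS):
    """Return the owner names that would block an early restore."""
    missing = []
    for m in _OWNER_RE.finditer(save_text):
        kind, value = m.group(2), m.group(3)
        if _NUMERIC_RE.match(value):
            continue
        if value not in (users if kind == "uid" else groups):
            missing.append(value)
    return missing
```

Run the check with the network up, when the directory is reachable, and keep only the numeric output for the boot-time restore.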
