iptables-save saves invalid negative --uid-owner expressions.

iptables-save saves invalid negative --uid-owner expressions.

[Costa Tsaousis]

Hi all,

I believe I have faced another, not-mentioned-in-2002, bug:

If you setup negative owner expressions like this:

# a transparent cache for the machine running the cache
iptables -t nat -A OUTPUT \
    -m owner ! --uid-owner squid \
    -p tcp --dport 80 ! -d 127.0.0.1 \
    -j DNAT --to 127.0.0.1:3128

then iptables-save gives this:

-A OUTPUT -d ! 127.0.0.1 -p tcp -m owner --uid-owner !squid -m tcp --dport
80 -j DNAT --to-destination 127.0.0.1:3128

which produces a "user '!squid' not found" error when restored.

Kernel  : 2.4.18-19.8.0smp
iptables: 1.2.6a
Distro  : RedHat 8.0

Regards.

-- 
Costa Tsaousis

Author of
FireHOL (http://firehol.sf.net)
-------------------------------
An iptables stateful firewall generator,
that allows you to configure your firewall...
...the way you think of it!

Re: iptables-save saves invalid negative --uid-owner expressions.

[Hervé Eychenne]

On Mon, Jan 06, 2003 at 03:31:07AM +0200, Costa Tsaousis wrote:

 Hi,

> I believe I have faced another, not-mentioned-in-2002, bug:
> [...]
> then iptables-save gives this:
> 
> -A OUTPUT -d ! 127.0.0.1 -p tcp -m owner --uid-owner !squid -m tcp --dport
> 80 -j DNAT --to-destination 127.0.0.1:3128
> 
> which produces a "user '!squid' not found" error when restored.

It seems to me that no single week passes without any post about this
kind of error (no space before a negation) in some save output module.
Sigh.
I must admit it seems quite strange to me that noone in the coreteam
didn't do that already. (hope I won't hurt anybody's feelings too
much though) ;-)

Would someone who's even more fed up than me with these recurrent
messages have time to audit the whole bunch of existing modules in
the CVS tree and fix this particular kind of problem _once and for all_?

Thanks in advance,

 Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_ WallFire project:  http://www.wallfire.org/

Re: iptables-save saves invalid negative --uid-owner expressions.

[Bart De Schuymer]

On Monday 06 January 2003 03:02, Hervé Eychenne wrote:
> It seems to me that no single week passes without any post about this
> kind of error (no space before a negation) in some save output module.
> Sigh.
> I must admit it seems quite strange to me that noone in the coreteam
> didn't do that already. (hope I won't hurt anybody's feelings too
> much though) ;-)
>
> Would someone who's even more fed up than me with these recurrent
> messages have time to audit the whole bunch of existing modules in
> the CVS tree and fix this particular kind of problem _once and for all_?

All these potential bugs could be solved by using a scheme in which no new 
file format is introduced :) A scheme where the table is saved to a file 
instead of to the kernel until all modifications are done is really not that 
hard to do. It's being done in ebtables... With this scheme, introducing a 
new module keeps everything working.

-- 
cheers,
Bart

[PATCH]: fix all iptables problems with "!" (hopefully)

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 1237 bytes --]

Hervé Eychenne wrote:

>On Mon, Jan 06, 2003 at 03:31:07AM +0200, Costa Tsaousis wrote:
>
> Hi,
>
>  
>
>>I believe I have faced another, not-mentioned-in-2002, bug:
>>[...]
>>then iptables-save gives this:
>>
>>-A OUTPUT -d ! 127.0.0.1 -p tcp -m owner --uid-owner !squid -m tcp --dport
>>80 -j DNAT --to-destination 127.0.0.1:3128
>>
>>which produces a "user '!squid' not found" error when restored.
>>    
>>
>
>It seems to me that no single week passes without any post about this
>kind of error (no space before a negation) in some save output module.
>Sigh.
>I must admit it seems quite strange to me that noone in the coreteam
>didn't do that already. (hope I won't hurt anybody's feelings too
>much though) ;-)
>
>Would someone who's even more fed up than me with these recurrent
>messages have time to audit the whole bunch of existing modules in
>the CVS tree and fix this particular kind of problem _once and for all_?
>
>  
>
I did, here is the (untested) patch, hopefully i didn't miss any.
I didn't change any of the "save"-functions, this patch just replaces 
all uses
of optarg after check_inverse by argv[optind-1].

Regards,
Patrick

>Thanks in advance,
>
> Herve
>
>  
>


[-- Attachment #2: extensions_save.diff --]
[-- Type: text/plain, Size: 10787 bytes --]

Index: extensions/libip6t_mark.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libip6t_mark.c,v
retrieving revision 1.4
diff -u -r1.4 libip6t_mark.c
--- extensions/libip6t_mark.c	29 May 2002 13:08:16 -0000	1.4
+++ extensions/libip6t_mark.c	6 Jan 2003 08:03:44 -0000
@@ -46,13 +46,13 @@
 		char *end;
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		markinfo->mark = strtoul(optarg, &end, 0);
+		markinfo->mark = strtoul(argv[optind-1], &end, 0);
 		if (*end == '/') {
 			markinfo->mask = strtoul(end+1, &end, 0);
 		} else
 			markinfo->mask = 0xffffffff;
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", argv[optind-1]);
 		if (invert)
 			markinfo->invert = 1;
 		*flags = 1;
Index: extensions/libip6t_owner.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libip6t_owner.c,v
retrieving revision 1.4
diff -u -r1.4 libip6t_owner.c
--- extensions/libip6t_owner.c	29 May 2002 13:08:16 -0000	1.4
+++ extensions/libip6t_owner.c	6 Jan 2003 08:03:45 -0000
@@ -57,12 +57,12 @@
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
 
-		if ((pwd = getpwnam(optarg)))
+		if ((pwd = getpwnam(argv[optind-1])))
 			ownerinfo->uid = pwd->pw_uid;
 		else {
-			ownerinfo->uid = strtoul(optarg, &end, 0);
-			if (*end != '\0' || end == optarg)
-				exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
+			ownerinfo->uid = strtoul(argv[optind-1], &end, 0);
+			if (*end != '\0' || end == argv[optind-1])
+				exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", argv[optind-1]);
 		}
 		if (invert)
 			ownerinfo->invert |= IP6T_OWNER_UID;
@@ -72,12 +72,12 @@
 
 	case '2':
 		check_inverse(optarg, &invert, &optind, 0);
-		if ((grp = getgrnam(optarg)))
+		if ((grp = getgrnam(argv[optind-1])))
 			ownerinfo->gid = grp->gr_gid;
 		else {
-			ownerinfo->gid = strtoul(optarg, &end, 0);
-			if (*end != '\0' || end == optarg)
-				exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
+			ownerinfo->gid = strtoul(argv[optind-1], &end, 0);
+			if (*end != '\0' || end == argv[optind-1])
+				exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", argv[optind-1]);
 		}
 		if (invert)
 			ownerinfo->invert |= IP6T_OWNER_GID;
@@ -87,9 +87,9 @@
 
 	case '3':
 		check_inverse(optarg, &invert, &optind, 0);
-		ownerinfo->pid = strtoul(optarg, &end, 0);
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
+		ownerinfo->pid = strtoul(argv[optind-1], &end, 0);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", argv[optind-1]);
 		if (invert)
 			ownerinfo->invert |= IP6T_OWNER_PID;
 		ownerinfo->match |= IP6T_OWNER_PID;
@@ -98,9 +98,9 @@
 
 	case '4':
 		check_inverse(optarg, &invert, &optind, 0);
-		ownerinfo->sid = strtoul(optarg, &end, 0);
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
+		ownerinfo->sid = strtoul(argv[optind-1], &end, 0);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", argv[optind-1]);
 		if (invert)
 			ownerinfo->invert |= IP6T_OWNER_SID;
 		ownerinfo->match |= IP6T_OWNER_SID;
Index: extensions/libipt_connmark.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_connmark.c,v
retrieving revision 1.5
diff -u -r1.5 libipt_connmark.c
--- extensions/libipt_connmark.c	20 Sep 2002 15:25:13 -0000	1.5
+++ extensions/libipt_connmark.c	6 Jan 2003 08:03:45 -0000
@@ -46,13 +46,13 @@
 		char *end;
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		markinfo->mark = strtoul(optarg, &end, 0);
+		markinfo->mark = strtoul(argv[optind-1], &end, 0);
 		if (*end == '/') {
 			markinfo->mask = strtoul(end+1, &end, 0);
 		} else
 			markinfo->mask = 0xffffffff;
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", argv[optind-1]);
 		if (invert)
 			markinfo->invert = 1;
 		*flags = 1;
Index: extensions/libipt_ecn.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_ecn.c,v
retrieving revision 1.3
diff -u -r1.3 libipt_ecn.c
--- extensions/libipt_ecn.c	5 Aug 2002 19:35:52 -0000	1.3
+++ extensions/libipt_ecn.c	6 Jan 2003 08:03:45 -0000
@@ -80,7 +80,7 @@
 			einfo->invert |= IPT_ECN_OP_MATCH_IP;
 		*flags |= IPT_ECN_OP_MATCH_IP;
 		einfo->operation |= IPT_ECN_OP_MATCH_IP;
-		if (string_to_number(optarg, 0, 3, &result))
+		if (string_to_number(argv[optind-1], 0, 3, &result))
 			exit_error(PARAMETER_PROBLEM,
 				   "ECN match: Value out of range");
 		einfo->ip_ect = result;
Index: extensions/libipt_helper.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_helper.c,v
retrieving revision 1.3
diff -u -r1.3 libipt_helper.c
--- extensions/libipt_helper.c	29 May 2002 13:08:16 -0000	1.3
+++ extensions/libipt_helper.c	6 Jan 2003 08:03:45 -0000
@@ -44,8 +44,8 @@
 
 	switch (c) {
 	case '1':
-		check_inverse(optarg, &invert, &invert, 0);
-		strncpy(info->name, optarg, 29);
+		check_inverse(optarg, &invert, &optind, 0);
+		strncpy(info->name, argv[optind-1], 29);
 		if (invert)
 			info->invert = 1;
 		*flags = 1;
Index: extensions/libipt_mark.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_mark.c,v
retrieving revision 1.8
diff -u -r1.8 libipt_mark.c
--- extensions/libipt_mark.c	20 Sep 2002 15:25:13 -0000	1.8
+++ extensions/libipt_mark.c	6 Jan 2003 08:03:45 -0000
@@ -46,13 +46,13 @@
 		char *end;
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		markinfo->mark = strtoul(optarg, &end, 0);
+		markinfo->mark = strtoul(argv[optind-1], &end, 0);
 		if (*end == '/') {
 			markinfo->mask = strtoul(end+1, &end, 0);
 		} else
 			markinfo->mask = 0xffffffff;
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", argv[optind-1]);
 		if (invert)
 			markinfo->invert = 1;
 		*flags = 1;
Index: extensions/libipt_owner.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_owner.c,v
retrieving revision 1.8
diff -u -r1.8 libipt_owner.c
--- extensions/libipt_owner.c	29 May 2002 13:08:16 -0000	1.8
+++ extensions/libipt_owner.c	6 Jan 2003 08:03:45 -0000
@@ -71,12 +71,12 @@
 		struct group *grp;
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		if ((pwd = getpwnam(optarg)))
+		if ((pwd = getpwnam(argv[optind-1])))
 			ownerinfo->uid = pwd->pw_uid;
 		else {
-			ownerinfo->uid = strtoul(optarg, &end, 0);
-			if (*end != '\0' || end == optarg)
-				exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
+			ownerinfo->uid = strtoul(argv[optind-1], &end, 0);
+			if (*end != '\0' || end == argv[optind-1])
+				exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", argv[optind-1]);
 		}
 		if (invert)
 			ownerinfo->invert |= IPT_OWNER_UID;
@@ -86,12 +86,12 @@
 
 	case '2':
 		check_inverse(optarg, &invert, &optind, 0);
-		if ((grp = getgrnam(optarg)))
+		if ((grp = getgrnam(argv[optind-1])))
 			ownerinfo->gid = grp->gr_gid;
 		else {
-			ownerinfo->gid = strtoul(optarg, &end, 0);
-			if (*end != '\0' || end == optarg)
-				exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
+			ownerinfo->gid = strtoul(argv[optind-1], &end, 0);
+			if (*end != '\0' || end == argv[optind-1])
+				exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", argv[optind-1]);
 		}
 		if (invert)
 			ownerinfo->invert |= IPT_OWNER_GID;
@@ -101,9 +101,9 @@
 
 	case '3':
 		check_inverse(optarg, &invert, &optind, 0);
-		ownerinfo->pid = strtoul(optarg, &end, 0);
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
+		ownerinfo->pid = strtoul(argv[optind-1], &end, 0);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", argv[optind-1]);
 		if (invert)
 			ownerinfo->invert |= IPT_OWNER_PID;
 		ownerinfo->match |= IPT_OWNER_PID;
@@ -112,9 +112,9 @@
 
 	case '4':
 		check_inverse(optarg, &invert, &optind, 0);
-		ownerinfo->sid = strtoul(optarg, &end, 0);
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
+		ownerinfo->sid = strtoul(argv[optind-1], &end, 0);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", argv[optind-1]);
 		if (invert)
 			ownerinfo->invert |= IPT_OWNER_SID;
 		ownerinfo->match |= IPT_OWNER_SID;
@@ -124,10 +124,11 @@
 #ifdef IPT_OWNER_COMM
 	case '5':
 		check_inverse(optarg, &invert, &optind, 0);
-		if(strlen(optarg) > sizeof(ownerinfo->comm))
-			exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
+		if(strlen(argv[optind-1]) > sizeof(ownerinfo->comm))
+			exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters",
+			           argv[optind-1], sizeof(ownerinfo->comm));
 
-		strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
+		strncpy(ownerinfo->comm, argv[optind-1], sizeof(ownerinfo->comm));
 
 		if (invert)
 			ownerinfo->invert |= IPT_OWNER_COMM;
Index: extensions/libipt_realm.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_realm.c,v
retrieving revision 1.4
diff -u -r1.4 libipt_realm.c
--- extensions/libipt_realm.c	29 May 2002 13:08:16 -0000	1.4
+++ extensions/libipt_realm.c	6 Jan 2003 08:03:45 -0000
@@ -50,13 +50,13 @@
 		char *end;
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		realminfo->id = strtoul(optarg, &end, 0);
+		realminfo->id = strtoul(argv[optind-1], &end, 0);
 		if (*end == '/') {
 			realminfo->mask = strtoul(end+1, &end, 0);
 		} else
 			realminfo->mask = 0xffffffff;
-		if (*end != '\0' || end == optarg)
-			exit_error(PARAMETER_PROBLEM, "Bad REALM value `%s'", optarg);
+		if (*end != '\0' || end == argv[optind-1])
+			exit_error(PARAMETER_PROBLEM, "Bad REALM value `%s'", argv[optind-1]);
 		if (invert)
 			realminfo->invert = 1;
 		*flags = 1;

Re: [PATCH]: fix all iptables problems with '!' (hopefully)

[Costa Tsaousis]

Patrick McHardy said:
> I did, here is the (untested) patch, hopefully i didn't miss any.
> I didn't change any of the "save"-functions, this patch just replaces
> all uses
> of optarg after check_inverse by argv[optind-1].

I didn't test it, but keep in mind that the ! in certain cases has to be
placed *before* the argument and its value.

For example:

--uid-owner ! squid

is not accepted either ("user '!' not found"). The correct is:

! --uid-owner squid

Regards

-- 
Costa Tsaousis

Author of
FireHOL (http://firehol.sf.net)
-------------------------------
An iptables stateful firewall generator,
that allows you to configure your firewall...
...the way you think of it!

Re: [PATCH]: fix all iptables problems with '!' (hopefully)

[Patrick McHardy]

Costa Tsaousis wrote:

>Patrick McHardy said:
>  
>
>>I did, here is the (untested) patch, hopefully i didn't miss any.
>>I didn't change any of the "save"-functions, this patch just replaces
>>all uses
>>of optarg after check_inverse by argv[optind-1].
>>    
>>
>
>I didn't test it, but keep in mind that the ! in certain cases has to be
>placed *before* the argument and its value.
>
>For example:
>
>--uid-owner ! squid
>
>is not accepted either ("user '!' not found"). The correct is:
>
>! --uid-owner squid
>  
>
In fact ! is used in many matches in a non-boolean context.
After the patch is applied, both it always possible
(! --uid-owner xxx / --uid-owner ! xxx).
It would still be nice to have the helptexts unified concerning
the use of '!', i think.

Regards,
Patrick

Re: [PATCH]: fix all iptables problems with '!' (hopefully)

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 869 bytes --]

On Mon, Jan 06, 2003 at 04:33:44PM +0100, Patrick McHardy wrote:
> In fact ! is used in many matches in a non-boolean context.
> After the patch is applied, both it always possible
> (! --uid-owner xxx / --uid-owner ! xxx).
> It would still be nice to have the helptexts unified concerning
> the use of '!', i think.

This is why I'm still unsure whether to apply your patch or not.

I'd rather like to enforce one unique syntax than offering two different
options giving the same result (and possibly causing confusion with the
user).

> Regards,
> Patrick

-- 
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
 as I'm the dictator."  --  George W. Bush Dec 18, 2000

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: [PATCH]: fix all iptables problems with '!' (hopefully)

[Patrick McHardy]

Harald Welte wrote:

>On Mon, Jan 06, 2003 at 04:33:44PM +0100, Patrick McHardy wrote:
>  
>
>>In fact ! is used in many matches in a non-boolean context.
>>After the patch is applied, both it always possible
>>(! --uid-owner xxx / --uid-owner ! xxx).
>>It would still be nice to have the helptexts unified concerning
>>the use of '!', i think.
>>    
>>
>
>This is why I'm still unsure whether to apply your patch or not.
>
>I'd rather like to enforce one unique syntax than offering two different
>options giving the same result (and possibly causing confusion with the
>user).
>  
>
Thats the reason why i was unsure weather to send the patch or not ;)
What about if i convert all matches to only show "!" in boolean context 
in the
helptexts and change check_inverse and what else might be neccessary to 
enforce this ?
What about backward-compatibility ?

Regards,
Patrick

Re: [PATCH]: fix all iptables problems with '!' (hopefully)

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 972 bytes --]

On Tue, Jan 07, 2003 at 07:53:31PM +0100, Patrick McHardy wrote:

> Thats the reason why i was unsure weather to send the patch or not ;)

I see. 

> What about if i convert all matches to only show "!" in boolean context 
> in the helptexts and change check_inverse and what else might be
> neccessary to enforce this ?

I think this is a wise idea.

> What about backward-compatibility ?

This is usually not my idea of being user-friendly... but considering
how much trouble we've had with this over the last couple of months, I'm
willing to sacrifice a bit of backwards compatibility.

To everyone: Please feel free to protest.

> Regards,
> Patrick

-- 
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
 as I'm the dictator."  --  George W. Bush Dec 18, 2000

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: [PATCH]: fix all iptables problems with '!' (hopefully)

[Patrick McHardy]

Harald Welte wrote:

>>What about if i convert all matches to only show "!" in boolean context 
>>in the helptexts and change check_inverse and what else might be
>>neccessary to enforce this ?
>>    
>>
>
>I think this is a wise idea.
>  
>
Since i have to touch a lot of helptexts anyway i thought it might be 
the time to unify their format.
Any wishes regarding this ?

Regards,
Patrick


>  
>
>>What about backward-compatibility ?
>>    
>>
>
>This is usually not my idea of being user-friendly... but considering
>how much trouble we've had with this over the last couple of months, I'm
>willing to sacrifice a bit of backwards compatibility.
>
>To everyone: Please feel free to protest.
>
>  
>

Re: iptables-save saves invalid negative --uid-owner expressions.

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1583 bytes --]

On Mon, Jan 06, 2003 at 03:02:19AM +0100, Hervé Eychenne wrote:
> On Mon, Jan 06, 2003 at 03:31:07AM +0200, Costa Tsaousis wrote:
> 
>  Hi,
> 
> > I believe I have faced another, not-mentioned-in-2002, bug:
> > [...]
> > then iptables-save gives this:
> > 
> > -A OUTPUT -d ! 127.0.0.1 -p tcp -m owner --uid-owner !squid -m tcp --dport
> > 80 -j DNAT --to-destination 127.0.0.1:3128
> > 
> > which produces a "user '!squid' not found" error when restored.
> 
> It seems to me that no single week passes without any post about this
> kind of error (no space before a negation) in some save output module.
> Sigh.

Your observation is true.

> I must admit it seems quite strange to me that noone in the coreteam
> didn't do that already. (hope I won't hurt anybody's feelings too
> much though) ;-)

The problem is that we are mostly talking about contributed extensions,
and nobody seems to test the save() and restore() functions of their
extensions properly.

> Would someone who's even more fed up than me with these recurrent
> messages have time to audit the whole bunch of existing modules in
> the CVS tree and fix this particular kind of problem _once and for all_?

It can even be automatized by a script...

> Thanks in advance,
>  Herve
 

-- 
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
 as I'm the dictator."  --  George W. Bush Dec 18, 2000

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]