* bug in iptables-save/iptables-restore
@ 2002-11-17 15:23 Gerry Skerbitz
  2002-11-24 11:43 ` [PATCH] " Michael Schwendt
  2002-12-09 16:28 ` Harald Welte
From: Gerry Skerbitz @ 2002-11-17 15:23 UTC (permalink / raw)
  To: netfilter-devel

I installed narc to build some firewall rules for me, but to fit it in 
well with the RedHat8 installation,
I wanted to put its rules in /etc/sysconfig/iptables.  I ran
iptables-save > /etc/sysconfig/iptables
Then I tried restoring it using
iptables-restore /etc/sysconfig iptables and got these errors:
#~>/sbin/iptables-restore /etc/sysconfig/iptables
iptables-restore v1.2.7a: length invalid: `!40'

Try `iptables-restore -h' or 'iptables-restore --help' for more information.

here are the offending lines created by iptables-save:
#~>iptables-save | grep length
-A CUST_LOG -p tcp -m length --length !40:68 -j LOG --log-prefix 
"PACKET_LENGTH_BAD: " --log-level 7 --log-tcp-options --log-ip-options
-A CUST_LOG -p tcp -m length --length !40:68 -j DROP
#~>

I just did some digging and figured out that the exclamation point 
should go before the --length 40:68.  I guess that's
what iptables-save should really do and clearly it's what narc does when 
it sets up the rule.

No reply necessary.   Thanks for all the work you do!

Gerry


* [PATCH] Re: bug in iptables-save/iptables-restore
  2002-11-17 15:23 bug in iptables-save/iptables-restore Gerry Skerbitz
@ 2002-11-24 11:43 ` Michael Schwendt
  2002-12-05 20:32   ` Harald Welte
  2002-12-09 16:28 ` Harald Welte
From: Michael Schwendt @ 2002-11-24 11:43 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Gerry Skerbitz



On Sun, 17 Nov 2002 09:23:27 -0600, Gerry Skerbitz wrote:

> I installed narc to build some firewall rules for me, but to fit it in
> well with the RedHat8 installation,
> I wanted to put its rules in /etc/sysconfig/iptables.  I ran
> iptables-save > /etc/sysconfig/iptables
> Then I tried restoring it using
> iptables-restore /etc/sysconfig iptables and got these errors:
> #~>/sbin/iptables-restore /etc/sysconfig/iptables
> iptables-restore v1.2.7a: length invalid: `!40'
> 
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
> 
> here are the offending lines created by iptables-save:
> #~>iptables-save | grep length
> -A CUST_LOG -p tcp -m length --length !40:68 -j LOG --log-prefix 
> "PACKET_LENGTH_BAD: " --log-level 7 --log-tcp-options --log-ip-options
> -A CUST_LOG -p tcp -m length --length !40:68 -j DROP
> #~>
> 
> I just did some digging and figured out that the exclamation point 
> should go before the --length 40:68.  I guess that's
> what iptables-save should really do and clearly it's what narc does
> when it sets up the rule.

It should go before the 40:68, but separated with whitespace,
like: -m length --length ! 40:68

Try attached patch.

This is one of a series of similar "missing white-space" in
iptables-save bugs. At some point in time it seems something
important was changed in the iptables package which broke
several extensions like this.

Michael

[-- Attachment #2: iptables-1.2.7a-length.patch --]
[-- Type: application/octet-stream, Size: 986 bytes --]

Add missing space between '!' and lengths parameter upon
printing/saving inverted -m --length rule.

diff -Naur iptables-1.2.7a-orig/extensions/libip6t_length.c iptables-1.2.7a/extensions/libip6t_length.c
--- iptables-1.2.7a-orig/extensions/libip6t_length.c	Wed May 29 15:08:16 2002
+++ iptables-1.2.7a/extensions/libip6t_length.c	Sun Nov 24 12:33:30 2002
@@ -114,7 +114,7 @@
 print_length(struct ip6t_length_info *info)
 {
 	if (info->invert)
-		fputc('!', stdout);
+		printf("! ");
 	
 	if (info->max == info->min)
 		printf("%u ", info->min);
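Review bot: printf("! ") gives the whitespace-separated token that iptables-restore needs, but print_length in this file serves both the listing and the save callers, so `ip6tables -L -v` output changes as well; that is the desired outcome, since the listed form should be the restorable form, but the patch description should say so and name the IPv6 extension explicitly rather than only "-m --length". fputs("! ", stdout) would also be the closer replacement for the fputc call being removed, since no formatting is involved.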
diff -Naur iptables-1.2.7a-orig/extensions/libipt_length.c iptables-1.2.7a/extensions/libipt_length.c
--- iptables-1.2.7a-orig/extensions/libipt_length.c	Wed May 29 15:08:16 2002
+++ iptables-1.2.7a/extensions/libipt_length.c	Sun Nov 24 12:33:59 2002
@@ -112,7 +112,7 @@
 print_length(struct ipt_length_info *info)
 {
 	if (info->invert)
-		fputc('!', stdout);
+		printf("! ");
 	
 	if (info->max == info->min)
 		printf("%u ", info->min);
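Review bot: this is the same one-line fix as in libip6t_length.c and is correct for the "length invalid: `!40'" failure, but since the cover note calls it one of a series of missing-whitespace bugs, the other extensions should be checked for the same `fputc('!', stdout)` followed by a printf with no leading space and fixed in the same change; otherwise iptables-save output for those matches stays unrestorable. A round-trip of a ruleset with the inverted match through iptables-save and iptables-restore would serve as the regression test.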

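A small normaliser for the whitespace problem Michael describes, as an added example that is not part of the thread or of the iptables project: it rewrites the fused `--length !40:68` form that iptables-save 1.2.7a emits into the `--length ! 40:68` form iptables-restore parses, and counts any fused occurrences that remain so a dump can be checked before it is loaded. The sample dump is constructed from the lines in the bug report.

```shell
#!/bin/sh
# Added example (not from the thread or the iptables project): make an
# iptables-save dump with inverted length matches restorable again.

# Rewrite "--length !MIN[:MAX]" to "--length ! MIN[:MAX]"; other uses of
# "!" in the dump are left untouched.
fix_inverted_length() {
    sed -E 's/(--length)[[:space:]]+!([0-9]+(:[0-9]+)?)/\1 ! \2/g'
}

# Number of rule lines that still carry a fused "!<digit>" after --length.
# Anything other than 0 means iptables-restore 1.2.7a would reject the
# dump with "length invalid".
count_fused_length() {
    grep -cE -- '--length[[:space:]]+![0-9]' || true
}

# Constructed sample dump mirroring the lines from the bug report.
SAMPLE='*filter
-A CUST_LOG -p tcp -m length --length !40:68 -j LOG --log-prefix "PACKET_LENGTH_BAD: " --log-level 7
-A CUST_LOG -p tcp -m length --length !40:68 -j DROP
-A CUST_LOG -p tcp -m length --length 1400 -j ACCEPT
COMMIT'

# Stand-alone run: report the fused count before the rewrite, then emit the
# corrected dump (pipe it into iptables-restore once the count is 0).
printf 'fused length matches before rewrite: %s\n' \
    "$(printf '%s\n' "$SAMPLE" | count_fused_length)"
printf '%s\n' "$SAMPLE" | fix_inverted_length
```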

* Re: [PATCH] Re: bug in iptables-save/iptables-restore
  2002-11-24 11:43 ` [PATCH] " Michael Schwendt
@ 2002-12-05 20:32   ` Harald Welte
From: Harald Welte @ 2002-12-05 20:32 UTC (permalink / raw)
  To: Michael Schwendt; +Cc: netfilter-devel, Gerry Skerbitz


On Sun, Nov 24, 2002 at 12:43:44PM +0100, Michael Schwendt wrote:
> It should go before the 40:68, but separated with whitespace,
> like: -m length --length ! 40:68
> 
> Try attached patch.

thanks, patch applied.

> Michael

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)



* Re: bug in iptables-save/iptables-restore
  2002-11-17 15:23 bug in iptables-save/iptables-restore Gerry Skerbitz
  2002-11-24 11:43 ` [PATCH] " Michael Schwendt
@ 2002-12-09 16:28 ` Harald Welte
  2002-12-10  2:49   ` Gerry
From: Harald Welte @ 2002-12-09 16:28 UTC (permalink / raw)
  To: Gerry Skerbitz; +Cc: netfilter-devel


On Sun, Nov 17, 2002 at 09:23:27AM -0600, Gerry Skerbitz wrote:
> here are the offending lines created by iptables-save:
> #~>iptables-save | grep length
> -A CUST_LOG -p tcp -m length --length !40:68 -j LOG --log-prefix 
> "PACKET_LENGTH_BAD: " --log-level 7 --log-tcp-options --log-ip-options
> -A CUST_LOG -p tcp -m length --length !40:68 -j DROP
> #~>
> 
> I just did some digging and figured out that the exclamation point 
> should go before the --length 40:68.  I guess that's
> what iptables-save should really do and clearly it's what narc does when 
> it sets up the rule.

there was a bugfix for libipt_length.c, which is in latest CVS.  Could
you try using the latest CVS version (or the latest iptables-snapshot
from ftp.netfilter.org) and see if the bug is gone?

Thanks.

> Gerry

-- 
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
 as I'm the dictator."  --  George W. Bush Dec 18, 2000



* Re: bug in iptables-save/iptables-restore
  2002-12-09 16:28 ` Harald Welte
@ 2002-12-10  2:49   ` Gerry
From: Gerry @ 2002-12-10  2:49 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter-devel

Harald,
I grabbed the source from cvs, compiled it -- even though I didn't have 
matching kernel and source :-) and installed it in /usr/local and ran it.


#/home2/gsker/src/iptables/netfilter/userspace>/usr/local/sbin/iptables-save | 
grep length
-A CUST_LOG -p tcp -m length --length ! 40:68 -j LOG --log-prefix 
"PACKET_LENGTH_BAD: " --log-level debug --log-tcp-options --log-ip-options 
-A CUST_LOG -p tcp -m length --length ! 40:68 -j DROP 
#/home2/gsker/src/iptables/netfilter/userspace>
#/home2/gsker/src/iptables/netfilter/userspace>/usr/local/sbin/iptables-save > 
save.out
#/home2/gsker/src/iptables/netfilter/userspace>/usr/local/sbin/iptables-restore 
./save.out

The length problem appears to be fixed! 
Thank you very much!
(it seems really slow, though.....)

Mind you I've just been installing these things from the rpms and will
probably continue to do that. I don't change my firewall very frequently and
manually editing it or sending it through sed is fine just to keep the package 
world fairly clean.

HTH,
Gerry

On Mon, 9 Dec 2002, Harald Welte wrote:

> On Sun, Nov 17, 2002 at 09:23:27AM -0600, Gerry Skerbitz wrote:
> > here are the offending lines created by iptables-save:
> > #~>iptables-save | grep length
> > -A CUST_LOG -p tcp -m length --length !40:68 -j LOG --log-prefix 
> > "PACKET_LENGTH_BAD: " --log-level 7 --log-tcp-options --log-ip-options
> > -A CUST_LOG -p tcp -m length --length !40:68 -j DROP
> > #~>
> > 
> > I just did some digging and figured out that the exclamation point 
> > should go before the --length 40:68.  I guess that's
> > what iptables-save should really do and clearly it's what narc does when 
> > it sets up the rule.
> 
> there was a bugfix for libipt_length.c, which is in latest CVS.  Could
> you try using the latest CVS version (or the latest iptables-snapshot
> from ftp.netfilter.org) and see if the bug is gone?
> 
> Thanks.
> 
> > Gerry
> 
> 

-- 
Gerry Skerbitz
gsker@tcfreenet.org
