* iptables 1.8.10 translate error
From: imnozi @ 2024-09-28 4:12 UTC (permalink / raw)
To: netfilter-devel
In iptables v1.8.10, iptables-translate has a small parse error; it doesn't like log prefix that has a trailing space:
----------------
[root@kvm64-62 sbin]# iptables-save|grep -- "^-.*LOG" |while read a; do echo -e "\n$a"; iptables-translate $a;done
-A invdrop -j LOG --log-prefix "Denied-by-mangle:invdrop "
Bad argument `"'
Try `iptables-translate -h' or 'iptables-translate --help' for more information.
-A INPUT -j LOG --log-prefix "Denied-by-filter:INPUT "
Bad argument `"'
Try `iptables-translate -h' or 'iptables-translate --help' for more information.
-A FORWARD -j LOG --log-prefix "Denied-by-filter:FORWARD "
Bad argument `"'
Try `iptables-translate -h' or 'iptables-translate --help' for more information.
-A lldrop -j LOG --log-prefix "Denied-by-filter:lldrop "
Bad argument `"'
Try `iptables-translate -h' or 'iptables-translate --help' for more information.
-A restrict_remote -j LOG --log-prefix "Denied-by-filter:rstr_rem "
Bad argument `"'
Try `iptables-translate -h' or 'iptables-translate --help' for more information.
-A tndrop -j LOG --log-prefix "Denied-by-filter:tndrop "
Bad argument `"'
Try `iptables-translate -h' or 'iptables-translate --help' for more information.
[root@kvm64-62 sbin]#
----------------
It accepts the rest of the 345 rules without complaint.
Neal
* Re: iptables 1.8.10 translate error
From: Florian Westphal @ 2024-09-28 8:58 UTC (permalink / raw)
To: imnozi; +Cc: netfilter-devel
imnozi@gmail.com <imnozi@gmail.com> wrote:
> In iptables v1.8.10, iptables-translate has a small parse error; it doesn't like log prefix that has a trailing space:
> [root@kvm64-62 sbin]# iptables-save|grep -- "^-.*LOG" |while read a; do echo -e "\n$a"; iptables-translate $a;done
>
> -A invdrop -j LOG --log-prefix "Denied-by-mangle:invdrop "
> Bad argument `"'
That's because iptables doesn't support it either:
iptables -A INPUT -j LOG --log-prefix \"Denied-by-filter:rstr_rem \"
Bad argument `"'
This works with iptables -A ... because shell removes the "" before
passing it on to iptables, so you could amend your script to use
bash -c "iptables -A ...".
or, simpler yet, try:
iptables-save | iptables-restore-translate -f /dev/stdin
This should work.
* Re: iptables 1.8.10 translate error
From: imnozi @ 2024-09-28 12:27 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Ah. Does iptables now auto-insert a space between the prefix and the message? 1.6.0 didn't, which is why I added those spaces years ago.
But then, how does iptables-translate grouse about the '"' being a bad arg if the shell strips the quotes out?
I suppose I could try putting a naked "\ " at the end of the prefix; maybe that would work.
N
On Sat, 28 Sep 2024 10:58:51 +0200
Florian Westphal <fw@strlen.de> wrote:
> imnozi@gmail.com <imnozi@gmail.com> wrote:
> > In iptables v1.8.10, iptables-translate has a small parse error; it doesn't like log prefix that has a trailing space:
>
> > [root@kvm64-62 sbin]# iptables-save|grep -- "^-.*LOG" |while read a; do echo -e "\n$a"; iptables-translate $a;done
> >
> > -A invdrop -j LOG --log-prefix "Denied-by-mangle:invdrop "
> > Bad argument `"'
>
> That's because iptables doesn't support it either:
>
> iptables -A INPUT -j LOG --log-prefix \"Denied-by-filter:rstr_rem \"
> Bad argument `"'
>
> This works with iptables -A ... because shell removes the "" before
> passing it on to iptables, so you could amend your script to use
> bash -c "iptables -A ...".
>
> or, simpler yet, try:
>
> iptables-save | iptables-restore-translate -f /dev/stdin
>
> This should work.
* Re: iptables 1.8.10 translate error
From: Phil Sutter @ 2024-09-28 18:39 UTC (permalink / raw)
To: imnozi; +Cc: Florian Westphal, netfilter-devel
On Sat, Sep 28, 2024 at 08:27:13AM -0400, imnozi@gmail.com wrote:
> Ah. Does iptables now auto-insert a space between the prefix and the message? 1.6.0 didn't, which is why I added those spaces years ago.
>
> But then, how does iptables-translate grouse about the '"' being a bad arg if the shell strips the quotes out?
It's the other way round: You're capturing the quotes in $a so the shell
will pass them to the command after expanding the variable reference.
[...]
> > > [root@kvm64-62 sbin]# iptables-save|grep -- "^-.*LOG" |while read a; do echo -e "\n$a"; iptables-translate $a;done
Your test-script is simply broken. Instead of 'iptables-translate $a',
call 'eval "iptables-translate $a"' and everything's fine. You did not
try calling iptables-translate with given parameters manually, did you?
Please keep in mind that the first step after writing a test script is
to debug the test script itself.
Cheers, Phil
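
The word splitting Phil describes, as an added example that is not part of the original thread: `show_args` is a hypothetical stand-in for iptables-translate, and the rule line is a constructed sample in the shape of the iptables-save output quoted above.

```shell
#!/bin/sh
# Constructed sample line in the shape iptables-save prints LOG rules.
rule='-A INPUT -j LOG --log-prefix "Denied-by-filter:INPUT "'

# Hypothetical stand-in for iptables-translate: print each received
# argument in brackets, one per line, so argument boundaries are visible.
show_args() {
    for arg in "$@"; do
        printf '[%s]\n' "$arg"
    done
}

# What the loop in the report does: unquoted expansion. The shell only
# splits the value on whitespace; quote characters inside the value are
# data, so the prefix breaks in two and a lone '"' becomes an argument.
split_unquoted() {
    # shellcheck disable=SC2086
    show_args $1
}

# What eval does: the text is parsed again as shell source, so the
# double quotes group the prefix (trailing space included) and vanish.
split_eval() {
    eval "show_args $1"
}

echo "unquoted expansion:"; split_unquoted "$rule"
echo "eval:";               split_eval "$rule"
```

eval re-parses the whole line as shell source, so it fits only input you trust, such as your own iptables-save output; the iptables-restore-translate pipeline from Florian's reply never passes the rules through the shell.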