
touch-packages team mailing list archive

[Bug 899200] Re: iptables-save fails to store network prefix length in dump
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".

** Changed in: iptables (Ubuntu Lucid)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/899200

Title:
  iptables-save fails to store network prefix length in dump

Status in iptables package in Ubuntu:
  Fix Released
Status in iptables source package in Lucid:
  Won't Fix
Status in iptables source package in Precise:
  Fix Released

Bug description:
  With kernel 2.6.32-35-generic and lucid iptables, iptables-save does
  not save the real iptables entries currently active in the nat table;
  at least the conntrack match entries (--ctorigdst with a network) are
  corrupted.

  In my opinion, this should have only mild security implications and
  might only be observed on machines with paranoid rulesets, as
  conntrack in nat might not be a common use case. As soon as the broken
  source code is found, the impact on other rules should be re-evaluated.

  In the worst case, this bug might lead to service interruption (our case)
  or bypass of access restrictions when restoring rules exported with the
  broken "iptables-save".

  How to detect:

  # iptables -t nat -A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0/24 -j SNAT --to-source 192.168.1.1
  # iptables-save -t nat | grep POSTR
  :POSTROUTING ACCEPT [87:5264]
  -A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0 -j SNAT --to-source 192.168.1.1

  As one can see, the network prefix in the ctorigdst was lost during
  save, so the rule is not the same after save; restore will restore a
  broken rule.

  On kernel version 2.6.38-12-generic and Ubuntu oneiric iptables,
  everything works as expected, so the bug must already be fixed in oneiric.

  Bug on lucid:

  # lsb_release -rd
  Description:    Ubuntu 10.04.3 LTS
  Release:        10.04

  # apt-cache policy iptables
  iptables:
    Installed: 1.4.4-2ubuntu2
    Candidate: 1.4.4-2ubuntu2
    Version table:
   *** 1.4.4-2ubuntu2 0
          500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/899200/+subscriptions
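The "How to detect" procedure in the report compares one rule by eye. As an added example (not part of the bug report or of iptables), the script below automates that round-trip check: it matches each rule as it was loaded against its line in an iptables-save dump and flags any conntrack address option whose network prefix no longer agrees, treating a bare IPv4 address and its /32 form as the same host. The LOADED rules and DUMP text are constructed sample data modelled on the report's output.

```python
import ipaddress
import shlex
# conntrack match options that take an address[/prefix] argument
CT_ADDR_OPTS = ("--ctorigsrc", "--ctorigdst", "--ctreplsrc", "--ctrepldst")

def split_rule(rule):
    """Tokenise a rule; return (skeleton with each conntrack address as "<addr>", {option: address})."""
    toks, skeleton, addrs, i = shlex.split(rule), [], {}, 0
    while i < len(toks):
        if toks[i] in CT_ADDR_OPTS and i + 1 < len(toks):
            addrs[toks[i]] = toks[i + 1]
            skeleton += [toks[i], "<addr>"]
            i += 2
        else:
            skeleton.append(toks[i])
            i += 1
    return tuple(skeleton), addrs

def same_network(a, b):
    """Compare address[/prefix] values; a bare IPv4 address means one host (/32)."""
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)

def audit_dump(loaded, dump):
    """Return (option, loaded_value, saved_value) for each conntrack address whose
    network differs from the dump; saved_value is None if the rule is missing."""
    saved = {}
    for line in dump.splitlines():
        if line.startswith("-A "):  # rule lines only; skip :chain and COMMIT lines
            skel, addrs = split_rule(line)
            saved[skel] = addrs
    findings = []
    for rule in loaded:
        skel, addrs = split_rule(rule)
        for opt, value in addrs.items():
            got = saved.get(skel, {}).get(opt)
            if got is None or not same_network(value, got):
                findings.append((opt, value, got))
    return findings

# Constructed sample: the report's rule as loaded, and a dump in which its prefix
# length was lost (the lucid behaviour) beside a host rule that was saved intact.
LOADED = [
    "-A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0/24 -j SNAT --to-source 192.168.1.1",
    "-A POSTROUTING -p udp -m conntrack --ctorigsrc 10.0.0.5 -j SNAT --to-source 192.168.1.1",
]
DUMP = """:POSTROUTING ACCEPT [87:5264]
-A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -p udp -m conntrack --ctorigsrc 10.0.0.5/32 -j SNAT --to-source 192.168.1.1
COMMIT
"""
```

Running `audit_dump(LOADED, DUMP)` on the sample reports only the tcp rule, whose /24 was saved as a bare address; the udp rule passes because 10.0.0.5 and 10.0.0.5/32 name the same host. Feeding real `iptables-save -t nat` output as `dump` makes this a pre-restore sanity check for the defect described above.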