[pkg-netfilter-team] Bug#913742: ip6tables-save produces broken syntax, unable to load them
Stefan Bühler
stefan.buehler at tik.uni-stuttgart.de
Wed Nov 14 15:46:40 GMT 2018
Package: iptables
Version: 1.8.1-2
Severity: grave
Tags: security
Reproduce with:
# ip6tables -A INPUT ! -s ::1
# ip6tables-save | ip6tables-restore
Bad argument `!-s'
Error occurred at line: 6
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
# ip6tables-save
# Generated by xtables-save v1.8.1 on Wed Nov 14 16:42:42 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT !-s ::1/128
COMMIT
# Completed on Wed Nov 14 16:42:42 2018
It should export "! -s", i.e. one space after "!", and one space less
before "!".
Systems trying to load previously saved rules on boot will not be able
to load those rules, and may be either unreachable (if they set a strict
policy before) or completely open.
--
Stefan Bühler Mail/xmpp: stefan.buehler at tik.uni-stuttgart.de
Netze und Kommunikationssysteme der Universität Stuttgart (NKS)
https://www.tik.uni-stuttgart.de/ Telefon: +49 711 685 60854
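An added example, not part of the bug report or of the iptables package: a small POSIX shell helper that repairs the glued "!-s"-style negation in a saved ruleset and, where ip6tables-restore is present, parses the result with `ip6tables-restore --test` before anything is committed at boot. The sample ruleset is constructed to mirror the output shown above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the report or the iptables project).
# Repairs the "!-s" / "!-d" / "!--dport" negation syntax that the
# ip6tables-save shown in the report emits, so a boot-time restore does
# not abort and leave the host with no filter rules (or a blocking policy).

# Rewrite " !-x" / " !--xyz" to " ! -x" / " ! --xyz" on stdin -> stdout.
# Line-level heuristic: only a "!" glued directly to an option dash is
# touched; "! -p" (already correct) is left alone.
fix_negation() {
    sed -e 's/ !\(-\{1,2\}[A-Za-z]\)/ ! \1/g'
}

# Parse-only check of a ruleset file. Returns ip6tables-restore's status;
# returns 0 (with a notice) when the tool is not installed, e.g. off-box.
validate_ruleset() {
    rules_file="$1"
    if ! command -v ip6tables-restore >/dev/null 2>&1; then
        echo "ip6tables-restore not available; skipping parse check" >&2
        return 0
    fi
    # --test only parses and constructs the ruleset, nothing is committed.
    ip6tables-restore --test < "$rules_file"
}

# Constructed sample in the same shape as the report's ip6tables-save output.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT !-s ::1/128
-A INPUT !-d ::1/128 -j DROP
-A INPUT -p tcp !--dport 22 -j DROP
-A INPUT -s 2001:db8::/32 ! -p tcp -j ACCEPT
COMMIT'

# Returns the repaired sample on stdout.
repaired_sample() {
    printf '%s\n' "$SAMPLE_RULES" | fix_negation
}

# Typical use on an affected host:
#   ip6tables-save | fix_negation > /etc/ip6tables.rules \
#     && validate_ruleset /etc/ip6tables.rules
```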