Package: iptables
Version: 1.4.14-3.1
Severity: normal
File: /usr/sbin/iptables-apply
Tags: patch

Dear Maintainer,

I was using iptables-apply on a new ruleset with an error (trying to use 
more than 16 ports on a -m multiport --dports line, as it happens).
The old and new rulesets both include two COMMITs (with two tables).

When I ran sudo iptables-apply /etc/iptables/rules.v4.pending, I got 
errors, including the following:
  Applying new ruleset...
  failed
  E: unknown error applying new iptables ruleset.

What I did NOT get (which I expected to) is a revert to the previous ruleset.

This meant that iptables was left in a state with only the first table 
(ruleset up to the first COMMIT) active, which in my case was not very 
functional (having a revert to a previous ruleset would have been a lot 
better).

You should be able to reproduce this behaviour (iptables-apply does not 
revert to previous ruleset when the new ruleset gives an error on restore)
with a ruleset containing two tables (could be *filter and *filter, or 
*filter and *nat) in a single file, with a commit for each table, and
a syntax error in the second table (for example more than 16 ports on 
a --dports line, or a misspelled port name).

My suggested patch to iptables-apply is:

--- /usr/sbin/iptables-apply    2012-05-27 02:44:33.000000000 +1000
+++ /tmp/iptables-apply 2014-02-04 11:41:54.307670214 +1100
@@ -141,6 +141,9 @@
 if ! "$RESTORE" <"$FILE"; then
        echo "failed."
        echo "E: unknown error applying new iptables ruleset." >&2
+       echo -n "Reverting to old ruleset... "
+       "$RESTORE" <"$TMPFILE";
+       echo done.
        exit 5
 else
        echo done.
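Review bot: the exit status of the revert is never checked, so `"$RESTORE" <"$TMPFILE"` can fail and the script still prints `done.` and exits 5, reporting a successful rollback while the firewall is actually left with only the tables that committed before the error. Wrap the revert in its own test, for example `if "$RESTORE" <"$TMPFILE"; then echo done.; else echo failed.; echo "E: revert failed, ruleset is in an undefined state" >&2; exit 6; fi`, so a failed revert is visible to the caller and gets a distinct exit code. The trailing `;` after the restore command is unnecessary, and the revert relies on `$TMPFILE` still holding the snapshot taken before the apply, which this hunk does not show.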


-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables depends on:
ii  libc6          2.13-38
ii  libnfnetlink0  1.0.0-1.1

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
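As an added example, not the Debian script or the reporter's patch: a POSIX sh wrapper that snapshots the live ruleset before applying a file and, when iptables-restore rejects the new rules, reverts and checks that the revert itself succeeded, returning a distinct code when the firewall is left half-applied. SAVE and RESTORE are assumed to be overridable so the logic can be dry-run with stand-in commands.

```shell
#!/bin/sh
# Added example (not part of the iptables package). SAVE/RESTORE default to the
# real tools; override them with shell functions or other commands to dry-run.
SAVE="${SAVE:-iptables-save}"
RESTORE="${RESTORE:-iptables-restore}"

# apply_with_revert FILE
# Return codes: 0 new ruleset applied
#               2 could not snapshot the current rules (nothing was changed)
#               5 new ruleset rejected, previous ruleset restored
#               6 new ruleset rejected AND the revert failed: the firewall may
#                 be half-applied; the snapshot path is printed for manual recovery
apply_with_revert() {
    file=$1
    snapshot=$(mktemp) || return 2
    # Snapshot first: iptables-restore commits table by table, so an error in
    # the second table leaves the first one already active with nothing to go
    # back to unless we saved it here.
    if ! "$SAVE" >"$snapshot"; then
        rm -f "$snapshot"
        return 2
    fi
    if "$RESTORE" <"$file"; then
        rm -f "$snapshot"
        return 0
    fi
    echo "E: new ruleset rejected, reverting to previous ruleset" >&2
    # Unlike an unconditional 'echo done.', check the revert's own exit status.
    if "$RESTORE" <"$snapshot"; then
        rm -f "$snapshot"
        return 5
    fi
    echo "E: revert failed; previous ruleset kept at $snapshot" >&2
    return 6
}
# usage: apply_with_revert /etc/iptables/rules.v4.pending; echo "rc=$?"
```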