iptables 1.4.8's iptables and iptables-restore give a warning[1] and its iptables-save writes the negation correctly. The ip6 variants do too. A package installation warning for wheezy sounds reasonable.
[1] Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).

On Sun, Feb 16, 2014 at 9:32 PM, Leandro Adamson <leandro.adam...@gmail.com> wrote:
> Package: iptables
> Version: 1.4.14-3.1
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: t...@security.debian.org,
>   secure-testing-t...@lists.alioth.debian.org
>
> After a squeeze -> wheezy upgrade, iptables refuses to load rules that
> worked in squeeze and were generated using squeeze's iptables-save.
>
> The result is that after the upgrade the entire iptables system is
> broken, leaving the machine completely open to the network. It is a
> mostly silent failure, and the admin would only discover it by
> reviewing startup logs or portscanning the machine. There are no
> notifications of the incompatible change during the upgrade and it's
> not even documented in either of the changelogs.
>
> The specific syntax change to rules was:
>
> squeeze: -d !123.123.123.123
> wheezy: ! -d 123.123.123.123
>
> where -d could be any of a number of flags that accept negative
> arguments. Because iptables-restore uses an all-or-nothing approach,
> having even one rule with the incompatible syntax will prevent all
> rules from being loaded.
>
> If an upgrade breaks existing rules in a way that will cause
> iptables-restore to fail, there should be a VERY prominent warning
> during the upgrade. I'd say that about almost any package, but for
> one as security-critical as iptables to break silently after a routine
> upgrade really seems to fall below Debian's quality standards.
>
> To fill in a bit of relevant information, Debian's iptables package
> doesn't include a method of automatically saving or restoring rules on
> shutdown/boot. That means this bug could manifest itself in a number
> of ways depending on how the admin has configured the save/restore
> process.
> The simplest and possibly most common method would be to use
> /etc/rc.local or an /etc/init.d script to run iptables-restore. In
> any case the restore would certainly be done automatically on boot in
> order to secure the network as soon as possible. If the admin had set
> up an automatic iptables-save during shutdown they may have avoided
> this bug by happenstance since the rules would be saved by wheezy's
> iptables-save before the next reboot. However automatically saving
> rules may not be common, and the iptables-persistent package in Debian
> only auto-restores and does not auto-save.
>
>
> -- System Information:
> Debian Release: 7.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-5-686-bigmem (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages iptables depends on:
> ii  libc6          2.13-38+deb7u1
> ii  libnfnetlink0  1.0.0-1.1
>
> iptables recommends no packages.
>
> iptables suggests no packages.
>
> -- no debconf information