Public bug reported:

Ubuntu 17.10
iptables 1.6.1-2ubuntu1

Before "iptables-save > /etc/iptables/rules.v4"
-----------------------------------------------
# cat iptables/rules.v4 | grep virbr0 | sort | uniq -c
     14 -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     14 -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
     14 -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
     14 -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
     14 -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
     14 -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
     14 -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
     14 -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
     14 -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
     14 -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
     33 -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
      1 -A ufw-user-input -i virbr0 -j ACCEPT
      1 -A ufw-user-output -o virbr0 -j ACCEPT

After "iptables-save > /etc/iptables/rules.v4"
----------------------------------------------
# cat iptables/rules.v4 | grep virbr0 | sort | uniq -c
     15 -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
     15 -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
     15 -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
     15 -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
     15 -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
     15 -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
     15 -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
     15 -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
     15 -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
     15 -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
     34 -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
      1 -A ufw-user-input -i virbr0 -j ACCEPT
      1 -A ufw-user-output -o virbr0 -j ACCEPT

It looks like iptables-save is confused by virbrn entries and duplicates
them each time it is run.

** Affects: iptables (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1738403

Title:
  iptables-save duplicates libvirt rules

Status in iptables package in Ubuntu:
  New

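The `sort | uniq -c` pipeline in the report counts matching lines across the whole file and discards rule order. As an added example (not part of the original report or of iptables), the shell functions below count repeats per table in an iptables-save dump and re-emit it with only the first copy of each rule kept; `dup_rules`, `dedup_rules` and the sample ruleset are constructed for illustration.

```shell
# Print "<count> <table> <rule>" for each -A rule that occurs more than once
# within one table, in order of first appearance (hypothetical helper).
dup_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter", "*nat", ...
        /^-A / {
            key = table SUBSEP $0
            if (!(key in count)) order[++n] = key
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                if (count[order[i]] < 2) continue
                split(order[i], p, SUBSEP)
                printf "%d %s %s\n", count[order[i]], p[1], p[2]
            }
        }
    ' "$@"
}

# Re-emit the dump with later copies of a rule dropped; the first copy stays
# where it was, so the evaluation order of the remaining rules is unchanged.
dedup_rules() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /^-A / && seen[table, $0]++ { next }
        { print }
    ' "$@"
}

# Constructed sample in iptables-save format (not the reporter's file).
sample_dump() {
    cat <<'EOF'
*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
EOF
}

sample_dump | dup_rules
```

Dropping a later identical copy does not change the verdict for terminating targets such as ACCEPT or REJECT, but non-terminating targets such as LOG act once per copy, so diff the result against the original before loading it with iptables-restore.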