Debian Bug report logs - #682612
/sbin/ip6tables-multi: Cannot restore ip6tables, fails at Commit line

Package: iptables; Maintainer for iptables is Laurence J. Lane <ljlane@debian.org>; Source for iptables is src:iptables.

Reported by: Bart Dieterman <bartdieterman@gmail.com>

Date: Tue, 24 Jul 2012 08:00:03 UTC

Severity: grave

Tags: ipv6, moreinfo, unreproducible

Found in version iptables/1.4.8-3

Done: Ulrich Dangel <uli@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurence J. Lane <ljlane@debian.org>:
Bug#682612; Package iptables. (Tue, 24 Jul 2012 08:00:05 GMT)

Acknowledgement sent to Bart Dieterman <bartdieterman@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurence J. Lane <ljlane@debian.org>. (Tue, 24 Jul 2012 08:00:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Bart Dieterman <bartdieterman@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /sbin/ip6tables-multi: Cannot restore ip6tables, fails at Commit line
Date: Tue, 24 Jul 2012 09:34:07 +0200
Package: iptables
Version: 1.4.8-3
Severity: grave
File: /sbin/ip6tables-multi
Tags: security ipv6
Justification: user security hole


I have the following file /etc/ip6tables.firewall.rules

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A FORWARD -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A OUTPUT -m rt --rt-type 0 --rt-segsleft 0 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT

Then I run: 
sudo ip6tables-restore < /etc/ip6tables.firewall.rules
And I get:
ip6tables-restore: line 18 failed

Any idea how to fix this?

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-042stab057.1 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages iptables depends on:
ii  libc6                         2.11.3-3   Embedded GNU C Library: Shared lib
ii  libnfnetlink0                 1.0.0-1    Netfilter netlink library

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information



Removed tag(s) security. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 24 Jul 2012 08:18:05 GMT)

Added tag(s) unreproducible and moreinfo. Request was from Michael Stapelberg <stapelberg@debian.org> to control@bugs.debian.org. (Fri, 03 Aug 2012 16:18:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Laurence J. Lane <ljlane@debian.org>:
Bug#682612; Package iptables. (Fri, 03 Aug 2012 16:24:03 GMT)

Acknowledgement sent to Michael Stapelberg <stapelberg@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurence J. Lane <ljlane@debian.org>. (Fri, 03 Aug 2012 16:24:03 GMT)

Message #14 received at 682612@bugs.debian.org:

From: Michael Stapelberg <stapelberg@debian.org>
To: Bart Dieterman <bartdieterman@gmail.com>
Cc: 682612@bugs.debian.org
Subject: Re: /sbin/ip6tables-multi: Cannot restore ip6tables, fails at Commit line
Date: Fri, 3 Aug 2012 18:13:42 +0200

Hi Bart,

On Tue, 24 Jul 2012 09:34:07 +0200
Bart Dieterman <bartdieterman@gmail.com> wrote:
> sudo ip6tables-restore < /etc/ip6tables.firewall.rules
> And I get:
> ip6tables-restore: line 18 failed
> [...]
> Kernel: Linux 2.6.32-042stab057.1 (SMP w/1 CPU core)
This kernel version does not exist in Debian. However, there is an
OpenVZ kernel for RHEL with that version number. Therefore, I assume
you are running Debian in an OpenVZ VM and didn’t tell us (please tell
us in the future).

As noted in [1], ip6tables-restore always returns an error in the
COMMIT line. Therefore, it’d be useful to test the basic functionality
of ip6tables-restore first and — in case that even works — narrow down
the problem by inserting many COMMIT statements. Can you please try the
following?

cat <<EOF | sudo ip6tables-restore
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

Does that work on your machine?

I also set up a VM with kernel 2.6.32-5-amd64 and iptables 1.4.8-3 (same
major versions that you are using). As expected, running
ip6tables-restore with your rules file works just fine. I’m therefore
tagging this bug unreproducible and moreinfo, meaning it will be closed
in a reasonable timeframe in case you don’t reply anymore :).

In [1], womble notes that your OpenVZ provider might have disabled
iptables. I think that’s very likely the cause for your problem.

Best regards,
Michael

[1] http://serverfault.com/questions/101022
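
The narrowing step described in the reply above (load the bare table first, then add rules one at a time with a COMMIT after each), as an added shell example that is not part of the original thread. `RESTORE_CMD`, `build_prefix` and `first_failing_rule` are names made up for this example, and it assumes a single-table rules file like the one in the report.

```shell
#!/bin/sh
# Added example, not from the bug thread. RESTORE_CMD and the function names
# are assumptions of this example. Assumes a single-table rules file.
# The real ip6tables-restore replaces the live table on every successful step.
RESTORE_CMD=${RESTORE_CMD:-ip6tables-restore}

# Print the table and chain headers, the first N rules, and one COMMIT.
build_prefix() {
    awk -v n="$2" '
        /^#/ || /^$/ { next }          # skip comments and blank lines
        /^\*/ || /^:/ { print; next }  # keep "*filter" and ":CHAIN policy"
        /^COMMIT/ { next }             # re-added once in END
        { if (++seen <= n) print }     # keep only the first n rules
        END { print "COMMIT" }
    ' "$1"
}

# Print the first rule whose addition makes the restore fail.
# Prints BASE if even the rule-less table is rejected (the minimal test from
# the reply above), NONE if every prefix loads.
first_failing_rule() {
    file=$1
    total=$(grep -c '^-' "$file" || true)
    n=0
    while [ "$n" -le "$total" ]; do
        if ! build_prefix "$file" "$n" | $RESTORE_CMD >/dev/null 2>&1; then
            if [ "$n" -eq 0 ]; then
                echo BASE
            else
                grep '^-' "$file" | sed -n "${n}p"
            fi
            return 1
        fi
        n=$((n + 1))
    done
    echo NONE
}
```

Run as root with `first_failing_rule /etc/ip6tables.firewall.rules`. When it stops on a failure, the last prefix that loaded is the active ruleset, so reload a known-good ruleset afterwards.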



Information forwarded to debian-bugs-dist@lists.debian.org, Laurence J. Lane <ljlane@debian.org>:
Bug#682612; Package iptables. (Sat, 08 Sep 2012 12:36:05 GMT)

Acknowledgement sent to Ulrich Dangel <uli@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurence J. Lane <ljlane@debian.org>. (Sat, 08 Sep 2012 12:36:05 GMT)

Message #19 received at 682612@bugs.debian.org:

From: Ulrich Dangel <uli@debian.org>
To: 682612@bugs.debian.org
Cc: Bart Dieterman <bartdieterman@gmail.com>
Subject: Re: Bug#682612: /sbin/ip6tables-multi: Cannot restore ip6tables, fails at Commit line
Date: Sat, 8 Sep 2012 13:23:41 +0100

* Michael Stapelberg wrote [03.08.12 17:13]:
Hi Michael & Bart,
> In [1], womble notes that your OpenVZ provider might have disabled
> iptables. I think that's very likely the cause for your problem.
> [1] http://serverfault.com/questions/101022

I think this bug could be closed as it is probably not a Debian bug and
works for me in Sid as well as Squeeze.

cheers,
Ulrich



Reply sent to Ulrich Dangel <uli@debian.org>:
You have taken responsibility. (Sat, 03 Nov 2012 12:33:04 GMT)

Notification sent to Bart Dieterman <bartdieterman@gmail.com>:
Bug acknowledged by developer. (Sat, 03 Nov 2012 12:33:04 GMT)

Message #24 received at 682612-done@bugs.debian.org:

From: Ulrich Dangel <uli@debian.org>
To: 682612-done@bugs.debian.org
Subject: Not a bug
Date: Sat, 03 Nov 2012 12:30:27 +0000

I am closing this bug as I couldn't reproduce it and it seems to be an
issue with the VM configuration from OP's provider.

cheers from the Dublin BSP,
Ulrich




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Dec 2012 07:25:53 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:10:20 2014; Machine Name: beach.debian.org
