Skip Menu |

This queue is for tickets about the IPTables-Parse CPAN distribution.

Report information
The Basics
Id: 67372
Status: resolved
Priority: 0/
Queue: IPTables-Parse
People
Owner: Nobody in particular
Requestors: bass.warrior [...] gmail.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Sun Apr 10 14:47:22 2011 bass.warrior [...] gmail.com - Ticket created
Subject: chain_rules not setting state
Date: Sun, 10 Apr 2011 13:47:13 -0500
To: bug-IPTables-Parse [...] rt.cpan.org
From: Jeff Largent <bass.warrior [...] gmail.com>
IPTables::Parse version 0.7 Tested on both Fedora 13 and 14 output from iptables-save -A CUSTOM -i lo -j ACCEPT -A CUSTOM -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT -A CUSTOM -j DROP test script #!/usr/bin/perl use warnings; use strict; use IPTables::Parse; use Data::Dump qw/dump/; my %opts = ('iptables' => '/sbin/iptables', 'debug' => 1, 'verbose' => 1); my $ipt_obj = new IPTables::Parse(%opts); my $chain_ref = $ipt_obj->chain_rules("filter", "CUSTOM"); print dump($chain_ref); print "\n"; Expected results: The second rule uses state so I would expect {'filter'} to be set in, but it is not. Thank you, Jeff Largent -- When injustice becomes law, Resistance becomes DUTY. T. Jefferson
  Mon Apr 11 11:22:56 2011 bass.warrior [...] gmail.com - Correspondence added
From: bass.warrior [...] gmail.com
On Sun Apr 10 14:47:22 2011, bass.warrior@gmail.com wrote: Show quoted text
> IPTables::Parse version 0.7 > Tested on both Fedora 13 and 14 > > output from iptables-save > > -A CUSTOM -i lo -j ACCEPT > -A CUSTOM -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT > -A CUSTOM -j DROP > > test script > > #!/usr/bin/perl > > use warnings; > use strict; > use IPTables::Parse; > use Data::Dump qw/dump/; > > my %opts = ('iptables' => '/sbin/iptables', > 'debug' => 1, > 'verbose' => 1); > my $ipt_obj = new IPTables::Parse(%opts); > > my $chain_ref = $ipt_obj->chain_rules("filter", "CUSTOM"); > > print dump($chain_ref); > print "\n"; > > Expected results: > The second rule uses state so I would expect {'filter'} to be set in, but > it is not. > > Thank you, > Jeff Largent > > >
  Mon Apr 11 11:46:33 2011 bass.warrior [...] gmail.com - Correspondence added
From: bass.warrior [...] gmail.com
Doing some more testing on this: Fedora 14 Iptables version 1.4.9 IPTables::Parse version 0.7 installed from Fedora repository perl-IPTables-Parse-0.7- 6.fc14.noarch.rpm I modified the Parse.pm and added a Data::Dump right before the return just to see what the module was seeing. using the following rules # Generated by iptables-save v1.4.9 on Mon Apr 11 10:36:36 2011 *nat :PREROUTING ACCEPT [227300:55357302] :OUTPUT ACCEPT [8416:1100980] :POSTROUTING ACCEPT [8416:1100980] COMMIT # Completed on Mon Apr 11 10:36:36 2011 # Generated by iptables-save v1.4.9 on Mon Apr 11 10:36:36 2011 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2019:8636337] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Mon Apr 11 10:36:36 2011 dump Dump ( { bytes => "3634M", d_port => "0:0", dport => "0:0", dst => "0.0.0.0/0", extended => "state RELATED,ESTABLISHED ", intf_in => "*", intf_out => "*", packets => "6226K", proto => "all", protocol => "all", raw => "6226K 3634M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ", s_port => "0:0", sport => "0:0", src => "0.0.0.0/0", state => "", target => "ACCEPT", to_ip => "", to_port => "", }, { bytes => "1537K", d_port => "", dport => "", dst => "0.0.0.0/0", extended => "", intf_in => "*", intf_out => "*", packets => 20856, proto => "icmp", protocol => "icmp", raw => "20856 1537K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ", s_port => "", sport => "", src => "0.0.0.0/0", state => "", target => "ACCEPT", to_ip => "", to_port => "", }, { bytes => 7376, d_port => "0:0", dport => "0:0", dst => "0.0.0.0/0", extended => "", intf_in => "lo", intf_out => "*", packets => 119, proto => "all", protocol => "all", raw => " 119 7376 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 ", s_port => "0:0", sport => "0:0", src => "0.0.0.0/0", state => "", target => "ACCEPT", to_ip => "", to_port => "", }, { bytes => 252, d_port => 22, dport => 22, dst => "0.0.0.0/0", extended => "state NEW tcp dpt:22 ", intf_in => "*", intf_out => "*", packets => 4, proto => "tcp", protocol => "tcp", raw => " 4 252 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 ", s_port => "0:0", sport => "0:0", src => "0.0.0.0/0", state => "RELATED,ESTABLISHED", target => "ACCEPT", to_ip => "", to_port => "", }, { bytes => "75M", d_port => "0:0", dport => "0:0", dst => "0.0.0.0/0", extended => "reject-with icmp-host-prohibited ", intf_in => "*", intf_out => "*", packets => "585K", proto => "all", protocol => "all", raw => " 585K 75M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ", s_port => "0:0", sport => "0:0", src => "0.0.0.0/0", state => "", target => "REJECT", to_ip => "", to_port => "", }, ) It sets state to RELATED,ESTABLISHED when state is NEW and to "" when the state should of been RELATED,ESTABLISHED.
  Wed Apr 20 09:23:45 2011 SSIMON [...] cpan.org - Correspondence added
Simple patch to set "state" for all rules with extended ruleset. The upstream version sets the state for next rule and even not all the time.
Subject: IPTables-Parse-0.7-state.patch
--- /usr/lib/perl5/site_perl/5.8.8/IPTables/Parse.pm 2008-10-17 23:59:45.000000000 -0400 +++ /usr/lib/perl5/site_perl/5.8.8/IPTables/Parse.pm 2011-04-15 14:31:27.000000000 -0400 @@ -97,7 +97,6 @@ ### array of hash refs my @chain = (); - my @global_accept_state = (); if ($file) { ### read the iptables rules out of $file instead of executing @@ -201,37 +200,9 @@ $rule{'to_ip'} = $1; $rule{'to_port'} = $2; } - - for my $state_hr (@global_accept_state) { - next unless $state_hr->{'src'} eq '0.0.0.0/0'; - next unless $state_hr->{'dst'} eq '0.0.0.0/0'; - next unless $state_hr->{'proto'} eq 'all' or - $state_hr->{'proto'} = $rule{'proto'}; - next unless $state_hr->{'intf_in'} eq '*' or - $state_hr->{'intf_in'} eq $rule{'intf_in'}; - next unless $state_hr->{'intf_out'} eq '*' or - $state_hr->{'intf_out'} eq $rule{'intf_out'}; - ### if we make it here, then the state rule - ### applies to this rule - $rule{'state'} = $state_hr->{'state'}; - } } - if ($rule{'target'} eq 'ACCEPT' - and $rule{'extended'} =~ m|^state\s+(\S+)|) { - my $state_str = $1; - if ($state_str =~ /ESTABLISHED/ - or $state_str =~ /RELATED/) { - - push @global_accept_state, { - 'state' => $state_str, - 'src' => $rule{'src'}, - 'dst' => $rule{'dst'}, - 'intf_in' => $rule{'intf_in'}, - 'intf_out' => $rule{'intf_out'}, - 'proto' => $rule{'protocol'} - }; - my %state_hash = (); - } + if ($rule{'extended'} =~ /^state\s+(\S+)/) { + $rule{'state'} = $1; } } }
  Wed Apr 20 09:23:46 2011 The RT System itself - Status changed from 'new' to 'open'
  Sun Feb 26 21:24:46 2012 michael.rash [...] gmail.com - Correspondence added
Thanks for reporting this issue. It has been resolved in IPTables::Parse 0.9 (just uploaded to CPAN). Incidentally, IPTables::Parse is now being tracked by git: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=IPTables-Parse.git;a=summary Here is the specific change that resolves this bug: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=IPTables-Parse.git;a=blobdiff;f=lib/IPTables/Parse.pm;h=d24340b14beb12a476474b2bbd95f03bc2c369df;hp=3494cf42ddd006e5fde00b3a6d76d6b058a04405;hb=77c2593de728ee16678447eb94a978fca4dbb397;hpb=844cd8a65d966a64ad86da0ddeee29f6526b177b -- Michael Rash | Founder http://www.cipherdyne.org/ Key fingerprint: E2EF 0C8A 5AA9 654C 4763 B50F 37AC E946 7F51 8271
  Sun Feb 26 21:24:47 2012 michael.rash [...] gmail.com - Status changed from 'open' to 'resolved'