View Issue Details

ID: 0001388
Project: Rocky-Linux-9
Category: iptables
View Status: public
Last Update: 2023-11-21 22:06
Reporter: Wayne Johnson
Assigned To: Louis Abel
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Platform: x86_64
OS: Rocky Linux
OS Version: 9.1
Summary: 0001388: iptables no longer accepts --source=network/mask
Description:

iptables in CentOS 7.x, Rocky 8.* and Rocky 9.0 accept long options using --name=value syntax, for example:

    iptables -A INPUT --source=10.224.0.0/27 -j ACCEPT

However, the same on Rocky 9.1 produces an error:

    iptables-restore v1.8.8 (nf_tables): host/network `--source=10.224.0.0' not found

Replacing the '=' with a whitespace works.

Is it really the intention to no longer allow --name=value syntax, or is this a regression?

We have an automated process which produces iptables rules using the '=' syntax.
Tags: No tags attached.
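For a rule generator that emits the "--name=value" form, the following is an added example (not part of this report or of the iptables project) of rewriting generated rules into the "--name value" form the reporter says is accepted. The generator, the sample ruleset and the function names are constructed for illustration; the rewrite only touches a long option that is directly followed by "=", so an "=" inside a later argument (a --comment string, for instance) is left alone.

```shell
#!/bin/sh
# Added example, not part of the bug report: normalise generated iptables rules
# so that long options use "--option value" instead of "--option=value".

# Rewrite every "--option=value" token in one rule line to "--option value".
# Only a long option (two dashes, then letters/digits/dashes) that is directly
# followed by "=" is touched, so an "=" inside a quoted argument survives and a
# leading "!" (negation) in front of the option is unaffected.
normalize_iptables_rule() {
    printf '%s\n' "$1" |
        sed -E 's/(^|[[:space:]])(--[A-Za-z0-9-]+)=/\1\2 /g'
}

# Normalise a whole iptables-save style ruleset read on stdin. Lines without a
# long option (table headers such as "*filter", chain policies, "COMMIT",
# "#" comments) pass through unchanged because the pattern never matches them.
normalize_ruleset() {
    sed -E 's/(^|[[:space:]])(--[A-Za-z0-9-]+)=/\1\2 /g'
}

# Constructed sample ruleset in the "=" form a hypothetical generator emits.
sample_ruleset() {
    cat <<'EOF'
# Output of a hypothetical rule generator (constructed sample)
*filter
:INPUT DROP [0:0]
-A INPUT --source=10.224.0.0/27 -j ACCEPT
-A INPUT ! --source=192.0.2.0/24 --protocol=tcp --dport=22 -j DROP
-A INPUT -p tcp --dport=443 -m comment --comment="web=public" -j ACCEPT
COMMIT
EOF
}

# Count the "--option=value" tokens left in a ruleset read on stdin; 0 means
# every long option is already in the "--option value" form.
count_equals_options() {
    grep -Eo -e '--[A-Za-z0-9-]+=' | wc -l | tr -d ' '
}

# Usage: sample_ruleset | normalize_ruleset
# Check: sample_ruleset | normalize_ruleset | count_equals_options   (prints 0)
```

Feeding the normalised output to iptables-restore on the affected host is the remaining step; the check function is there so the conversion can be asserted before the rules are loaded rather than discovered at restore time.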

Activities

Louis Abel (administrator)
2022-12-12 06:07
Note ~0001750

`man 8 iptables` on CentOS 7, Rocky Linux 8, Rocky Linux 9 state:

       [!] -s, --source address[/mask][,...]
              Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames
              will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote
              query such as DNS is a really bad idea. The mask can be either an ipv4 network mask (for iptables) or a plain number, specifying the number
              of 1's at the left side of the network mask. Thus, an iptables mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address
              specification inverts the sense of the address. The flag --src is an alias for this option. Multiple addresses can be specified, but this
              will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).

This shows that "=" is likely not expected. Can you present examples or official documentation that shows that `--source=x.x.x.x` should work? If you can, then this may be a bug to report upstream.

Note that even if this is an upstream regression, iptables is considered legacy; all iptables commands use the nf_tables backend instead of the legacy backend. As such, it may be unlikely it will be fixed.
Louis Abel (administrator)
2023-11-21 22:06
Note ~0005190

Closing due to: 9.1 being out of support, 9.3 has been released, iptables is considered legacy.

If this is still an issue, please open a new bug report for Rocky Linux 9.3.

Issue History

Date Modified Username Field Change
2022-12-11 21:05 Wayne Johnson New Issue
2022-12-12 06:07 Louis Abel Assigned To => Louis Abel
2022-12-12 06:07 Louis Abel Status new => needinfo
2022-12-12 06:07 Louis Abel Note Added: 0001750
2023-11-21 22:06 Louis Abel Status needinfo => closed
2023-11-21 22:06 Louis Abel Resolution open => no change required
2023-11-21 22:06 Louis Abel Note Added: 0005190