View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001388||Rocky-Linux-9||iptables||public||2022-12-11 21:05||2022-12-12 06:07|
|Reporter||Wayne Johnson||Assigned To||Louis Abel|
|Platform||x86_64||OS||Rocky Linux||OS Version||9.1|
|Summary||0001388: iptables no longer accepts --source=network/mask|
|Description||iptables in CentOS 7.x, Rocky 8.* and Rocky 9.0 accept long options using --name=value syntax, for example:|
iptables -A INPUT --source=10.224.0.0/27 -j ACCEPT
However the same on Rocky 9.1 produces error:
iptables-restore v1.8.8 (nf_tables): host/network `--source=10.224.0.0' not found
Replacing the '=' with a whitespace works.
Is it really the intention to no longer allow --name=value syntax, or is this a regression?
We have an automated process which produces iptables rules using the '=' syntax.
|Tags||No tags attached.|
`man 8 iptables` on CentOS 7, Rocky Linux 8, Rocky Linux 9 state:
[!] -s, --source address[/mask][,...]
Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames
will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote
query such as DNS is a really bad idea. The mask can be either an ipv4 network mask (for iptables) or a plain number, specifying the number
of 1's at the left side of the network mask. Thus, an iptables mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address
specification inverts the sense of the address. The flag --src is an alias for this option. Multiple addresses can be specified, but this
will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).
This shows that "=" is likely not expected. Can you present examples or official documentation that shows that `--source=x.x.x.x` should work? If you can, then this may be a bug to report upstream.
Note that even if this is an upstream regression, iptables is considered legacy; all iptables commands use the nf_tables backend instead of the legacy backend. As such, it may be unlikely it will be fixed.