iptables-restore v1.4.14: Bad ctstate "-m" # helper value ftp service

[b0rh]

Using default rule for ftp services, when apply the rule change, vuurmuur show a warning message, and it crash completely when restart the service.

I solved the problem editing the helper value in the ftp services rule for one empty value.

For more info, show the follow extracts of error log, and the problematic iptables rule.

/tmp/vuurmuur-wgTEpL.failed < line 42 >

. . -A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 -d 176.XX.XX.XX/255.255.255.255 -m helper --helper "ftp" -m conntrack --ctstate -m connmark --mark 0 -j CONNMARK --set-mark 1 . .

/var/log/vuurmuur/error.log

07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): command '/sbin/iptables-restore --counters --noflush < /tmp/vuurmuur-wgTEpL 2>> /tmp/vuurmuur-load-result-lCvVfX' failed. 07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): loading the ruleset failed (in: ruleset_load_ruleset:1228). 07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): rulesetfile will be stored as '/tmp/vuurmuur-wgTEpL.failed' (in: load_ruleset_ipv4:1717). 07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): loading ruleset result: 'iptables-restore v1.4.14: Bad ctstate "-m"'. 07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): loading ruleset result: 'Error occurred at line: 42'. 07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): loading ruleset result: 'Try `iptables-restore -h' or 'iptables-restore --help' for more information.'. 07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): creating rules failed. 07/05/2013 18:25:08 : PID 3502 : vuurmuur : Error (-1): applying changes failed.

[Victor Julien]

The rule looks correct on first glance. Maybe the ftp helper is not present on your system? Will have figure out a way to determine it's presence before loading the ruleset.

[belba]

I have the same Problem. For me it seems that after the --ctstate option a NEW, RELATED, ESTABLISHED or INVALID state missed.

If I correct the rulsetfile in the /tmp/ directory in this terms, I can load the whole ruleset without errors.

/var/log/vuurmuur/error.log:

10/14/2013 18:42:37 : PID 9729 : vuurmuur : Error (-1): command '/sbin/iptables-restore --counters --noflush < /tmp/vuurmuur-k41IKe 2>> /tmp/vuurmuur-load-result-Bhu7Ki' failed. 10/14/2013 18:42:37 : PID 9729 : vuurmuur : Error (-1): loading the ruleset failed (in: ruleset_load_ruleset:1228). 10/14/2013 18:42:37 : PID 9729 : vuurmuur : Error (-1): rulesetfile will be stored as '/tmp/vuurmuur-k41IKe.failed' (in: load_ruleset_ipv4:1717). 10/14/2013 18:42:37 : PID 9729 : vuurmuur : Error (-1): loading ruleset result: 'iptables-restore v1.4.12: Bad ctstate "-m"'. 10/14/2013 18:42:37 : PID 9729 : vuurmuur : Error (-1): loading ruleset result: 'Error occurred at line: 34'. 10/14/2013 18:42:37 : PID 9729 : vuurmuur : Error (-1): loading ruleset result: 'Try `iptables-restore -h' or 'iptables-restore --help' for more information.'. 10/14/2013 18:42:37 : PID 9729 : vuurmuur : Error (-1): creating rules failed.

the broken ruleset in /tmp/:

-A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 -m helper --helper "ftp" -m conntrack --ctstate -m connmark --mark 0 -j CONNMARK --set-mark 1

the working ruleset in /tmp/:

-A INPUT -i eth0 -p tcp -m tcp --syn -s 0.0.0.0/0.0.0.0 -m helper --helper ftp -m conntrack --ctstate RELATED -m connmark --mark 0 -j CONNMARK --set-mark 1

[Victor Julien]

Looks like this is related to #144 and is fixed in ​https://github.com/inliniac/vuurmuur/commit/5470aa449e883073a0243041a4e6b4c435291df7

Any chance you can try the git master?

[belba]

It seems that this fix the problem. I'm enable to test it on a fresh new system. Is it possible to release a rc2 ?

[Victor Julien]

Thanks for testing. I have no ETA yet for rc2. I'll release it when I find the time.

[belba]

OK Thankyou

[fdp.fdp]

I confirm this bug, it seems solved in the SVN repo