#4123 iptables comment bug - Debian, 1.590

Jamie Cameron
Jonathan Rudolph

My config: using '--comment option' and directly editing firewall rules instead of a save file.
Adding a comment works when the comment is 1 word only.
Using multiple words causes the comment to be added as '--comment'.
For instance, I created 2 rules, commented the first with 'Loopback' and the second with "Whitelisted IPs", and here are the results:
-A INPUT -i lo -m comment --comment Loopback -j ACCEPT
-A INPUT -m comment --comment --comment -j White-IP
After this happens, the mangled 'double --comment' comments are not shown in the UI, and the rule cannot be edited again in the UI.
I end up having to 'iptables-save > tmp', then edit the tmp file, then 'iptables-restore < tmp' to fix the problems.

  • Jamie Cameron

    Do you see this save bug if updating an IPtables save file, instead of editing rules directly?

  • Jamie Cameron

    BTW, when editing live rules with Webmin 1.590 on CentOS 6.3, I wasn't able to reproduce this issue.

    When you entered the command, did you enter any " or ' character?

  • When using a save file, the comment gets added properly for that entry, in a different order on the line:
    -A INPUT -m comment -j White-IP --comment "Whitelisted IPs"
    However, when doing it that way, it ruins the rest of the file by creating 'blank' comments that aren't compatible with 'iptables-restore':
    iptables-restore v1.4.14: option "--comment" requires an argument
    The line causing that error is the one right after the White-IP chain:
    -A INPUT -m comment -j Black-IP --comment

  • I never used any quoting characters, just ASCII letters and spaces from an American qwerty 104-key keyboard.

  • Jamie Cameron

    So editing a rule causes the *previous* rule to get a --comment flag with no value? Did you perhaps create a comment that contained only spaces? Because I just noticed that Webmin doesn't handle that case properly.
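The two broken shapes described in this thread (a comment whose value became the literal '--comment', and a trailing '--comment' with no value that iptables-restore rejects) can be spotted in iptables-save output before a restore is attempted, and avoided when creating rules by passing the whole comment as a single argv element. The following checker is an added example written for this report, not Webmin's code; the sample lines are constructed from the rules quoted above, and the 256-byte limit is the one iptables enforces on comment length.

```python
import shlex
from typing import List, Sequence

# Sample iptables-save lines, constructed from the rules quoted in this report.
SAMPLE_RULES = [
    '-A INPUT -i lo -m comment --comment Loopback -j ACCEPT',
    '-A INPUT -m comment --comment --comment -j White-IP',
    '-A INPUT -m comment -j White-IP --comment "Whitelisted IPs"',
    '-A INPUT -m comment -j Black-IP --comment',
]

def classify_comment(rule: str) -> str:
    """Classify the --comment option of one saved rule.

    'ok'      the option carries a normal value
    'none'    the rule has no --comment option
    'missing' --comment is the last token (iptables-restore rejects this)
    'mangled' the value is itself an option word such as '--comment'
    """
    argv = shlex.split(rule)  # honours the double quotes iptables-save emits
    for i, tok in enumerate(argv):
        if tok != "--comment":
            continue
        if i + 1 == len(argv):
            return "missing"
        if argv[i + 1].startswith("--"):
            return "mangled"
        return "ok"
    return "none"

def find_broken(rules: List[str]) -> List[str]:
    """Return the rules that would fail to restore or carry a bogus comment."""
    return [r for r in rules if classify_comment(r) in ("missing", "mangled")]

def build_rule_argv(chain: str, target: str, comment: str,
                    match_args: Sequence[str] = ()) -> List[str]:
    """Build an iptables argv in which the comment is ONE element, however many
    words it has. Hand this to subprocess.run() without shell=True, so the
    shell never splits 'Whitelisted IPs' into two arguments."""
    if not comment.strip():
        raise ValueError("comment must contain a non-space character")
    if len(comment.encode()) >= 256:
        raise ValueError("iptables comments must be shorter than 256 bytes")
    return ["iptables", "-A", chain, *match_args,
            "-m", "comment", "--comment", comment, "-j", target]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(f"{classify_comment(r):8s} {r}")
    print(build_rule_argv("INPUT", "White-IP", "Whitelisted IPs"))
```

Running the checker over the output of 'iptables-save' before calling 'iptables-restore' flags the exact line that produced the "requires an argument" error quoted above.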