RHBA-2009:1414 - Bug Fix Advisory

Topic

Updated iptables packages that fix several bugs and add an enhancement are
now available.

Description

The iptables utility controls the network packet filtering code in the
Linux kernel.

These updated iptables packages provide the following enhancement:

• while its IPv4 counterpart was present, the Differentiated Services Code

Point (DSCP) match target for IPv6 was missing. Two new modules, one for
iptables and a separate one for the Linux kernel, now enable this
functionality.

Note: along with this iptables update, the kernel update for Red Hat
Enterprise Linux 5.4 must be installed, and the system must be rebooted, in
order to enable Differentiated Services Code Point (DSCP) match target
functionality for IPv6. (BZ#480371)

In addition, these updated iptables packages provide fixes for the
following bugs:

• the init scripts for iptables and ip6tables sometimes exited with

incorrect or invalid exit statuses. (BZ#242457)

• the Internet Control Message Protocol (ICMP) '--reject-with' types did

not always work as expected. This has been fixed in these updated packages.
(BZ#253014)

• the iptables-restore(8) man page did not contain descriptions of some of

the options that were listed in the program's help information. These
information sources for the utility's options have now been synchronized.
(BZ#474847)

• the "ROUTE" section of the iptables(8) man page contained misleading

information on certain features that do not exist in the iptables packages.
(BZ#485834)

• the iptables-devel package did not include certain header files, which

are now included in the updated package. (BZ#487649)

• the spec file contained a typo on the the Release line. (BZ#440622)

Users are advised to upgrade to these updated iptables packages, which
resolve these issues and add this enhancement.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 242457 - Wrong init script
• BZ - 253014 - ip6tables/libip6t_REJECT.so --reject-with option sends wrong ICMP6 packet types
• BZ - 402281 - Missing "/usr/include/libiptc/libiptc.h" in iptables-devel
• BZ - 440622 - there should be %{?dist} instead of %{dist} in the *.spec on the Release: line
• BZ - 474847 - iptables-restore manpage out of date/lacking information
• BZ - 487649 - iptables-devel package missing some header files

CVEs

(none)

References

(none)