[pkg-netfilter-team] Bug#912610: iptables/ip6tables -Z <chain> doesn't work with nf_tables variety of iptables

Jamie Strandboge jamie at ubuntu.com
Thu Nov 1 20:48:24 GMT 2018


Package: iptables
Version: 1.8.1-2
Severity: normal

Dear Maintainer,

I am the maintainer of ufw in Debian and received bug report #911986 with a
preliminary analysis here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911986#35

In short, the nf_tables variety of iptables differs in how it handles -Z for
user defined chains. E.g.:

With legacy:
$ sudo iptables-legacy --version
iptables v1.8.1 (legacy)

$ sudo iptables-legacy -N foo

$ sudo iptables-legacy -L foo
Chain foo (0 references)
target     prot opt source               destination

$ sudo iptables-legacy -Z foo

$ sudo iptables-legacy -X foo


And with nf_tables:
$ sudo iptables --version
iptables v1.8.1 (nf_tables)

$ sudo iptables -N foo

$ sudo iptables -L foo
Chain foo (0 references)
target     prot opt source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them

$ sudo iptables -Z foo   # REGRESSION ???
iptables v1.8.1 (nf_tables):  (null) failed (Operation not supported): chain foo

$ sudo iptables -X foo


I tested with ip6tables and ip6tables-legacy and -Z is not supported by
ip6tables either, where it is in ip6tables-legacy.

The man page for iptables states that -Z is supported (the man page is
unchanged from 1.6 wrt -Z).

Can you advise if this is indeed a regression in 1.8 or is it intended
behavior? If intended behavior, I'll need to update ufw accordingly
(preliminary testing shows it seems otherwise to work ok with the nf_tables
variety of iptables).

Thanks!

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.27-8
ii  libip4tc0                1.8.1-2
ii  libip6tc0                1.8.1-2
ii  libiptc0                 1.8.1-2
ii  libmnl0                  1.0.4-2
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl7                1.1.1-1
ii  libxtables12             1.8.1-2

iptables recommends no packages.

Versions of packages iptables suggests:
ii  kmod  25-1

-- no debconf information
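As an added example (not part of the bug report, and not ufw's own code), the following POSIX shell script lets a firewall wrapper detect the behaviour described above before relying on it: it maps the `--version` banner to the iptables variant and probes whether `-Z <chain>` is accepted on a throwaway user chain, cleaning up afterwards. The binary names in the final loop and the scratch chain name are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or from ufw: detect the installed
# iptables variant and test whether "-Z <chain>" works on a scratch chain.

# Map an "iptables --version" line (e.g. "iptables v1.8.1 (nf_tables)") to
# its variant; prints "legacy", "nf_tables" or "unknown".
iptables_variant() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Create a throwaway chain, try to zero its counters, then delete it.
# Exit status: 0 = "-Z <chain>" works, 1 = it is rejected (the behaviour
# reported above), 2 = cannot test (binary missing, not root, or -N failed).
probe_zero_chain() {
    bin="${1:-iptables}"
    chain="${2:-zprobe_$$}"      # constructed scratch chain name (assumption)
    command -v "$bin" >/dev/null 2>&1 || return 2
    [ "$(id -u 2>/dev/null)" = 0 ] || return 2
    "$bin" -N "$chain" >/dev/null 2>&1 || return 2
    if "$bin" -Z "$chain" >/dev/null 2>&1; then rc=0; else rc=1; fi
    "$bin" -X "$chain" >/dev/null 2>&1   # always remove the scratch chain
    return "$rc"
}

# One-line verdict for a single binary; returns the probe status.
report() {
    bin="$1"
    ver="$("$bin" --version 2>/dev/null)" || ver="$bin (not installed)"
    variant="$(iptables_variant "$ver")"
    rc=0
    probe_zero_chain "$bin" || rc=$?
    case "$rc" in
        0) echo "$bin [$variant]: -Z <chain> works" ;;
        1) echo "$bin [$variant]: -Z <chain> rejected (see bug report above)" ;;
        *) echo "$bin [$variant]: could not test (needs root and the binary)" ;;
    esac
    return "$rc"
}

# Usage: run as root on the system under test. Binary names are assumptions.
for b in iptables iptables-legacy ip6tables ip6tables-legacy; do
    report "$b" || true
done
```

A wrapper such as ufw can call `probe_zero_chain` once at startup and only issue per-chain `-Z` when it returns 0; status 2 means the environment could not be probed and is deliberately distinct from a rejection.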
