[pkg-netfilter-team] Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains
Arturo Borrero Gonzalez
arturo at debian.org
Fri Nov 16 11:43:43 GMT 2018
Control: tag -1 unreproducible
On Fri, 16 Nov 2018 23:20:02 +1300 Amos Jeffries <squid3 at treenet.co.nz>
wrote:
> Followup experiments isolating the custom sub-chain are showing even
> worse behaviour from the new iptables (-nft flavour).
>
> These commands
>
> iptables -N test-foo
> iptables -I test-foo 1 -s 127.0.0.1 -j REJECT
>
> Produce this output:
>
> iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument):
> rule in chain test-foo
>
>
> And this absurd syslog message:
>
> x_tables: ip_tables: REJECT target: used from hooks FORWARD, but only
> usable from INPUT/FORWARD/OUTPUT
>
Upstream reports that this does work on other systems.
Which kernel are you running? Mine is:
arturo at endurance:~ $ uname -r
4.18.0-2-amd64
This is my local test:
arturo at endurance:~ $ sudo iptables-nft -N test-foo
arturo at endurance:~ $ sudo iptables-nft -I test-foo 1 -s 127.0.0.1 -j REJECT
arturo at endurance:~ $ sudo iptables-nft-save
# Generated by xtables-save v1.8.2 on Fri Nov 16 12:40:51 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test-foo - [0:0]
-A test-foo -s 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Nov 16 12:40:51 2018
Closing bug now, feel free to reopen if required. Thanks for reporting.
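Since the report is being closed as unreproducible, the useful thing for anyone hitting this is a self-contained reproducer that reports exactly what the maintainer asked for (kernel, iptables version) and checks the result the same way Arturo did, via the *-save output. The script below is an added example, not part of the bug report or of Arturo's reply and not Debian's or the netfilter project's code. It assumes a throwaway chain name (bug913877-test, so an existing test-foo is left alone) and selects the flavour binary through IPT, defaulting to iptables-nft as in the reply; the live ruleset is only touched when IPT_REPRO=1 is set, so the two check helpers can be exercised without root.

```shell
#!/bin/sh
# Added reproducer for Debian bug #913877 (example code, not from the report
# or the maintainer's reply). Creates a user chain, inserts the REJECT rule
# exactly as in the report, checks the saved ruleset, and cleans up.
# Assumptions not taken from the page: the chain name and the IPT variable.

IPT="${IPT:-iptables-nft}"     # or iptables-legacy to compare flavours
SAVE="${IPT}-save"             # iptables-nft-save / iptables-legacy-save
CHAIN="bug913877-test"

# rule_in_save SAVE_OUTPUT CHAIN
# Succeeds when the saved ruleset contains the REJECT rule for 127.0.0.1 in
# CHAIN, in the form xtables-save prints it: the mask is normalised to /32 and
# the REJECT target adds its default --reject-with icmp-port-unreachable.
rule_in_save() {
    printf '%s\n' "$1" | grep -qxF -- \
        "-A $2 -s 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable"
}

# insert_failed STDERR_TEXT
# Succeeds when iptables printed the RULE_INSERT failure quoted in the report.
insert_failed() {
    printf '%s\n' "$1" | grep -q 'RULE_INSERT failed'
}

# repro: needs root and the netfilter modules loaded. Prints kernel and
# iptables version, then whether the insert into a user chain succeeded.
repro() {
    uname -r
    "$IPT" --version
    "$IPT" -N "$CHAIN"
    if err=$("$IPT" -I "$CHAIN" 1 -s 127.0.0.1 -j REJECT 2>&1); then
        saved=$("$SAVE")
        if rule_in_save "$saved" "$CHAIN"; then
            echo "OK: REJECT rule accepted in user chain $CHAIN"
        else
            echo "WARNING: insert returned 0 but the rule is not in $SAVE output"
        fi
    else
        echo "FAIL: $err"
        if insert_failed "$err"; then
            echo "matches the #913877 symptom; check dmesg for the x_tables REJECT message"
        fi
    fi
    # Clean up: flush before deleting, -X refuses a non-empty chain.
    "$IPT" -F "$CHAIN"
    "$IPT" -X "$CHAIN"
}

# Only modify the live ruleset when explicitly requested.
if [ "${IPT_REPRO:-0}" = 1 ]; then
    repro
fi
```

Run it as `sudo IPT_REPRO=1 sh repro.sh` on the affected host and again with `IPT=iptables-legacy` to confirm the failure is specific to the nf_tables flavour; the output, together with the kernel version, is what a reopened report should include.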