[pkg-netfilter-team] Bug#921639: iptables-restore: cannot jump to earlier initialized chain
Miquel van Smoorenburg
miquels at debian.org
Thu Feb 7 15:16:21 GMT 2019
Package: iptables
Version: 1.8.2-3
Severity: important
I ran into a bug in iptables-restore. This works:
*filter
:FILERS_UDP - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP
-A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump
ACCEPT
COMMIT
And this doesn't:
*filter
:FILERS_UDP - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump
ACCEPT
-A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP
COMMIT
# iptables-restore -4 -t < iptables-saved.txt
iptables-restore v1.8.2 (nf_tables):
line 7: RULE_APPEND failed (Invalid argument): rule in chain INPUT
The only difference is where the -A FILERS_UDP line is; if it's before
INPUT it fails, if it's after INPUT it works. That does not make sense.
I ran into this bug on a system that was upgraded from stretch to
buster, with a "ferm" firewall. "ferm" compiles its own language into
iptables-save output and uses iptables-restore to load the rules. When
generating the iptables-save output it sorts the chains alphabetically.
So chains that are referred to in the INPUT chain, that start with a
letter before 'I', result in this bug. Renaming them to something that
starts with a letter that sorts after 'I' made it work. Took me a while
to find the cause :)
Mike.
More information about the pkg-netfilter-team
mailing list