[pkg-netfilter-team] Bug#929976: /usr/sbin/xtables-nft-multi: ebtables-nft-restore errors with -o option on chains which ebtables-legacy-restore accepts
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Jun 4 17:53:55 BST 2019
Package: iptables
Version: 1.8.2-4
Severity: important
File: /usr/sbin/xtables-nft-multi
Dear Maintainer,
When using the '-o' / '--out-interface' option I get a regression
between legacy ebtables and new nft backed ebtables.
E.g., using the following rules:
# cat ebtables-fwd-no-o-options-allowed.rules
*filter
:PVEFW-FORWARD ACCEPT
:PVEFW-FWBR-OUT ACCEPT
-A PVEFW-FORWARD -p IPv4 -j ACCEPT
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
-A FORWARD -j PVEFW-FORWARD
Which, as is, look a bit useless, so it should be stated that this
is only the boilerplate for triggering this regression; we insert rules
for virtual machines and Linux containers here, those are omitted to keep
the trigger more minimal.
I can successfully restore those ebtables under Stretch or using the
legacy ebtables, e.g., by doing:
# cat ebtables-fwd-no-o-options-allowed.rules | ebtables-legacy-restore
But using the new nft backed command I get the following error:
# cat ebtables-fwd-no-o-options-allowed.rules | ebtables-nft-restore
Use -o only in OUTPUT, FORWARD and POSTROUTING chains.
While the man page talks about the option being useful in combination
with the chains mentioned by the error, it does not state that it's
forbidden to use it with others; the behaviour the legacy tool
shows also supports this:
> -o, --out-interface [!] name
> The interface (bridge port) via which a frame is going to be
> sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
> ING chains). If the interface name ends with '+', then any in‐
> terface name that begins with this name (disregarding '+') will
> match. The flag --out-if is an alias for this option.
-- man ebtables-legacy
I tested also with the 1.8.3-1~exp1 release of iptables currently in
experimental, same behaviour here.
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.0.8-050008-generic (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iptables depends on:
ii libc6 2.28-10
ii libip4tc0 1.8.2-4
ii libip6tc0 1.8.2-4
ii libiptc0 1.8.2-4
ii libmnl0 1.0.4-2
ii libnetfilter-conntrack3 1.0.7-1
ii libnfnetlink0 1.0.1-3+b1
ii libnftnl11 1.1.2-2
ii libxtables12 1.8.2-4
Versions of packages iptables recommends:
ii nftables 0.9.0-2
Versions of packages iptables suggests:
ii kmod 26-1
-- no debconf information
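Added example (not part of the bug report and not code from the iptables or Proxmox projects): a small pre-migration lint that reads an ebtables-save style file, flags every '-o' / '--out-interface' / '--out-if' match that sits in a chain other than OUTPUT, FORWARD or POSTROUTING (the restriction the ebtables-nft-restore error quotes), and walks the '-j' jump graph from the built-in chains to report which of them can actually reach the offending user chain. The parser only handles the subset of syntax visible in the report ('*table', ':CHAIN POLICY', '-A CHAIN ... -j TARGET'); the set of built-in chain names and the second sample file are assumptions made for the example.

```python
"""Lint ebtables-save output for '-o' in user-defined chains.

ebtables-nft-restore 1.8.x rejects such rules with
"Use -o only in OUTPUT, FORWARD and POSTROUTING chains." while
ebtables-legacy-restore accepts them. Added example, not project code.
"""
import shlex

OUT_IF_CHAINS = {"OUTPUT", "FORWARD", "POSTROUTING"}
# Assumed set of built-in ebtables chains across the filter/nat/broute tables.
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING", "BROUTING"}
OUT_IF_OPTS = {"-o", "--out-interface", "--out-if"}

# Copy of the trigger file from the report (constructed input for the lint).
TRIGGER_RULES = """\
*filter
:PVEFW-FORWARD ACCEPT
:PVEFW-FWBR-OUT ACCEPT
-A PVEFW-FORWARD -p IPv4 -j ACCEPT
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
-A FORWARD -j PVEFW-FORWARD
"""

# Constructed counter-example: a user chain only reachable from INPUT.
INPUT_SIDE_RULES = """\
*filter
:MYCHAIN ACCEPT
-A MYCHAIN -o eth0 -j DROP
-A INPUT -j MYCHAIN
-A FORWARD -o fwln+ -j ACCEPT
"""


def parse_rules(text):
    """Return a list of (table, chain, option_tokens) for every -A line."""
    table, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):        # chain declaration, e.g. :CHAIN POLICY
            continue
        else:
            toks = shlex.split(line)
            if len(toks) >= 2 and toks[0] == "-A":
                rules.append((table, toks[1], toks[2:]))
    return rules


def jump_targets(tokens):
    """Yield every target named after -j / --jump in one rule."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-j", "--jump"):
            yield tokens[i + 1]


def reachable_from_builtins(rules):
    """Map chain name -> set of built-in chains whose traversal can reach it."""
    edges = {}
    for _table, chain, toks in rules:
        for target in jump_targets(toks):
            edges.setdefault(chain, set()).add(target)
    reach = {}
    for start in BUILTIN:                 # depth-first walk of the jump graph
        stack, seen = [start], set()
        while stack:
            for nxt in edges.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        for chain in seen:
            reach.setdefault(chain, set()).add(start)
    return reach


def find_out_interface_violations(text):
    """Rules that ebtables-nft-restore would reject, with graph context.

    'safe_by_graph' is True when every built-in chain that can reach the
    user chain is itself one where -o is allowed, i.e. the legacy tool's
    acceptance is semantically harmless for that rule.
    """
    rules = parse_rules(text)
    reach = reachable_from_builtins(rules)
    findings = []
    for table, chain, toks in rules:
        if chain in OUT_IF_CHAINS or not any(t in OUT_IF_OPTS for t in toks):
            continue
        callers = reach.get(chain, set())
        findings.append({
            "table": table,
            "chain": chain,
            "rule": " ".join(toks),
            "callers": sorted(callers),
            "safe_by_graph": bool(callers) and callers <= OUT_IF_CHAINS,
        })
    return findings


if __name__ == "__main__":
    for name, text in (("trigger", TRIGGER_RULES), ("input-side", INPUT_SIDE_RULES)):
        for f in find_out_interface_violations(text):
            print(name, f)
```

Run against the report's file it reports the single '-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT' rule and notes that PVEFW-FORWARD is only reachable from FORWARD, which is the reason the legacy behaviour is harmless here; the second sample shows the same option in a chain reachable only from INPUT, where the restriction is actually meaningful.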