[pkg-netfilter-team] Bug#949518: ufw: does not work with iptables-restore 1.8.4-2 (blank line in file)

Jamie Strandboge jamie at strandboge.com
Wed Jan 22 16:02:28 GMT 2020


On Tue, 21 Jan 2020, Paul Aurich wrote:

> Package: ufw
> Version: 0.36-1
> Severity: grave
> Justification: renders package unusable
> 
> ufw fails to start with iptables 1.8.4-2, even after #946289 is fixed.
> Downgrading to iptables 1.8.3-2 fixes this.  iptables-restore
> (iptables-nft-restore) can no longer handle blank lines in the restored file.

Thank you for the report. I can confirm this regression in iptables
1.8.4 and have filed https://bugzilla.netfilter.org/show_bug.cgi?id=1400
upstream.

There are two cases (outlined in the upstream bug) that are causing ufw
trouble when using iptables-nft-restore with stdin:

Policy of the form:

$ cat /tmp/blank-with-policy
*filter
# comment
-A INPUT -j ACCEPT

COMMIT
$

and of the form:

$ cat /tmp/blank-outside-of-policy
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$

The former results in iptables-nft-restore erroring out and the latter
results in iptables-nft-restore exiting with a 0 return code but not
adding the policy.

Tested with 1.8.4-2. Downgrading to 1.8.3 resolves the issue[1]. As an
alternative to downgrading, until this bug is resolved, users may also
use iptables-legacy via:

$ sudo update-alternatives --config iptables
$ sudo update-alternatives --config ip6tables

[1] obtain iptables, libip4tc2, libip6tc2, libiptc0 and libxtables12 from
    http://snapshot.debian.org/package/iptables/1.8.3-2/

-- 
Email: jamie at strandboge.com
IRC:   jdstrand
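The two rule files above differ only in where the blank line sits, yet one makes iptables-nft-restore 1.8.4 error out and the other makes it silently skip the policy. The following is an added example, not part of this bug report or of ufw or iptables, showing a defensive pre-check and a normalisation step that a caller could run before piping a ruleset into iptables-restore. The function names (check_ruleset, count_blank_lines, strip_blank_lines) are my own, the two files are constructed to mirror the cases in the report, and treating whitespace-only lines as blank is an assumption on my part (the report only mentions empty lines). Nothing here invokes iptables, so it runs anywhere with a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the bug report): guard and normalise an
# iptables-restore ruleset so it contains no blank lines before it is
# handed to iptables-nft-restore 1.8.4.

# Count blank (empty or whitespace-only) lines in the ruleset file $1.
# grep -c exits 1 when the count is 0, so '|| true' keeps the caller's
# 'set -e' from aborting on a clean file.
count_blank_lines() {
    grep -c '^[[:space:]]*$' "$1" || true
}

# Exit 0 when $1 has no blank lines, 1 otherwise. Intended as a guard:
#   check_ruleset rules.v4 && iptables-restore < rules.v4
# Assumption: whitespace-only lines are treated like empty ones.
check_ruleset() {
    ! grep -q '^[[:space:]]*$' "$1"
}

# Write $1 to $2 with blank lines removed. Comment lines are kept; the
# report shows that comments load fine and only blank lines trigger the bug.
strip_blank_lines() {
    grep -v '^[[:space:]]*$' "$1" > "$2"
}

# Constructed sample files modelled on the two cases in the report.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Case 1: blank line inside the *filter ... COMMIT block (restore errors out).
cat > "$WORK/blank-with-policy" <<'EOF'
*filter
# comment
-A INPUT -j ACCEPT

COMMIT
EOF

# Case 2: blank line before the table header (restore exits 0, adds nothing).
cat > "$WORK/blank-outside-of-policy" <<'EOF'
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
EOF

# Normalise both files; the cleaned copies are what would be piped to
# iptables-restore.
strip_blank_lines "$WORK/blank-with-policy" "$WORK/clean-1"
strip_blank_lines "$WORK/blank-outside-of-policy" "$WORK/clean-2"

# Report what the guard sees before and after normalisation.
for f in blank-with-policy blank-outside-of-policy clean-1 clean-2; do
    if check_ruleset "$WORK/$f"; then
        echo "$f: ok ($(count_blank_lines "$WORK/$f") blank lines)"
    else
        echo "$f: REJECT ($(count_blank_lines "$WORK/$f") blank lines)"
    fi
done
```

The guard is deliberately separate from the stripping step: rejecting a file loudly is safer than silently rewriting it, because the second case in the report shows that a zero exit status from iptables-nft-restore does not mean the policy was loaded.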