[pkg-netfilter-team] Bug#951102: iptables-restore empty line not accepted any more (regression)
halfdog
me at halfdog.net
Tue Feb 11 06:00:59 GMT 2020
Package: iptables
Version: 1.8.4-2
Severity: grave
Tags: security
After upgrading from "1.8.3-2", iptables-restore handles empty
lines differently and does not restore the rules. Thus old rulesets
stored with save and then annotated for better readability (to
avoid loads of "iptables -A" calls) do not load any more.
As firewall data is ignored, this might break network access
to machines or have unknown security impact on the current firewall
ruleset.
# iptables-restore --noflush <<EOF
> *nat
>
> -A POSTROUTING -s 10.0.0.0/16 -o usb0 -j SNAT --to-source 192.168.0.1
> COMMIT
> *filter
>
> -A INPUT -p tcp -m tcp --dport 22 -j DROP
> COMMIT
> EOF
iptables-restore: COMMIT expected at line 2
# iptables-restore --noflush <<EOF
> *nat
> -A POSTROUTING -s 10.0.0.0/16 -o usb0 -j SNAT --to-source 192.168.0.1
> COMMIT
> *filter
>
> -A INPUT -p tcp -m tcp --dport 22 -j DROP
> COMMIT
> EOF
iptables-restore: COMMIT expected at line 5
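The following is an added example, not part of the bug report and not iptables project code: a POSIX sh pre-flight check that locates blank lines between a `*table` header and its `COMMIT` (the situation that makes 1.8.4 stop with "COMMIT expected at line N"), and a normaliser that strips them so an annotated ruleset loads again. The sample ruleset is constructed from the report; the function names are this example's own, and the optional `load_ruleset` helper assumes `iptables-restore --test` is available on the host.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-flight check and normalisation
# of an iptables-save style ruleset before handing it to iptables-restore.
# Only POSIX sh, awk and grep are needed for the check itself.

# Constructed sample, reproducing the annotated layout from the report:
# a blank line after each "*table" header, before the first rule.
SAMPLE_RULESET='*nat

-A POSTROUTING -s 10.0.0.0/16 -o usb0 -j SNAT --to-source 192.168.0.1
COMMIT
*filter

-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT'

# blank_lines_in_tables RULESET
#   Prints "line:N" for every blank line that sits between a "*table"
#   header and its COMMIT (lines outside a table block are ignored).
#   Returns 1 if at least one such line was found, 0 otherwise.
blank_lines_in_tables() {
    printf '%s\n' "$1" | awk '
        /^\*/                       { intable = 1 }
        /^COMMIT/                   { intable = 0 }
        intable && /^[[:space:]]*$/ { print "line:" NR; found = 1 }
        END                         { exit found ? 1 : 0 }
    '
}

# strip_blank_lines RULESET
#   Emits the ruleset with all blank (or whitespace-only) lines removed;
#   comments starting with "#" and real rule lines are kept untouched.
strip_blank_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*$'
}

# load_ruleset RULESET
#   Hypothetical helper: dry-run the cleaned ruleset with --test first, and
#   only apply it (keeping existing rules, --noflush) if the parse succeeds.
#   Not invoked below, since it needs root and a netfilter-capable kernel.
load_ruleset() {
    _clean=$(strip_blank_lines "$1") || return 1
    printf '%s\n' "$_clean" | iptables-restore --test --noflush || return 1
    printf '%s\n' "$_clean" | iptables-restore --noflush
}

# Stand-alone run: report offending lines, then show the cleaned version.
if blank_lines_in_tables "$SAMPLE_RULESET"; then
    echo "ruleset has no blank lines inside table blocks"
else
    echo "blank lines inside table blocks found (listed above); cleaned ruleset:"
    strip_blank_lines "$SAMPLE_RULESET"
fi
```

Running the check on the sample reports `line:2` and `line:6`, the same line the first transcript above fails on; after `strip_blank_lines` the check reports nothing and the ruleset is six lines long.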