[pkg-netfilter-team] Bug#1006789: iptables-restore fails unless -v or -n flag is specified

timw tim at tee-jay.org.uk
Fri Mar 4 23:42:49 GMT 2022


Package: iptables
Version: 1.8.7-1
Severity: normal
Tags: ipv6
X-Debbugs-Cc: tim at tee-jay.org.uk

Dear Maintainer,


   * What led up to the situation?
As root attempting to restore a trivial tables config from a file written by 
iptables-save over a completely flushed table

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
Ran the following command:
iptables-restore /etc/iptables/rules.v4

   * What was the outcome of this action?
The following messages were seen on stdout/stderr:
iptables-restore v1.8.7 (nf_tables): 
line 10: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 10: CHAIN_UPDATE failed (Device or resource busy): chain INPUT
line 10: CHAIN_ADD failed (Device or resource busy): chain FORWARD
line 10: CHAIN_UPDATE failed (Device or resource busy): chain FORWARD
line 10: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 10: CHAIN_UPDATE failed (Device or resource busy): chain OUTPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
Tables were not populated with any of the contents of the file.

   * What outcome did you expect instead?
Tables to be populated with the contents of the file.


Workaround found while troubleshooting is that when running the same command 
but with the --verbose flag set the tables are correctly populated with the
contents of the file and the following output on stdout/stderr:
# Generated by iptables-save v1.8.7 on Fri Mar  4 00:51:20 2022
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
# Completed on Fri Mar  4 00:51:20 2022

ip6tables-restore behaves in the same way. 

Using --noflush instead of --verbose also works but with tables not flushed
first (this is to be expected).


iptables-restore is linked as follows on this system:

/usr/sbin/iptables-restore
          v
/etc/alternatives/iptables-restore
          v
/usr/sbin/iptables-nft-restore
          v
xtables-nft-multi
      



-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0 (SMP w/1 CPU thread)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages iptables depends on:
ii  libc6                    2.31-13+deb11u2
ii  libip4tc2                1.8.7-1
ii  libip6tc2                1.8.7-1
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.8-3
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.9-1
ii  libxtables12             1.8.7-1
ii  netbase                  6.3

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
pn  firewalld  <none>
ii  kmod       28-1

-- no debconf information
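
The failure mode described in this report (iptables-restore printing CHAIN_ADD/RULE_APPEND errors and leaving the tables empty, with --verbose as a workaround) means a boot-time restore can leave a host unfiltered. The script below is an added example, not part of the bug report or of the iptables package: it restores a rules file, compares the live iptables-save dump against the file, and retries with --verbose if rules are missing. The function names, the temporary file handling and the sample rules in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that iptables-restore
# actually loaded a rules file. Under the reported bug the plain invocation
# errors out and leaves the tables empty, so a silent boot script would
# leave the host without its firewall. Function names are assumptions.

# Count "-A" rule lines in an iptables-save formatted file (ignores
# comments, "*table" headers, ":CHAIN" policy lines and COMMIT).
count_rules() {
    [ -r "$1" ] || { echo 0; return 1; }
    grep -c '^-A ' "$1" || true
}

# Check that every "-A" rule in SAVED appears verbatim in LIVE (both in
# iptables-save format). Prints missing rules; returns 0 only if none are.
# Caveat: iptables-save may reorder match options, so compare against a
# file that was itself written by iptables-save, as in the report.
check_restored() {
    saved=$1 live=$2 missing=0
    while IFS= read -r line; do
        case $line in
        -A*) grep -qxF -- "$line" "$live" || {
                 echo "missing: $line"; missing=$((missing + 1)); } ;;
        esac
    done < "$saved"
    [ "$missing" -eq 0 ]
}

# Restore RULES, dump the live state, and if rules are missing retry with
# --verbose (the workaround found in the report), then check again.
restore_and_verify() {
    rules=$1 tmp=$(mktemp)
    iptables-restore "$rules" || echo "iptables-restore exited with $?" >&2
    iptables-save > "$tmp"
    if ! check_restored "$rules" "$tmp"; then
        echo "tables incomplete after restore; retrying with --verbose" >&2
        iptables-restore --verbose "$rules"
        iptables-save > "$tmp"
        check_restored "$rules" "$tmp"
    fi
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root): ./restore-check.sh /etc/iptables/rules.v4
if [ "$#" -eq 1 ]; then
    restore_and_verify "$1"
fi
```

The same check applies unchanged to ip6tables-restore and rules.v6 by substituting the ip6tables commands.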


