Your message dated Sat, 16 Feb 2019 23:40:12 +0100
with message-id
<ca+fnjvah31wm8o9a8wl7mx_cynzos3zaix5k8b6wh8dpp7z...@mail.gmail.com>
and subject line Re: iptables-restore: cannot jump to earlier initialized chain
has caused the Debian Bug report #921639,
regarding iptables-restore: cannot jump to earlier initialized chain
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
921639: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921639
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.8.2-3
Severity: important
I ran into a bug in iptables-restore. This works:
*filter
:FILERS_UDP - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP
-A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump ACCEPT
COMMIT
And this doesn't:
*filter
:FILERS_UDP - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump ACCEPT
-A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP
COMMIT
# iptables-restore -4 -t < iptables-saved.txt
iptables-restore v1.8.2 (nf_tables):
line 7: RULE_APPEND failed (Invalid argument): rule in chain INPUT
The only difference is where the -A FILERS_UDP line is; if it's before
INPUT it fails, if it's after INPUT it works. That does not make sense.
I ran into this bug on a system that was upgraded from stretch to
buster, with a "ferm" firewall. "ferm" compiles its own language into
iptables-save output and uses iptables-restore to load the rules. When
generating the iptables-save output it sorts the chains alphabetically.
So chains that are referred to in the INPUT chain, that start with a
letter before 'I', result in this bug. Renaming them to something that
starts with a letter that sorts after 'I' made it work. Took me a while
to find the cause :)
Mike.
--- End Message ---
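The report above shows that iptables-restore 1.8.2 (nf_tables backend) accepts the dump only when the rule that jumps into FILERS_UDP is appended before FILERS_UDP's own rules. Renaming chains, as the reporter did, works around ferm's alphabetical ordering but is fragile. The following added example (not code from iptables, ferm or the bug report) generalises the observed constraint into a rewrite of the dump: within each table it emits a chain's rules only after every rule that jumps to that chain, while keeping the order of rules inside each chain unchanged, so the rule set's semantics are the same. It assumes jumps appear as -j/--jump/-g/--goto, as iptables-save writes them, and that there are no reference cycles between chains (iptables rejects those anyway, so the script raises rather than guessing); the sample dump is constructed from the failing file in the report.

```python
"""Reorder the -A lines of an iptables-save dump so that, within each table,
a chain's rules come after every rule that jumps to (or goes to) that chain.
Rule order within a chain is preserved, so the semantics are unchanged.

Added example based on the ordering observed in Debian bug #921639; it is not
part of iptables or ferm. Assumed: jumps use -j/--jump/-g/--goto (as
iptables-save writes them) and there are no jump cycles between chains.
"""
from collections import defaultdict

JUMP_FLAGS = {"-j", "--jump", "-g", "--goto"}


def parse_rule(line):
    """Return (chain, target) for an '-A CHAIN ... -j TARGET' line.

    target is None when the rule has no jump/goto at all."""
    tokens = line.split()
    chain = tokens[1]
    target = None
    for i, tok in enumerate(tokens):
        if tok in JUMP_FLAGS and i + 1 < len(tokens):
            target = tokens[i + 1]
    return chain, target


def reorder_table(lines):
    """Reorder one table block ('*name' through 'COMMIT', inclusive)."""
    header, trailer = [], []
    rules = defaultdict(list)   # chain -> its rules, original order kept
    first_seen = []             # chains in order of first appearance (tie-break)
    for line in lines:
        if line.startswith("-A "):
            chain, _ = parse_rule(line)
            if chain not in rules:
                first_seen.append(chain)
            rules[chain].append(line)
        elif line.startswith("COMMIT"):
            trailer.append(line)
        else:
            header.append(line)   # '*table', ':CHAIN policy [p:b]', comments

    # referrers[target] = chains holding a rule that jumps to target.
    # Every referrer must be emitted before the target chain's own rules.
    # Targets like ACCEPT/DROP are not keys of `rules`, so they are skipped.
    referrers = defaultdict(set)
    for chain, chain_rules in rules.items():
        for rule in chain_rules:
            _, target = parse_rule(rule)
            if target in rules and target != chain:
                referrers[target].add(chain)

    ordered, pending = [], list(first_seen)
    while pending:
        ready = [c for c in pending if referrers[c] <= set(ordered)]
        if not ready:
            raise ValueError("jump cycle among chains: %s" % ", ".join(pending))
        chain = ready[0]       # first ready chain in original order
        ordered.append(chain)
        pending.remove(chain)

    body = [rule for chain in ordered for rule in rules[chain]]
    return header + body + trailer


def reorder_dump(text):
    """Apply reorder_table to every table of a full iptables-save dump."""
    out, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = [line]
        elif table is not None:
            table.append(line)
            if line.startswith("COMMIT"):
                out.extend(reorder_table(table))
                table = None
        else:
            out.append(line)   # '# Generated by ...' / '# Completed ...'
    return "\n".join(out) + "\n"


# Constructed input in the shape of the report's failing file: the FILERS_UDP
# rule sorts before the INPUT rule that jumps to it.
FAILING_DUMP = """\
*filter
:FILERS_UDP - [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump ACCEPT
-A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP
COMMIT
"""

if __name__ == "__main__":
    # Emits the dump with the INPUT rule first, i.e. the report's working order.
    print(reorder_dump(FAILING_DUMP), end="")
```

Pipe the result through `iptables-restore --test` (the `-t` used in the report) before loading it for real; the rewrite only changes the order in which chains' rules are appended, so any remaining RULE_APPEND error points at a different problem than the one reported here.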
--- Begin Message ---
Fixed as per previous comment.
--- End Message ---