Package: iptables Version: 1.8.2-3 Severity: important I ran into a bug in iptables-restore. This works:
*filter :FILERS_UDP - [0:0] :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP -A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump ACCEPT COMMIT And this doesn't: *filter :FILERS_UDP - [0:0] :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump ACCEPT -A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP COMMIT # iptables-restore -4 -t < iptables-saved.txt iptables-restore v1.8.2 (nf_tables): line 7: RULE_APPEND failed (Invalid argument): rule in chain INPUT The only difference is where the -A FILERS_UDP line is; if it's before INPUT it fails, if it's after INPUT it works. That does not make sense. I ran into this bug on a system that was upgraded from stretch to buster, with a "ferm" firewall. "ferm" compiles its own language into iptables-save output and uses iptables-restore to load the rules. When generating the iptables-save output it sorts the chains alphabetically. So chains that are referred to in the INPUT chain, that start with a letter before 'I', result in this bug. Renaming them to something that starts with a letter that sorts after 'I' made it work. Took me a while to find the cause :) Mike.
