Bug#921639: [pkg-netfilter-team] Bug#921639: iptables-restore: cannot jump to earlier initialized chain
On 07/02/2019 17:36, Arturo Borrero Gonzalez wrote: > On 2/7/19 4:16 PM, Miquel van Smoorenburg wrote: >> *filter >> :FILERS_UDP - [0:0] >> :FORWARD ACCEPT [0:0] >> :INPUT ACCEPT [0:0] >> :OUTPUT ACCEPT [0:0] >> -A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump >> ACCEPT >> -A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP >> COMMIT > > Please, share your linux kernel version. May be a Linux kernel issue already > solved. This was indeed on an ancient kernel (4.9). I just installed the latest buster using the buster alpha 5 installer in a VM, and re-tested. Indeed, the problem is gone. I'm sorry for bothering you. Thanks! Mike.
Bug#921639: [pkg-netfilter-team] Bug#921639: iptables-restore: cannot jump to earlier initialized chain
On 2/7/19 4:16 PM, Miquel van Smoorenburg wrote: > Package: iptables > Version: 1.8.2-3 > Severity: important > > I ran into a bug in iptables-restore. This works: > > *filter > :FILERS_UDP - [0:0] > :FORWARD ACCEPT [0:0] > :INPUT ACCEPT [0:0] > :OUTPUT ACCEPT [0:0] > -A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP > -A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump > ACCEPT > COMMIT > > And this doesn't: > > *filter > :FILERS_UDP - [0:0] > :FORWARD ACCEPT [0:0] > :INPUT ACCEPT [0:0] > :OUTPUT ACCEPT [0:0] > -A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump > ACCEPT > -A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP > COMMIT > > Please, share your linux kernel version. May be a Linux kernel issue already solved.
Bug#921639: iptables-restore: cannot jump to earlier initialized chain
Package: iptables Version: 1.8.2-3 Severity: important I ran into a bug in iptables-restore. This works: *filter :FILERS_UDP - [0:0] :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP -A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump ACCEPT COMMIT And this doesn't: *filter :FILERS_UDP - [0:0] :FORWARD ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A FILERS_UDP --protocol udp --dport sunrpc --source 10.0.79.0/27 --jump ACCEPT -A INPUT --protocol udp --source 10.0.0.0/8 --jump FILERS_UDP COMMIT # iptables-restore -4 -t < iptables-saved.txt iptables-restore v1.8.2 (nf_tables): line 7: RULE_APPEND failed (Invalid argument): rule in chain INPUT The only difference is where the -A FILERS_UDP line is; if it's before INPUT it fails, if it's after INPUT it works. That does not make sense. I ran into this bug on a system that was upgraded from stretch to buster, with a "ferm" firewall. "ferm" compiles its own language into iptables-save output and uses iptables-restore to load the rules. When generating the iptables-save output it sorts the chains alphabetically. So chains that are referred to in the INPUT chain, that start with a letter before 'I', result in this bug. Renaming them to something that starts with a letter that sorts after 'I' made it work. Took me a while to find the cause :) Mike.