<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - &quot;Bad argument `ACCEPT'&quot; when iptables-restore (nft) parses stdin" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1394">1394</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>"Bad argument `ACCEPT'" when iptables-restore (nft) parses stdin
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>URL</th>
<td>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946289
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables-restore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>jamie@strandboge.com
</td>
</tr></table>
<p>
<div>
<pre>In Debian, a user reported that ufw (a frontend to iptables) was not working:
<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946289">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946289</a>

After investigating, this turned out to be an issue with iptables-nft-restore
(recall that in Debian there are both the nft and the legacy commands that
users may choose). Here is a simple reproducer on Debian with 1.8.4-1:

Create some simple policy:

$ cat /tmp/pol
*filter
# builtin chains
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

With 1.8.2-4 on buster:

$ cat /tmp/pol | sudo /usr/sbin/iptables-legacy-restore -n
$ cat /tmp/pol | sudo /usr/sbin/iptables-nft-restore -n
$

With 1.8.4-1 on sid:

$ cat /tmp/pol | sudo /usr/sbin/iptables-legacy-restore -n
$ cat /tmp/pol | sudo /usr/sbin/iptables-nft-restore -n
Bad argument `ACCEPT'
Error occurred at line: 4
Try `iptables-nft-restore -h' or 'iptables-nft-restore --help' for more
information.

but everything seems fine when parsing the file directly:

$ sudo /usr/sbin/iptables-legacy-restore /tmp/pol
$ sudo /usr/sbin/iptables-nft-restore /tmp/pol
$

The reporter in the bug claimed that downgrading to 1.8.3 allowed things to
work again, so it appears that this was introduced in 1.8.4.

I see that parsing behavior changed in
<a href="https://git.netfilter.org/iptables/commit/?h=v1.8.4&id=a7a6062f8ffe789703a6b4397c08dfb0c20a3009">https://git.netfilter.org/iptables/commit/?h=v1.8.4&id=a7a6062f8ffe789703a6b4397c08dfb0c20a3009</a>,
but I did not perform a bisect to determine it as the cause for the regression.</pre>
</div>
</p>
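<p>The report above hinges on one input being tokenised differently depending on whether it arrives on stdin or from a named file. The following is an added example, not code from the report, from iptables or from Debian: a small Python parser for the subset of the iptables-save/iptables-restore text format used in the reproducer (<code>*table</code> headers, <code>:CHAIN POLICY [packets:bytes]</code> lines, <code>#</code> comments, <code>-A</code> rule lines and <code>COMMIT</code>), reading stdin and files through one code path and reporting the 1-based input line of any rejected token in the same shape as the message in the report. The function and class names, the sample inputs and the error texts are this example's own choices; it does not reproduce the nft backend's logic or claim to explain why 1.8.4 rejected <code>ACCEPT</code>.</p>

```python
"""Added example (not iptables code): parser for the ruleset subset in the report."""
import re
import sys
from dataclasses import dataclass, field
from io import StringIO

# Constructed test input, copied from the /tmp/pol file shown in the report.
SAMPLE_POLICY = """*filter
# builtin chains
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; builtin chains carry ACCEPT or DROP,
# user-defined chains carry "-" in the policy slot.
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[(\d+):(\d+)\]$")


@dataclass
class Table:
    name: str
    chains: dict = field(default_factory=dict)  # chain -> (policy, packets, bytes)
    rules: list = field(default_factory=list)   # raw "-A ..." lines, in order
    committed: bool = False


class RestoreSyntaxError(ValueError):
    """Carries the 1-based input line, the way iptables-restore reports it."""

    def __init__(self, lineno, msg):
        super().__init__(f"{msg}\nError occurred at line: {lineno}")
        self.lineno = lineno


def parse_ruleset(stream):
    """Parse a ruleset from any line iterator (sys.stdin, an open file, StringIO).

    Every input source goes through this one function so that tokenisation
    cannot differ between stdin and a file.  Line numbers count every input
    line, comments and blank lines included.
    """
    tables, current, lineno = [], None, 0
    for lineno, raw in enumerate(stream, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("*"):
            if current is not None and not current.committed:
                raise RestoreSyntaxError(lineno, f"table `{current.name}' not committed")
            current = Table(name=line[1:].strip())
            tables.append(current)
        elif current is None:
            raise RestoreSyntaxError(lineno, "directive outside a *table block")
        elif line == "COMMIT":
            current.committed = True
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m is None:
                # Same message shape as the report: name the offending token.
                tokens = line.split()
                bad = tokens[1] if len(tokens) > 1 else line
                raise RestoreSyntaxError(lineno, f"Bad argument `{bad}'")
            chain, policy, pkts, nbytes = m.groups()
            current.chains[chain] = (policy, int(pkts), int(nbytes))
        elif line.startswith("-A "):
            parts = line.split()
            if len(parts) < 2 or parts[1] not in current.chains:
                raise RestoreSyntaxError(lineno, f"rule references undeclared chain: {line!r}")
            current.rules.append(line)
        else:
            raise RestoreSyntaxError(lineno, f"unrecognised line: {line!r}")
    if current is not None and not current.committed:
        raise RestoreSyntaxError(lineno, f"table `{current.name}' not committed")
    return tables


def parse_text(text):
    """Parse an in-memory ruleset (used for the self-check below)."""
    return parse_ruleset(StringIO(text))


def parse_path_or_stdin(path=None):
    """Same parser whether the ruleset is piped in or named on the command line."""
    if path is None or path == "-":
        return parse_ruleset(sys.stdin)
    with open(path, encoding="utf-8") as fh:
        return parse_ruleset(fh)


def error_line(text):
    """Line number at which a ruleset is rejected, or 0 if it parses cleanly."""
    try:
        parse_text(text)
    except RestoreSyntaxError as exc:
        return exc.lineno
    return 0


if __name__ == "__main__":
    # python3 ipt_restore_parse.py /tmp/pol   or   cat /tmp/pol | python3 ipt_restore_parse.py
    try:
        for t in parse_path_or_stdin(sys.argv[1] if len(sys.argv) > 1 else None):
            print(f"*{t.name}: {len(t.chains)} chains, {len(t.rules)} rules")
    except RestoreSyntaxError as exc:
        print(exc, file=sys.stderr)
        sys.exit(1)
```

<p>Run it both ways on the same file, as the reporter did with the two restore binaries; because both entry points call <code>parse_ruleset</code>, a divergence between <code>cat /tmp/pol | python3 ipt_restore_parse.py</code> and <code>python3 ipt_restore_parse.py /tmp/pol</code> can only come from the input bytes themselves, which is the property the report shows iptables-nft-restore 1.8.4 lacking.</p>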
</body>
</html>