<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - &quot;COMMIT expected at line ...&quot; when iptables-restore 1.8.4 (nft) parses stdin with empty lines"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1400">1400</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>"COMMIT expected at line ..." when iptables-restore 1.8.4 (nft) parses stdin with empty lines
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>URL</th>
<td>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949518
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables-restore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>jamie@strandboge.com
</td>
</tr>
<tr>
<th>CC</th>
<td>arturo@netfilter.org
</td>
</tr></table>
<p>
<div>
<pre>In Debian, a user reported that ufw (a frontend to iptables) was not working:
<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949518">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949518</a>
After investigating, this is a new issue with iptables-nft-restore in 1.8.4
(with
<a href="https://git.netfilter.org/iptables/commit/?id=a103fbfadf4c17b8b12caa57eef72deaaa71a18c">https://git.netfilter.org/iptables/commit/?id=a103fbfadf4c17b8b12caa57eef72deaaa71a18c</a>
to fix <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - &quot;Bad argument `ACCEPT'&quot; when iptables-restore 1.8.4 (nft) parses stdin"
href="show_bug.cgi?id=1394">https://bugzilla.netfilter.org/show_bug.cgi?id=1394</a> applied) when
parsing policy files on stdin which contain empty lines.
Create some simple policy:
$ cat /tmp/pol
*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$
With 1.8.2-4 on Debian buster, processing the file directly and on stdin are
both fine with iptables-legacy-restore and iptables-nft-restore:
$ sudo iptables-legacy-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft-restore /tmp/pol && echo yes
yes
$ cat /tmp/pol | sudo iptables-legacy-restore -n && echo yes
yes
$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
yes
With 1.8.4-2 (it has the fix for <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - &quot;Bad argument `ACCEPT'&quot; when iptables-restore 1.8.4 (nft) parses stdin"
href="show_bug.cgi?id=1394">bug#1394</a>) on sid, when processing the file
directly, it is fine:
$ sudo iptables-legacy-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft-restore /tmp/pol && echo yes
yes
But processing on stdin fails with iptables-nft-restore:
$ cat /tmp/pol | sudo iptables-legacy-restore -n && echo yes
yes
$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
iptables-nft-restore: COMMIT expected at line 4</pre>
</div>
</p>
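<div>
<p>Added example, not part of the bug report and not iptables project code: a POSIX shell script that builds a policy file like the one above but with an explicit blank line in it (the position of the blank line is an assumption, since the report's listing does not show where it sat), counts the blank lines, strips them before the stream is piped to the restore tool (the obvious workaround while the stdin parser is broken), and runs iptables-nft-restore with --test so the live ruleset is never touched. The restore step runs only when the binary is on PATH and the script runs as root; otherwise it reports "skipped". The function names are my own.</p>

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables project).
# Reproduces the "blank line on stdin" case and shows the workaround of
# filtering blank lines before piping the policy to iptables-nft-restore.

# Write a constructed policy file to $1. The blank line after "*filter" is an
# assumption; the report only says the file "contain[s] empty lines".
make_policy() {
    printf '%s\n' '*filter' '' '# comment' '-A INPUT -j ACCEPT' 'COMMIT' > "$1"
}

# Number of lines in $1 (awk, so the result has no leading whitespace).
count_lines() {
    awk 'END { print NR }' "$1"
}

# Number of blank or whitespace-only lines in $1.
count_blank_lines() {
    awk '/^[[:space:]]*$/ { n++ } END { print n + 0 }' "$1"
}

# Workaround: drop blank and whitespace-only lines so the stream fed to the
# restore tool on stdin never contains an empty line. Prints to stdout.
strip_blank_lines() {
    sed '/^[[:space:]]*$/d' "$1"
}

# Parse-only restore. $1: policy file, $2: restore binary
# (iptables-nft-restore or iptables-legacy-restore), $3: one of
#   file     - pass the path as an argument
#   stdin    - pipe the file unchanged, as in the report
#   filtered - pipe the file with blank lines removed (the workaround)
# Prints "yes" if the parse succeeds, "no" if it fails, "skipped" when the
# binary is missing or we are not root. --test (-t) parses and builds the
# ruleset without committing it; -n is --noflush, as used in the report.
run_restore() {
    pol="$1"; bin="$2"; mode="$3"
    if ! command -v "$bin" >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo skipped
        return 0
    fi
    case "$mode" in
        file)     "$bin" -t "$pol" >/dev/null 2>&1 ;;
        stdin)    cat "$pol" | "$bin" -t -n >/dev/null 2>&1 ;;
        filtered) strip_blank_lines "$pol" | "$bin" -t -n >/dev/null 2>&1 ;;
        *)        echo "unknown mode: $mode" >&2; return 2 ;;
    esac && echo yes || echo no
}

# Stand-alone usage: build the file, then try all three modes with both backends.
main() {
    pol=$(mktemp) || exit 1
    make_policy "$pol"
    echo "blank lines in policy: $(count_blank_lines "$pol")"
    for bin in iptables-legacy-restore iptables-nft-restore; do
        for mode in file stdin filtered; do
            echo "$bin $mode: $(run_restore "$pol" "$bin" "$mode")"
        done
    done
    rm -f "$pol"
}

# Only run main when executed directly, so the functions can be sourced.
case "$0" in *restore_blank_lines*|*sh) main ;; esac
```

<p>On a 1.8.4 (nft) system the interesting row is <code>iptables-nft-restore stdin</code>, which is the case the report shows failing; the <code>filtered</code> row feeds the same policy with the blank line removed, which is the workaround a frontend like ufw can apply until the parser fix lands.</p>
</div>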
</body>
</html>