[Bug 1400] New: "COMMIT expected at line ..." when iptables-restore 1.8.4 (nft) parses stdin with empty lines

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Jan 21 22:49:35 CET 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1400

            Bug ID: 1400
           Summary: "COMMIT expected at line ..." when iptables-restore
                    1.8.4 (nft) parses stdin with empty lines
           Product: iptables
           Version: unspecified
          Hardware: x86_64
               URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949518
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: iptables-restore
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: jamie at strandboge.com
                CC: arturo at netfilter.org

In Debian, a user reported that ufw (a frontend to iptables) was not working:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949518

After investigating, this is a new issue with iptables-nft-restore in 1.8.4 (with
https://git.netfilter.org/iptables/commit/?id=a103fbfadf4c17b8b12caa57eef72deaaa71a18c
to fix https://bugzilla.netfilter.org/show_bug.cgi?id=1394 applied) when
parsing policy files on stdin which contain empty lines.

Create some simple policy:

$ cat /tmp/pol
*filter
# comment
-A INPUT -j ACCEPT

COMMIT
$

With 1.8.2-4 on Debian buster, processing the file directly and on stdin are
both fine with iptables-legacy-restore and iptables-nft-restore:

$ sudo iptables-legacy-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft-restore /tmp/pol && echo yes
yes

$ cat /tmp/pol | sudo iptables-legacy-restore -n && echo yes
yes
$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
yes


With 1.8.4-2 (it has the fix for bug#1394) on sid, when processing the file
directly, it is fine:

$ sudo iptables-legacy-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft-restore /tmp/pol && echo yes
yes


But processing on stdin fails with iptables-nft-restore:

$ cat /tmp/pol | sudo iptables-legacy-restore -n && echo yes
yes
$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
iptables-nft-restore: COMMIT expected at line 4

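As an added illustration (not code from the report, from ufw or from the iptables project), a small Python parser for the iptables-save/restore format that skips blank and comment lines wherever they appear, as the legacy restore tool does in the transcript above, and reports a missing COMMIT only at the next `*table` line or at end of input. It embeds the report's sample policy as constructed input and generalises beyond it to chain-policy lines and multiple tables; the line numbers in its messages are its own convention, not necessarily those iptables-restore would print.

```python
import re

# Constructed sample: the report's policy, with the blank line (line 4) that made 1.8.4 fail on stdin.
SAMPLE_POLICY = "*filter\n# comment\n-A INPUT -j ACCEPT\n\nCOMMIT\n"

TABLE_RE = re.compile(r"^\*([a-z]+)$")
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)(?:\s+\[\d+:\d+\])?$")  # :CHAIN POLICY [pkts:bytes]


def parse_restore(text):
    """Parse iptables-save/restore text into {table: {"chains": {...}, "rules": [...]}}.
    Blank and '#' lines are skipped wherever they occur; "COMMIT expected at line N"
    is raised only if a table block is still open at the next '*table' or at end of input."""
    tables, current, lineno = {}, None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # whitespace-only and comment lines never terminate a block
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"COMMIT expected at line {lineno}")
            m = TABLE_RE.match(line)
            if m is None:
                raise ValueError(f"invalid table name at line {lineno}")
            current = m.group(1)
            tables.setdefault(current, {"chains": {}, "rules": []})
        elif current is None:
            raise ValueError(f"'*table' expected at line {lineno}")
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m is None:
                raise ValueError(f"invalid chain line at line {lineno}")
            tables[current]["chains"][m.group(1)] = m.group(2)  # policy, or '-' for user chains
        elif line.startswith("-"):
            tables[current]["rules"].append(line)  # -A/-I/-D ... kept verbatim
        else:
            raise ValueError(f"unrecognised directive at line {lineno}")
    if current is not None:
        raise ValueError(f"COMMIT expected at line {lineno + 1}")
    return tables


def check_restore(text):
    """Return None when text is a well-formed restore file, else the parser's message."""
    try:
        parse_restore(text)
    except ValueError as exc:
        return str(exc)
    return None
```

Running `check_restore` over a policy before handing it to iptables-restore separates a genuinely malformed file from a parser regression like the one reported here.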