[Bug 1400] "COMMIT expected at line ..." when iptables-restore 1.8.4 (nft) parses stdin with empty lines
bugzilla-daemon at netfilter.org
Wed Jan 22 16:25:05 CET 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1400
--- Comment #1 from jamie at strandboge.com ---
In looking to find a workaround for ufw to work around this bug, I found that in addition to blank lines in the middle of the policy causing iptables-nft-restore to cause an error (the original report), a blank line outside of the policy causes iptables-nft-restore to silently ignore the policy but return a successful error code. E.g.:
$ cat /tmp/pol
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$
Calling iptables-nft-restore on the policy file itself works fine:
$ sudo iptables-nft-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
$ sudo iptables-nft -D INPUT -j ACCEPT # remove the test rule
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
But reading the file on stdin results in a successful return code but no rule added:
$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
This is a regression over 1.8.2 where it works correctly:
$ cat /tmp/pol
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$
$ sudo iptables-nft-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
$ sudo iptables-nft -D INPUT -j ACCEPT # remove the test rule
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
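The failure mode in the comment above (restore returns 0 but loads nothing) is the dangerous one for anything that trusts the exit code, such as a boot-time firewall loader. The following is an added example, not code from the reporter, ufw or the iptables project: a small POSIX sh wrapper that strips blank lines from an iptables-save formatted policy before feeding it to the restore tool on stdin, and then confirms with the save tool that every expected `-A` rule is actually present instead of trusting the return code. It assumes the save tool prints rules in the same canonical `-A CHAIN ...` form that the policy file uses; the command names are parameters (defaulting to `iptables-restore` / `iptables-save`) so the check can be pointed at the nft variants or at test doubles.

```shell
#!/bin/sh
# Added example (not part of the bug report): defensive handling of
# iptables-restore input and a post-restore verification step.

# normalize_policy: stdin -> stdout.  Drops empty and whitespace-only
# lines and trailing whitespace; comments, "*table" headers, ":CHAIN"
# policy lines, -A rules and COMMIT pass through unchanged.  This removes
# the blank lines that trigger "COMMIT expected" or, before the first
# "*table", a silently ignored policy.
normalize_policy() {
    sed -e 's/[[:space:]]*$//' | grep -v '^[[:space:]]*$'
}

# missing_rules POLICY_FILE DUMP_FILE
# Prints every "-A ..." line of POLICY_FILE that is not present verbatim in
# DUMP_FILE (a dump from the save tool).  Empty output means all expected
# rules are loaded.  Assumption: rules in POLICY_FILE are already written in
# the canonical form the save tool emits (e.g. taken from an earlier dump).
missing_rules() {
    grep '^-A ' "$1" | while IFS= read -r rule; do
        grep -Fxq -- "$rule" "$2" || printf '%s\n' "$rule"
    done
}

# restore_and_verify POLICY_FILE [RESTORE_CMD] [SAVE_CMD]
# Normalizes the policy, pipes it to RESTORE_CMD on stdin, then dumps the
# live ruleset with SAVE_CMD and checks that every expected rule landed.
# Exit status: 0 all rules loaded, 1 restore itself failed,
# 2 restore reported success but at least one expected rule is absent.
restore_and_verify() {
    pol=$1
    restore=${2:-iptables-restore}
    save=${3:-iptables-save}
    clean=$(mktemp)
    dump=$(mktemp)
    normalize_policy < "$pol" > "$clean"
    if ! "$restore" < "$clean"; then
        rm -f "$clean" "$dump"
        return 1
    fi
    "$save" > "$dump"
    miss=$(missing_rules "$clean" "$dump")
    rm -f "$clean" "$dump"
    if [ -n "$miss" ]; then
        printf 'restore exited 0 but these rules are not loaded:\n%s\n' "$miss" >&2
        return 2
    fi
    return 0
}
```

Run it as `restore_and_verify /etc/firewall/policy iptables-nft-restore iptables-nft-save` from the loader script and treat any non-zero status as "firewall not in the expected state"; the exact-match comparison is deliberately strict, so generate the policy file from a previous `iptables-save` dump rather than by hand to avoid false positives from option reordering.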