[Bug 1400] "COMMIT expected at line ..." when iptables-restore 1.8.4 (nft) parses stdin with empty lines

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Jan 22 16:25:05 CET 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1400

--- Comment #1 from jamie at strandboge.com ---
In looking to find a workaround for ufw to work around this bug, I found that in
addition to blank lines in the middle of the policy causing
iptables-nft-restore to cause an error (the original report), a blank line
outside of the policy causes iptables-nft-restore to silently ignore the policy
but return a successful error code. E.g.:

$ cat /tmp/pol
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$

Calling iptables-nft-restore on the policy file itself works fine:

$ sudo iptables-nft-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           


$ sudo iptables-nft -D INPUT -j ACCEPT  # remove the test rule
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination


But reading the file on stdin results in a successful return code but no rule
added:

$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination


This is a regression over 1.8.2 where it works correctly:

$ cat /tmp/pol
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$

$ sudo iptables-nft-restore /tmp/pol && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

$ sudo iptables-nft -D INPUT -j ACCEPT  # remove the test rule
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

$ cat /tmp/pol | sudo iptables-nft-restore -n && echo yes
yes
$ sudo iptables-nft -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

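A workaround filter that a restore wrapper could apply before piping a policy to iptables-restore on stdin, added here as an example and not part of the bug report or of netfilter's code: it strips blank and comment-only lines so that nothing precedes the first *table line, and it refuses to pipe a policy whose *table blocks are not each closed by COMMIT, so a malformed or empty policy fails loudly instead of being silently ignored. The function names and the use of `cat` as a stand-in restore command are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the netfilter project): normalise an
# iptables-save style policy before piping it to iptables-restore on stdin,
# and verify its block structure first. Function names are hypothetical.

# Drop blank lines and comment-only lines; everything else passes through.
sanitize_policy() {
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#'
}

# Verify that stdin consists only of *table ... COMMIT blocks, with no stray
# lines outside a block and no block left open. Returns 1 on the first fault.
check_policy() {
    table=''
    while IFS= read -r line; do
        case "$line" in
            '*'*)
                if [ -n "$table" ]; then
                    echo "check_policy: '$line' opens a table before COMMIT of $table" >&2
                    return 1
                fi
                table=${line#\*} ;;
            COMMIT)
                if [ -z "$table" ]; then
                    echo "check_policy: COMMIT outside a table block" >&2
                    return 1
                fi
                table='' ;;
            *)
                if [ -z "$table" ]; then
                    echo "check_policy: line outside a table block: '$line'" >&2
                    return 1
                fi ;;
        esac
    done
    if [ -n "$table" ]; then
        echo "check_policy: table $table has no COMMIT" >&2
        return 1
    fi
    return 0
}

# Sanitize FILE, check it, then hand the result on stdin to the restore
# command given as the remaining arguments (e.g. iptables-restore -n).
# Nothing is restored if the policy is empty or malformed.
load_policy() {
    file=$1; shift
    cleaned=$(sanitize_policy < "$file") || true   # grep exits 1 on empty output
    printf '%s\n' "$cleaned" | check_policy || return 1
    printf '%s\n' "$cleaned" | "$@"
}
```

Calling `load_policy /tmp/pol iptables-nft-restore -n` feeds the cleaned policy to the real restore command only after the structural check passes.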