
Bug#1006789: iptables-restore fails unless -v or -n flag is specified


timw

Mar 4, 2022, 6:50:03 PM
Package: iptables
Version: 1.8.7-1
Severity: normal
Tags: ipv6
X-Debbugs-Cc: t...@tee-jay.org.uk

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?
As root attempting to restore a trivial tables config from a file written by
iptables-save over a completely flushed table

* What exactly did you do (or not do) that was effective (or ineffective)?
Ran the following command:
iptables-restore /etc/iptables/rules.v4

* What was the outcome of this action?
The following messages were seen on stdout/stderr:
iptables-restore v1.8.7 (nf_tables):
line 10: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 10: CHAIN_UPDATE failed (Device or resource busy): chain INPUT
line 10: CHAIN_ADD failed (Device or resource busy): chain FORWARD
line 10: CHAIN_UPDATE failed (Device or resource busy): chain FORWARD
line 10: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 10: CHAIN_UPDATE failed (Device or resource busy): chain OUTPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
Tables were not populated with any of the contents of the file.

* What outcome did you expect instead?
Tables to be populated with the contents of the file.


Workaround found while troubleshooting is that when running the same command
but with the --verbose flag set the tables are correctly populated with the
contents of the file and the following output on stdout/stderr:
# Generated by iptables-save v1.8.7 on Fri Mar 4 00:51:20 2022
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
# Completed on Fri Mar 4 00:51:20 2022

ip6tables-restore behaves in the same way.

Using --noflush instead of --verbose also works but with tables not flushed
first (this is to be expected).


iptables-restore is linked as follows on this system:

/usr/sbin/iptables-restore -> /etc/alternatives/iptables-restore -> /usr/sbin/iptables-nft-restore -> xtables-nft-multi


*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0 (SMP w/1 CPU thread)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages iptables depends on:
ii libc6 2.31-13+deb11u2
ii libip4tc2 1.8.7-1
ii libip6tc2 1.8.7-1
ii libmnl0 1.0.4-3
ii libnetfilter-conntrack3 1.0.8-3
ii libnfnetlink0 1.0.1-3+b1
ii libnftnl11 1.1.9-1
ii libxtables12 1.8.7-1
ii netbase 6.3

Versions of packages iptables recommends:
pn nftables <none>

Versions of packages iptables suggests:
pn firewalld <none>
ii kmod 28-1

-- no debconf information
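The failure above is silent once the command returns: the tables are flushed, nothing is loaded, and only the stderr lines hint at it. A cheap post-restore check is to compare the dump you intended to load with a fresh `iptables-save` dump. The following is an added example (not code from the bug report or from the iptables project); it parses both dumps in iptables-save format, ignores comment lines and counters, and lists every chain, policy and rule that did not make it into the kernel. The sample dumps are constructed.

```python
# Added example: compare an intended iptables-save dump with one taken after
# iptables-restore, so a restore that silently left the tables empty shows up.
def parse_dump(text):
    """Return {table: {"chains": {name: policy}, "rules": [line, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                 # comments and blank lines
        if line.startswith("*"):                     # "*filter" opens a table
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line == "COMMIT" or table is None:      # end of table / stray line
            table = None
        elif line.startswith(":"):                   # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]      # packet counters discarded
            tables[table]["chains"][name] = policy
        else:                                        # "-A INPUT ..." rule line
            # dumps made with -c prefix each rule with "[pkts:bytes]"; strip it
            line = line.split("]", 1)[1].strip() if line.startswith("[") else line
            tables[table]["rules"].append(line)
    return tables

def missing_after_restore(expected_text, actual_text):
    """List every chain, policy or rule in expected_text that actual_text lacks."""
    exp, act = parse_dump(expected_text), parse_dump(actual_text)
    problems = []
    for table, spec in exp.items():
        got = act.get(table, {"chains": {}, "rules": []})
        for chain, policy in spec["chains"].items():
            have = got["chains"].get(chain)
            if have is None:
                problems.append(f"{table}: chain {chain} absent")
            elif have != policy:
                problems.append(f"{table}: chain {chain} policy {have} != {policy}")
        present = set(got["rules"])
        problems += [f"{table}: rule missing: {r}" for r in spec["rules"] if r not in present]
    return problems

EXPECTED = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT"""                    # constructed: what rules.v4 was meant to load
AFTER_FAILED_RESTORE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT"""                    # constructed: iptables-save after the flush-only restore
```

Running `missing_after_restore(EXPECTED, AFTER_FAILED_RESTORE)` reports the two default policies that fell back to ACCEPT and the two rules that were never appended; an empty list means the restore took.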