#1006789 iptables-restore fails unless -v or -n flag is specified

Package: iptables
Source: iptables
Description: administration tools for packet filtering and NAT
Submitter: timw
Date: 2022-03-04 23:45:04 UTC
Severity: normal

#1006789#5
Date: 2022-03-04 23:42:49 UTC
Dear Maintainer,


   * What led up to the situation?
As root, attempting to restore a trivial tables config from a file written by
iptables-save over a completely flushed table.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
Ran the following command:
iptables-restore /etc/iptables/rules.v4

   * What was the outcome of this action?
The following messages were seen on stdout/stderr:
iptables-restore v1.8.7 (nf_tables):
line 10: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 10: CHAIN_UPDATE failed (Device or resource busy): chain INPUT
line 10: CHAIN_ADD failed (Device or resource busy): chain FORWARD
line 10: CHAIN_UPDATE failed (Device or resource busy): chain FORWARD
line 10: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 10: CHAIN_UPDATE failed (Device or resource busy): chain OUTPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
line 10: RULE_APPEND failed (No such file or directory): rule in chain INPUT
Tables were not populated with any of the contents of the file.

   * What outcome did you expect instead?
Tables to be populated with the contents of the file.


Workaround found while troubleshooting: when running the same command but
with the --verbose flag set, the tables are correctly populated with the
contents of the file, and the following output appears on stdout/stderr:
# Generated by iptables-save v1.8.7 on Fri Mar  4 00:51:20 2022
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
# Completed on Fri Mar  4 00:51:20 2022

ip6tables-restore behaves in the same way.

Using --noflush instead of --verbose also works but with tables not flushed
first (this is to be expected).


iptables-restore is linked as follows on this system:

/usr/sbin/iptables-restore
          v
/etc/alternatives/iptables-restore
          v
/usr/sbin/iptables-nft-restore
          v
xtables-nft-multi


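A restore wrapper built around the --verbose workaround, added here as an example (not code from the report or from the iptables project): it runs the restore and then checks that the live ruleset actually matches the saved file, so a failed restore cannot leave the host with empty tables unnoticed. It assumes the rules file was written by iptables-save on the same host and covers every table that is in use.

```shell
#!/bin/sh
# Added example, not part of the bug report. Applies the --verbose
# workaround and then verifies the kernel ruleset against the file.
# Assumes: file produced by iptables-save on this host, covering every
# table in use (otherwise the comparison will report extra tables).

# Drop what legitimately differs between iptables-save runs: comment
# lines (they carry timestamps) and the packet/byte counters on chain
# policy lines, e.g. ":INPUT ACCEPT [12:3456]" becomes ":INPUT ACCEPT".
# Reads the files given as arguments, or stdin when none are given.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$@"
}

# Returns 0 only if iptables-restore succeeded AND the live ruleset now
# matches the file; prints the mismatch as a unified diff otherwise.
restore_and_verify() {
    rules="$1"
    if ! iptables-restore --verbose "$rules"; then
        echo "iptables-restore failed; ruleset NOT applied" >&2
        return 1
    fi
    want=$(mktemp) || return 1
    have=$(mktemp) || { rm -f "$want"; return 1; }
    normalize_rules "$rules" > "$want"
    iptables-save | normalize_rules > "$have"
    if diff -u "$want" "$have"; then
        rc=0
    else
        echo "live ruleset differs from $rules" >&2
        rc=1
    fi
    rm -f "$want" "$have"
    return "$rc"
}

# Usage (as root): sh restore-verify.sh /etc/iptables/rules.v4
if [ -n "${1:-}" ]; then
    restore_and_verify "$1"
fi
```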