On Tue, 21 Jan 2020, Paul Aurich wrote:
> Package: ufw
> Version: 0.36-1
> Severity: grave
> Justification: renders package unusable
>
> ufw fails to start with iptables 1.8.4-2, even after #946289 is fixed.
> Downgrading to iptables 1.8.3-2 fixes this. iptables-restore
> (iptables-nft-restore) can no longer handle blank lines in the restored file.
Thank you for the report. I can confirm this regression in iptables 1.8.4 and have filed https://bugzilla.netfilter.org/show_bug.cgi?id=1400 upstream.

There are two cases (outlined in the upstream bug) that are causing ufw trouble when using iptables-nft-restore with stdin:

Policy of the form:

$ cat /tmp/blank-with-policy
*filter
# comment

-A INPUT -j ACCEPT
COMMIT
$

and of the form:

$ cat /tmp/blank-outside-of-policy
# this next blank line causes the file to not load

*filter
# comment
-A INPUT -j ACCEPT
COMMIT
$

The former results in iptables-nft-restore erroring out and the latter results in iptables-nft-restore exiting with a 0 return code but not adding the policy.

Tested with 1.8.4-2. Downgrading to 1.8.3 resolves the issue[1].

As an alternative to downgrading, until this bug is resolved, users may also use iptables-legacy via:

$ sudo update-alternatives --config iptables
$ sudo update-alternatives --config ip6tables

[1] obtain iptables, libip4tc2, libip6tc2, libiptc0 and libxtables12 from http://snapshot.debian.org/package/iptables/1.8.3-2/

--
Email: ja...@strandboge.com
IRC: jdstrand
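An added shell example, not from either message in this thread nor from ufw or iptables, that checks a rules file before it is handed to iptables-restore: it counts blank lines inside a table block (*table ... COMMIT) and outside one, which are the two cases above with different outcomes (hard error versus a silent exit 0 with no rules loaded), and writes a copy with blank lines removed. The sample files it builds are constructed to mirror the two cases in the reply; the function names are mine.

```shell
#!/bin/sh
# Added example (not code from the bug report): classify blank lines in an
# iptables-restore input file and produce a copy that avoids the regression.

# Print "inside=N outside=M": blank lines between a "*table" line and its
# COMMIT (inside) versus blank lines anywhere else (outside). The "outside"
# case is the dangerous one, because the restore exits 0 without loading rules.
classify_blank_lines() {
    awk '
        /^\*/              { in_table = 1 }
        /^COMMIT$/         { in_table = 0 }
        /^[[:space:]]*$/   { if (in_table) inside++; else outside++ }
        END { printf "inside=%d outside=%d\n", inside + 0, outside + 0 }
    ' "$1"
}

# Write a copy of $1 to $2 with every blank line removed; the rules themselves
# are left untouched, so the file loads on 1.8.4 and still works on 1.8.3.
strip_blank_lines() {
    sed '/^[[:space:]]*$/d' "$1" > "$2"
}

# Demonstration on two constructed files shaped like the cases in the reply.
demo_dir=$(mktemp -d)
printf '*filter\n# comment\n\n-A INPUT -j ACCEPT\nCOMMIT\n' \
    > "$demo_dir/blank-with-policy"
printf '# this next blank line causes the file to not load\n\n*filter\n-A INPUT -j ACCEPT\nCOMMIT\n' \
    > "$demo_dir/blank-outside-of-policy"
for f in blank-with-policy blank-outside-of-policy; do
    printf '%s: %s\n' "$f" "$(classify_blank_lines "$demo_dir/$f")"
done
strip_blank_lines "$demo_dir/blank-outside-of-policy" "$demo_dir/cleaned"
printf 'cleaned: %s\n' "$(classify_blank_lines "$demo_dir/cleaned")"
```

Feed the cleaned copy to iptables-restore instead of the original while the affected iptables version is installed, and treat a non-zero "outside" count as a failed load rather than trusting the exit status alone.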