Package: iptables
Version: 1.8.4-3
Severity: normal

Dear Maintainer,
Wanting to validate changes in a file previously created by iptables-save, I experienced a segmentation fault with the iptables-restore command. It appears that the error doesn't come from the changes in the file, but from the iptables-nft-restore binary.

Steps to reproduce:

1. Create a file with 3 tables (any of filter, nat, mangle, raw and security):

   # cat > ruleset <<EOF
   *filter
   COMMIT
   *nat
   COMMIT
   *raw
   COMMIT
   EOF

2. Test the file:

   # iptables-nft-restore --test ruleset
   Segmentation fault

Alternatively, this can be tested by piping iptables-save output into iptables-restore:

   # iptables-save | iptables-restore
   (no error reported)
   # iptables-save | iptables-restore --test
   Segmentation fault

Note that the error does NOT occur when at least one of these conditions is met:

- iptables-legacy is the current alternative for iptables
- the input file has 1 or 2 tables
- the '--table' option is used

Even if the command itself is still usable, this unexpected segfault makes the '--test' option totally unreliable, and probably unreliable for both the nft and legacy commands, as they're currently not called as themselves but behind the iptables-restore alternative, for which the --test option may or may not work.
Thank you,
quidame

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iptables depends on:
ii  libc6                    2.30-4
ii  libip4tc2                1.8.4-3
ii  libip6tc2                1.8.4-3
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.8-1
ii  libnfnetlink0            1.0.1-3+b1
ii  libnftnl11               1.1.6-1
ii  libxtables12             1.8.4-3
ii  netbase                  6.1

Versions of packages iptables recommends:
pn  nftables  <none>

Versions of packages iptables suggests:
pn  firewalld  <none>
ii  kmod       27+20200310-2

-- no debconf information
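The report notes that the crash does not occur when '--table' is given. The script below is an added example, not part of the bug report or of the iptables project: it builds on that observation to validate a saved ruleset one table at a time, so '--test' can still be used while the bug is open. It assumes the restore binary (RESTORE, defaulting to iptables-nft-restore) accepts '--test' and '--table' as shown in the report; the helper list_tables only parses the '*table' header lines of an iptables-save file.

```shell
#!/bin/sh
# Added workaround, not from the bug report: test an iptables-save style
# ruleset one table at a time, relying on the report's observation that
# the segfault does not occur when --table is used. RESTORE is assumed
# to accept --test and --table; override it if another binary is wanted.
RESTORE="${RESTORE:-iptables-nft-restore}"

# Print the table names declared in the ruleset (lines starting with '*'),
# one per line, in file order. Comments and rules are ignored.
list_tables() {
    sed -n 's/^\*\([a-z]*\)[[:space:]]*$/\1/p' "$1"
}

# Run --test once per table. Nothing is loaded into the kernel because of
# --test; the return code is non-zero if any table fails to validate.
test_per_table() {
    ruleset="$1"
    rc=0
    for t in $(list_tables "$ruleset"); do
        if "$RESTORE" --test --table "$t" "$ruleset"; then
            echo "table $t: ok"
        else
            echo "table $t: FAILED" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check-ruleset.sh ruleset
if [ $# -gt 0 ]; then
    test_per_table "$1"
fi
```

Because each invocation parses only the named table, a file with three or more tables (the case the report identifies) is never handed to a single '--test' run.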