Followup experiments isolating the custom sub-chain are showing even worse behaviour from the new iptables (-nft flavour).
These commands:

  iptables -N test-foo
  iptables -I test-foo 1 -s 127.0.0.1 -j REJECT

produce this output:

  iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument): rule in chain test-foo

And this absurd syslog message:

  x_tables: ip_tables: REJECT target: used from hooks FORWARD, but only usable from INPUT/FORWARD/OUTPUT

For anyone else encountering issues from the new packages, these commands:

  update-alternatives --config iptables
  update-alternatives --config ip6tables

to manually override the automatic package default with the '-legacy' flavour are required to restore proper behaviour.

AYJ