Control: tag -1 unreproducible

On Fri, 16 Nov 2018 23:20:02 +1300 Amos Jeffries <squ...@treenet.co.nz> wrote:
> Followup experiments isolating the custom sub-chain are showing even
> worse behaviour from the new iptables (-nft flavour).
>
> These commands
>
> iptables -N test-foo
> iptables -I test-foo 1 -s 127.0.0.1 -j REJECT
>
> produce this output:
>
> iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument):
> rule in chain test-foo
>
>
> And this absurd syslog message:
>
> x_tables: ip_tables: REJECT target: used from hooks FORWARD, but only
> usable from INPUT/FORWARD/OUTPUT
>
>
Upstream reports that this does work on other systems. Which kernel are
you running? Mine is:

arturo@endurance:~ $ uname -r
4.18.0-2-amd64

This is my local test:

arturo@endurance:~ $ sudo iptables-nft -N test-foo
arturo@endurance:~ $ sudo iptables-nft -I test-foo 1 -s 127.0.0.1 -j REJECT
arturo@endurance:~ $ sudo iptables-nft-save
# Generated by xtables-save v1.8.2 on Fri Nov 16 12:40:51 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test-foo - [0:0]
-A test-foo -s 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Nov 16 12:40:51 2018

Closing bug now, feel free to reopen if required.

Thanks for reporting.
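The maintainer's reply above boils down to a three-command test plus two data points (kernel release and iptables backend). The script below is an added reproduction helper, not part of this bug thread or of the iptables project: it records those data points, runs the same chain/rule steps from the report, shows the saved rule on success or the x_tables kernel messages on failure, and removes the test chain afterwards. It assumes an iptables 1.8.x build whose `-V` output names the backend in parentheses, root plus an nf_tables-capable kernel for the live part, and it uses 4.18 only as the kernel the maintainer's working test ran on (the thread states no minimum version). The `IPT` variable and the two helper functions are mine, not anything the thread or Debian ships.

```shell
#!/bin/sh
# Added reproduction helper for the report above (not part of the bug thread or
# of the iptables project). Assumptions: iptables 1.8.x, whose "iptables -V"
# prints the backend in parentheses; root and a kernel with nf_tables for the
# live part. The chain name and rule are exactly the ones from the report.

IPT=${IPT:-iptables-nft}   # override with IPT=iptables-legacy to compare backends

# Extract the backend name from an `iptables -V` line, e.g.
# "iptables v1.8.2 (nf_tables)" -> nf_tables, "iptables v1.8.2 (legacy)" -> legacy.
# Older builds print no backend at all; report those as "unknown".
iptables_backend() {
    b=$(printf '%s\n' "$1" | sed -n 's/^ip6*tables v[0-9.]* (\([^)]*\)).*$/\1/p')
    if [ -n "$b" ]; then echo "$b"; else echo unknown; fi
}

# True (exit 0) when dotted version $1 is >= $2. Non-numeric suffixes such as
# the "-2-amd64" in a Debian kernel release string are ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Live reproduction: create the chain, insert the REJECT rule, show what the
# save tool emits (or the kernel log on failure), then remove the test chain.
repro() {
    ver=$("$IPT" -V)
    echo "kernel:   $(uname -r)"
    echo "iptables: $ver (backend: $(iptables_backend "$ver"))"
    # 4.18 is the kernel the maintainer's working test ran on, used only as a
    # reference point; the thread does not state a minimum kernel version.
    if version_ge "$(uname -r)" 4.18; then
        echo "kernel is at or above the 4.18 reference from the thread"
    else
        echo "kernel is older than the 4.18 reference from the thread"
    fi
    "$IPT" -N test-foo || return 1
    if "$IPT" -I test-foo 1 -s 127.0.0.1 -j REJECT; then
        echo "RULE_INSERT succeeded; saved form:"
        "$IPT-save" | grep test-foo
    else
        echo "RULE_INSERT failed; recent x_tables kernel messages:"
        dmesg 2>/dev/null | grep x_tables | tail -n 3
    fi
    "$IPT" -F test-foo && "$IPT" -X test-foo
}

if [ "$(id -u)" -eq 0 ] && command -v "$IPT" >/dev/null 2>&1; then
    repro || echo "live reproduction did not complete"
else
    echo "skipping live reproduction (needs root and $IPT); helper functions are still defined"
fi
```

Run it as root on the affected box and paste the whole output into the bug; running it a second time with `IPT=iptables-legacy` tells you whether the failure is specific to the nf_tables backend, which is the distinction the reporter's "-nft flavour" remark turns on.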