
iptables -Z option



Hi,

For years I have had a firewall script that sets and/or resets my firewall rules. It starts off near the top with some lines that have been there forever.
After upgrading to buster I got an error executing this script and I cannot find out why. Using the extra echo lines I have been able to pinpoint the error to the iptables -Z line.

[...]
IPTABLES=/usr/sbin/iptables
echo flush
# Flush all rules in all chains and then delete all chains
# (/proc/net/ip_tables_names lists the loaded tables: filter, nat, ...)
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do $IPTABLES -t $i -F; done
for i in $chains; do $IPTABLES -t $i -X; done
echo counters
# Reset all counters for default chains (no -t given, so this acts on the filter table)
$IPTABLES -Z
echo "return traffic"
[...]

This will produce the following output.
flush
counters
iptables v1.8.2 (nf_tables):  RULE_REPLACE failed (Invalid argument): rule in chain INPUT
return traffic

Can anyone tell me why the reset counter line fails with a reference to the INPUT chain? There is loads of documentation about iptables but nothing about the -Z option.
I have my iptables rules in a separate script that I can test, and if I ever shut myself out I can simply restart the machine and the default / previous ruleset will load and all will be up and running again. I'd like to keep that way of setting things up; it makes it easy to test a new set of rules and debug typos.

Bonno Bloksma
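The echo lines in the script above only bracket the failure; they do not record which table or which command failed, nor the exit status. The following POSIX sh script is an added example (not Bonno's script and not part of the thread) of the same flush / delete / zero sequence with a per-step wrapper that captures stderr and the exit code of every iptables call, passes -t to -Z as well so counters are zeroed in every loaded table rather than only filter, and returns how many steps failed. The IPTABLES and TABLES_FILE variables are assumed overridable so the logic can be exercised offline with a stand-in command; the defaults are the real paths from the post.

```shell
#!/bin/sh
# Added example: per-step error reporting for an iptables reset sequence.
# IPTABLES and TABLES_FILE can be overridden from the environment (assumption
# made for offline testing); the defaults match the original script.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
TABLES_FILE="${TABLES_FILE:-/proc/net/ip_tables_names}"

# run_step NAME CMD...: run CMD, keep its stderr, and on failure print the step
# name, exit status and the captured message. Returns CMD's exit status.
run_step() {
    step="$1"; shift
    if err=$("$@" 2>&1 >/dev/null); then
        rc=0
    else
        rc=$?
        printf 'step %s failed (rc=%s): %s\n' "$step" "$rc" "$err" >&2
    fi
    return "$rc"
}

# reset_tables: for every loaded table, flush all chains, delete user-defined
# chains and zero the counters. Every call carries -t, including -Z, so the
# counters of nat/mangle/raw are reset too, not just those of filter.
# Returns the number of failed steps (0 means the whole sequence succeeded).
reset_tables() {
    failed=0
    tables=$(cat "$TABLES_FILE" 2>/dev/null)
    for t in $tables; do
        run_step "flush:$t"  "$IPTABLES" -t "$t" -F || failed=$((failed + 1))
        run_step "delete:$t" "$IPTABLES" -t "$t" -X || failed=$((failed + 1))
        run_step "zero:$t"   "$IPTABLES" -t "$t" -Z || failed=$((failed + 1))
    done
    return "$failed"
}

# Run the sequence when executed directly (not when sourced for testing).
if [ "${0##*/}" = "reset_tables.sh" ]; then
    reset_tables || { echo "$? step(s) failed, rules not reloaded" >&2; exit 1; }
fi
```

Because each failing step reports its table name and the exact message iptables printed, an error such as the RULE_REPLACE one above is attributed to a specific "zero:filter" step instead of having to be located with echo lines, and the non-zero return value lets the calling script decide whether to go on loading rules.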

