From: Eric White
Subject: "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16)
Date: Wed, 24 May 2006 18:39:48 -0500
Message-ID: <4474EEC4.4070909@ionpipe.com>
To: netfilter@lists.netfilter.org

I've got ~930 rules that I'd like to load via iptables-restore. The file includes rules for the nat, filter and mangle tables. I've got iptables v1.3.4 running on a Gentoo 2.6.16 kernel, with some of my own in-progress extensions (hence the '-m devset' specifiers).

At the first COMMIT, I get an error:

Bad argument 'COMMIT'
Error occurred at line: 209

I've cut the main file into 3 different files (filter, nat, mangle) and get the same results at each file's 'COMMIT'. I'm including the filter list below (since it's relatively small), hoping someone can give it a quick glance and note my mistakes.

Thanks

=======================

#Filter table
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-N :A:Svc:ABD
-N :X:Abd:Clients:General:Ulog
-N :X:Abd:Clients:Darkspace:Ulog
-N :X:Abd:Clients:PrivAddr:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:General:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:Darkspace:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:PrivAddr:Ulog
-N :A:Global
-A :A:Global -p tcp ! --syn -m state --state NEW -j DROP
-A :A:Global -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP
-A :A:Global -p tcp --tcp-flags ALL NONE -j DROP
-A :A:Global -s 224.0.0.0/4 -j DROP
-A :A:Global -s 127.0.0.0/8 -j DROP
-N :A:Node:Server
-N :A:Nodes
-N :M:X:ToServer
-N :M:Nodes
-N :M:X:FromServer
-N :D:Global
-N :D:Node:Server
-N :D:Nodes
-A INPUT -j :A:Global
-A OUTPUT -j :A:Global
-A FORWARD -j :A:Global
-A INPUT -j :A:Nodes
-A OUTPUT -j :A:Node:Server
-A FORWARD -j :A:Nodes
-A INPUT -j :M:X:ToServer
-A FORWARD -j :M:Nodes
-A OUTPUT -j :M:X:FromServer
-A INPUT -j :D:Global
-A OUTPUT -j :D:Global
-A FORWARD -j :D:Global
-A INPUT -j :D:Node:Server
-A OUTPUT -j :D:Nodes
-A FORWARD -j :D:Nodes
-N :A:Q:Clients
-N :A:Node:Clients
-A :A:Q:Clients -m devset --set-name 2 --device in -j :A:Node:Clients
-A :A:Nodes -j :A:Q:Clients
-N :D:Q:Clients
-N :D:Node:Clients
-A :D:Q:Clients -m devset --set-name 2 --device out -j :D:Node:Clients
-A :D:Nodes -j :D:Q:Clients
-N :M:Q:Clients
-N :M:X:Clients
-A :M:Q:Clients -m devset --set-name 2 --device in -j :M:X:Clients
-A :M:Nodes -j :M:Q:Clients
-N :M:Q:Clients:Server
-N :M:X:Clients:Server
-A :M:Q:Clients:Server -m devset --set-name 2 --device in -j :M:X:Clients:Server
-A :M:X:ToServer -j :M:Q:Clients:Server
-N :M:Q:Clients:Clients
-N :M:X:Clients:Clients
-A :M:Q:Clients:Clients -m devset --set-name 2 --device out -j :M:X:Clients:Clients
-A :M:X:Clients -j :M:Q:Clients:Clients
-N :M:Q:Server:Clients
-N :M:X:Server:Clients
-A :M:Q:Server:Clients -m devset --set-name 2 --device out -j :M:X:Server:Clients
-A :M:X:FromServer -j :M:Q:Server:Clients
-A :A:Node:Clients -j :A:Svc:ABD
-N :A:Q:WAN
-N :A:Node:WAN
-A :A:Q:WAN -m devset --set-name 3 --device in -j :A:Node:WAN
-A :A:Nodes -j :A:Q:WAN
-N :D:Q:WAN
-N :D:Node:WAN
-A :D:Q:WAN -m devset --set-name 3 --device out -j :D:Node:WAN
-A :D:Nodes -j :D:Q:WAN
-N :M:Q:WAN
-N :M:X:WAN
-A :M:Q:WAN -m devset --set-name 3 --device in -j :M:X:WAN
-A :M:Nodes -j :M:Q:WAN
-N :M:Q:WAN:Server
-N :M:X:WAN:Server
-A :M:Q:WAN:Server -m devset --set-name 3 --device in -j :M:X:WAN:Server
-A :M:X:ToServer -j :M:Q:WAN:Server
-N :M:Q:WAN:Clients
-N :M:X:WAN:Clients
-A :M:Q:WAN:Clients -m devset --set-name 2 --device out -j :M:X:WAN:Clients
-A :M:X:WAN -j :M:Q:WAN:Clients
-N :M:Q:WAN:WAN
-N :M:X:WAN:WAN
-A :M:Q:WAN:WAN -m devset --set-name 3 --device out -j :M:X:WAN:WAN
-A :M:X:WAN -j :M:Q:WAN:WAN
-N :M:Q:Server:WAN
-N :M:X:Server:WAN
-A :M:Q:Server:WAN -m devset --set-name 3 --device out -j :M:X:Server:WAN
-A :M:X:FromServer -j :M:Q:Server:WAN
-N :M:Q:Clients:WAN
-N :M:X:Clients:WAN
-A :M:Q:Clients:WAN -m devset --set-name 3 --device out -j :M:X:Clients:WAN
-A :M:X:Clients -j :M:Q:Clients:WAN
-N :A:Q:VPN
-N :A:Node:VPN
-A :A:Q:VPN -m devset --set-name 4 --device in -j :A:Node:VPN
-A :A:Nodes -j :A:Q:VPN
-N :D:Q:VPN
-N :D:Node:VPN
-A :D:Q:VPN -m devset --set-name 4 --device out -j :D:Node:VPN
-A :D:Nodes -j :D:Q:VPN
-N :M:Q:VPN
-N :M:X:VPN
-A :M:Q:VPN -m devset --set-name 4 --device in -j :M:X:VPN
-A :M:Nodes -j :M:Q:VPN
-N :M:Q:VPN:Server
-N :M:X:VPN:Server
-A :M:Q:VPN:Server -m devset --set-name 4 --device in -j :M:X:VPN:Server
-A :M:X:ToServer -j :M:Q:VPN:Server
-N :M:Q:VPN:Clients
-N :M:X:VPN:Clients
-A :M:Q:VPN:Clients -m devset --set-name 2 --device out -j :M:X:VPN:Clients
-A :M:X:VPN -j :M:Q:VPN:Clients
-N :M:Q:VPN:WAN
-N :M:X:VPN:WAN
-A :M:Q:VPN:WAN -m devset --set-name 3 --device out -j :M:X:VPN:WAN
-A :M:X:VPN -j :M:Q:VPN:WAN
-N :M:Q:VPN:VPN
-N :M:X:VPN:VPN
-A :M:Q:VPN:VPN -m devset --set-name 4 --device out -j :M:X:VPN:VPN
-A :M:X:VPN -j :M:Q:VPN:VPN
-N :M:Q:Server:VPN
-N :M:X:Server:VPN
-A :M:Q:Server:VPN -m devset --set-name 4 --device out -j :M:X:Server:VPN
-A :M:X:FromServer -j :M:Q:Server:VPN
-N :M:Q:Clients:VPN
-N :M:X:Clients:VPN
-A :M:Q:Clients:VPN -m devset --set-name 4 --device out -j :M:X:Clients:VPN
-A :M:X:Clients -j :M:Q:Clients:VPN
-N :M:Q:WAN:VPN
-N :M:X:WAN:VPN
-A :M:Q:WAN:VPN -m devset --set-name 4 --device out -j :M:X:WAN:VPN
-A :M:X:WAN -j :M:Q:WAN:VPN
-A :M:X:Server:Clients -j ACCEPT
-A :M:X:Server:VPN -j ACCEPT
-A :M:X:Server:WAN -j ACCEPT
-A :M:X:Clients:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 29922 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29922 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29924 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29914 -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 53 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 53 -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 29923 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29923 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29900 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29901 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29908 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29909 -j ACCEPT
-N :X:DHCP:Accept
-A :M:X:Clients:Server -p udp --sport bootpc -j :X:DHCP:Accept
-N :X:Clients:ToServer:Accept
-A :M:X:Clients:Server -j :X:Clients:ToServer:Accept
-N :X:Abd:Clients:ToServer:Ulog
-N :X:Abd:Clients:ToServer:Uni:Pass
-A :X:Abd:Clients:ToServer:Uni:Pass -d 255.255.255.255 -j RETURN
-A :X:Abd:Clients:ToServer:Uni:Pass -j :X:Abd:Clients:ToServer:Ulog
-A :M:X:Clients:Server -j :X:Abd:Clients:ToServer:Uni:Pass
-N :X:Clients:Clients:Pass
-A :M:X:Clients:Clients -j :X:Clients:Clients:Pass
-N :X:VPNSubnet:FromClients:Pass
-A :X:VPNSubnet:FromClients:Pass -j DROP
-A :M:X:Clients:VPN -j :X:VPNSubnet:FromClients:Pass
-N :X:ClientMark:VPN:Accept
-A :M:X:Clients:VPN -j :X:ClientMark:VPN:Accept
-A :M:X:Clients:VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:WalledGarden:Accept
-A :M:X:Clients:WAN -j :X:WalledGarden:Accept
-N :X:Quarantine:Drop
-A :M:X:Clients:WAN -j :X:Quarantine:Drop
-N :X:ClientMark:WAN:Accept
-A :X:ClientMark:WAN:Accept -m markset --set-name 0 -j ACCEPT
-A :M:X:Clients:WAN -j :X:ClientMark:WAN:Accept
-A :M:X:VPN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29910 -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29918 -j ACCEPT
-A :M:X:VPN:Server -p udp --dport 161 -j ACCEPT
-A :M:X:VPN:Server -p udp --dport 162 -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29903 -j ACCEPT
-A :M:X:VPN:Server -p icmp -j ACCEPT
-N :X:VPN:ToServer:Accept
-A :M:X:VPN:Server -j :X:VPN:ToServer:Accept
-A :M:X:VPN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:VPNSubnet:ToClients:Pass
-A :X:VPNSubnet:ToClients:Pass -j DROP
-A :M:X:VPN:Clients -j :X:VPNSubnet:ToClients:Pass
-A :M:X:VPN:Clients -j ACCEPT
-A :M:X:VPN:WAN -j DROP
-A :M:X:WAN:Server -p udp --sport 500 --dport 500 -j ACCEPT
-A :M:X:WAN:Server -p tcp --dport 29903 -j ACCEPT
-N :X:WAN:ToServer:Accept
-A :M:X:WAN:Server -j :X:WAN:ToServer:Accept
-A :M:X:WAN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:Abd:WAN:Clients:Ulog
-A :M:X:WAN:Clients -j :X:Abd:WAN:Clients:Ulog
-A :M:X:WAN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:Network:Accept
-A :M:X:WAN:Clients -j :X:Network:Accept
-N :X:PortXlation:Accept
-A :M:X:WAN:Clients -j :X:PortXlation:Accept
-N :X:PortForwarding:Accept
-A :M:X:WAN:Clients -j :X:PortForwarding:Accept
-A :M:X:WAN:VPN -j DROP
COMMIT
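The following is an added example, not code from the post above or from the netfilter project. It is an offline structural lint for iptables-restore input that models how the restore tool of that era classifies each line: a '#' comment, a '*table' header, a ':chain POLICY [pkts:bytes]' declaration, the exact whole line 'COMMIT', and otherwise a rule handed to the iptables option parser. That exact-match behaviour for COMMIT is an assumption about the 1.3-era parser; under it, a COMMIT line carrying a carriage return (CRLF file) or trailing blanks is not recognised as a commit and is passed to the option parser instead, which produces a "Bad argument" complaint about the token 'COMMIT' with the line number of the COMMIT line, the shape of the error in the post. The linter flags that class of problem, tracks chains declared via ':' lines and '-N' rules, and reports rules that append to or jump to undeclared chains; it does not validate match or target options (that needs the real binary and the custom 'devset'/'markset' extensions), and the sample ruleset it runs on is constructed here, not the poster's file. Treat its findings as things to check, not as a diagnosis.

```python
"""Offline structural lint for iptables-restore input (added example)."""
import re
from typing import List, Set, Tuple

Finding = Tuple[int, str]   # (1-based line number, message)

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
VERDICTS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}
CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")


def _check_rule(lineno: int, argv: List[str], chains: Set[str], findings: List[Finding]) -> None:
    """Record -N declarations; verify -A/-I/-D and -j refer to chains already declared."""
    if not argv[0].startswith("-"):
        findings.append((lineno, f"rule line does not start with an option: {argv[0]!r}"))
        return
    for i, tok in enumerate(argv[:-1]):
        nxt = argv[i + 1]
        if tok == "-N":
            chains.add(nxt)
        elif tok in ("-A", "-I", "-D") and nxt not in chains:
            findings.append((lineno, f"rule appended to undeclared chain {nxt!r}"))
        elif tok == "-j" and nxt not in chains and nxt not in VERDICTS and not nxt.isupper():
            # Assumption: all-uppercase jump targets are target extensions (LOG, ULOG, ...).
            findings.append((lineno, f"jump to undeclared chain {nxt!r}"))


def lint_restore_input(text: str) -> List[Finding]:
    """Return (line number, problem) pairs for an iptables-restore input file."""
    findings: List[Finding] = []
    in_table = False
    chains: Set[str] = set()
    # Split on '\n' only, so a '\r' left by CRLF line endings stays visible in the line.
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line == "":
            continue                                    # blank line / trailing remainder
        if line.endswith("\r"):
            findings.append((lineno, "CRLF line ending: the '\\r' becomes part of the last token"))
        body = line.rstrip("\r")
        if body.startswith("#"):
            continue
        if body.strip() == "COMMIT":
            if line != "COMMIT":
                findings.append((lineno, "COMMIT carries extra characters; only the exact line "
                                         "'COMMIT' is a commit, anything else is parsed as a rule "
                                         "and rejected as 'Bad argument'"))
            if not in_table:
                findings.append((lineno, "COMMIT without a preceding *table header"))
            in_table, chains = False, set()
            continue
        if body.startswith("*"):
            if in_table:
                findings.append((lineno, "new *table header before the previous table was committed"))
            in_table, chains = True, set(BUILTIN_CHAINS)
            continue
        if not in_table:
            findings.append((lineno, "rule or chain line outside any table"))
            continue
        if body.startswith(":"):
            m = CHAIN_DECL.match(body)
            if m:
                chains.add(m.group(1))
            else:
                findings.append((lineno, "malformed chain declaration (expected ':name POLICY [pkts:bytes]')"))
            continue
        if body != body.rstrip():
            findings.append((lineno, "trailing whitespace on rule line"))
        _check_rule(lineno, body.split(), chains, findings)
    if in_table:
        findings.append((lineno, "end of input reached inside a table (no COMMIT)"))
    return findings


# Constructed sample in the style of the post: a tiny filter table whose COMMIT
# line ends in CR+LF, as a file edited on a CRLF system would.
SAMPLE_CRLF_COMMIT = (
    "*filter\n"
    ":INPUT DROP [0:0]\n"
    ":FORWARD DROP [0:0]\n"
    ":OUTPUT DROP [0:0]\n"
    "-N :A:Global\n"
    "-A :A:Global -p tcp ! --syn -m state --state NEW -j DROP\n"
    "-A INPUT -j :A:Global\n"
    "COMMIT\r\n"
)
SAMPLE_CLEAN = SAMPLE_CRLF_COMMIT.replace("\r", "")


def report(text: str) -> List[str]:
    """Format findings the way iptables-restore reports them (by line number)."""
    return [f"line {n}: {msg}" for n, msg in lint_restore_input(text)]


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("crlf-commit", SAMPLE_CRLF_COMMIT)):
        print(f"== {name}")
        print("\n".join(report(sample)) or "no findings")
```

Run it against a file with `python lint_restore.py` after loading the file's text into `lint_restore_input`; a quick `od -c ruleset | grep '\\r'` or `file ruleset` confirms a CRLF finding independently. Because the lint tracks chain declarations in order, it also catches a rule that jumps to a chain whose -N line comes later in the file, which the restore tool rejects at that rule rather than at COMMIT.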