[Bug 961] New: Can not remove rules with the default --mask parameter (-m recent)

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jun 19 13:13:06 CEST 2014


https://bugzilla.netfilter.org/show_bug.cgi?id=961

           Summary: Can not remove rules with the default --mask parameter
                    (-m recent)
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: lex.public at gmail.com
   Estimated Hours: 0.0


Hi,

libxt_recent has a --mask parameter which defaults to 255.255.255.255.
When --mask is not specified, iptables-save shows the default anyway, but
iptables -D fails to remove the rule when --mask is given.

Here's an example:

# iptables -F INPUT
# iptables -A INPUT -m recent --update --rsource --mask 255.255.255.255 -j ACCEPT
# iptables-save | grep "A INPUT"
-A INPUT -m recent --update --name DEFAULT --mask 255.255.255.255 --rsource -j ACCEPT
# iptables -D INPUT -m recent --update --name DEFAULT --mask 255.255.255.255 --rsource -j ACCEPT
# iptables-save | grep "A INPUT"

Everything works as expected when the mask is specified in the iptables -A
command. Now we don't specify --mask:

# iptables -A INPUT -m recent --update --rsource -j ACCEPT
# iptables-save | grep INPUT
-A INPUT -m recent --update --name DEFAULT --mask 255.255.255.255 --rsource -j ACCEPT
# iptables -D INPUT -m recent --update --name DEFAULT --mask 255.255.255.255 --rsource -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables -D INPUT -m recent --update --name DEFAULT --rsource -j ACCEPT
# iptables-save | grep "A INPUT"

I believe this is unexpected behavior. What's the best way to fix it?
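The session above shows a rule that `iptables -D` cannot match by its saved spec. The following added script (not part of the bug report or of the iptables project) sidesteps the match-data comparison by locating the rule in `iptables -S` output and deleting it by position instead. It assumes the rule can be identified by its saved text, and that `--name DEFAULT` and `--mask 255.255.255.255` are the libxt_recent defaults that iptables-save prints whether or not they were typed, as the report shows.

```python
import shlex
import subprocess
from typing import List, Optional

# Defaults that iptables-save prints for -m recent even when they were not
# typed on the -A command line (values taken from the session in the report).
IMPLICIT_DEFAULTS = {"--mask": "255.255.255.255", "--name": "DEFAULT"}


def normalise(spec: str) -> List[str]:
    """Tokenise a rule spec, drop a leading '-A <chain>' and drop any
    option whose value is the implicit libxt_recent default, so that the
    saved form and the hand-typed form of the same rule compare equal.
    Caveat: assumes whitespace-separated options (shlex handles quoted
    values such as --comment strings, but not nested quoting)."""
    toks = shlex.split(spec)
    if toks[:1] == ["-A"]:
        toks = toks[2:]
    out: List[str] = []
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt in IMPLICIT_DEFAULTS and i + 1 < len(toks) \
                and toks[i + 1] == IMPLICIT_DEFAULTS[opt]:
            i += 2          # skip the option and its default value
            continue
        out.append(opt)
        i += 1
    return out


def find_rule_index(listing: List[str], chain: str, wanted: str) -> Optional[int]:
    """Return the 1-based position of `wanted` within `chain`, counting only
    the '-A <chain>' lines of `iptables -S <chain>` output (the '-P' policy
    line is skipped). Returns None when no rule matches."""
    want = normalise(wanted)
    position = 0
    for line in listing:
        toks = line.split(None, 2)
        if len(toks) < 2 or toks[0] != "-A" or toks[1] != chain:
            continue
        position += 1
        if normalise(line) == want:
            return position
    return None


def delete_by_number(chain: str, wanted: str) -> bool:
    """Delete the rule by its position rather than by match data (needs root)."""
    listing = subprocess.run(["iptables", "-S", chain], check=True,
                             capture_output=True, text=True).stdout.splitlines()
    idx = find_rule_index(listing, chain, wanted)
    if idx is None:
        return False
    subprocess.run(["iptables", "-D", chain, str(idx)], check=True)
    return True
```

Deleting by rule number is only safe when the listing and the delete happen without other rule changes in between, so run it under whatever lock your firewall tooling uses.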
