<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_ASSIGNED "
   title="ASSIGNED - iptables-save fails silently in unprivileged lxc/lxd container"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1064#c7">Comment # 7</a>
              on <a class="bz_bug_link 
          bz_status_ASSIGNED "
   title="ASSIGNED - iptables-save fails silently in unprivileged lxc/lxd container"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1064">bug 1064</a>
              from <span class="vcard"><a class="email" href="mailto:phiphi@phiphi.ch" title="Philipp Gassmann <phiphi@phiphi.ch>"> <span class="fn">Philipp Gassmann</span></a>
</span></b>
        <pre>Tested it in Virtualbox on Ubuntu 16.04 with Kernel 4.5.2 from
<a href="http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5.2-wily">http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5.2-wily</a>

Unfortunately I get the same results.

Had to add configuration because of incomplete apparmor support in the mainline
kernel.

root@lxd1:~# lxc launch ubuntu:xenial iptables-test
ubuntulxd@lxd1:~$ lxc config set iptables-test raw.lxc 'lxc.aa_allow_incomplete
= 1'
ubuntulxd@lxd1:~$ lxc start iptables-test 
ubuntulxd@lxd1:~$ lxc list
+---------------+---------+------+------+------------+-----------+
|     NAME      |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+---------------+---------+------+------+------------+-----------+
| iptables-test | RUNNING |      |      | PERSISTENT | 0         |
+---------------+---------+------+------+------------+-----------+
ubuntulxd@lxd1:~$ lxc exec iptables-test -- bash
root@iptables-test:~# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
root@iptables-test:~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@iptables-test:~# iptables-save
root@iptables-test:~# strace iptables-save
execve("/sbin/iptables-save", ["iptables-save"], [/* 12 vars */]) = 0
brk(NULL)                               = 0x1687000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d9358d000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20483, ...}) = 0
mmap(NULL, 20483, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7d93587000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\26\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27424, ...}) = 0
mmap(NULL, 2122496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d93163000
mprotect(0x7f7d93169000, 2093056, PROT_NONE) = 0
mmap(0x7f7d93368000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93368000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\27\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27456, ...}) = 0
mmap(NULL, 2122528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92f5c000
mprotect(0x7f7d92f62000, 2093056, PROT_NONE) = 0
mmap(0x7f7d93161000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93161000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libxtables.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200/\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=51872, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93586000
mmap(NULL, 2148792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92d4f000
mprotect(0x7f7d92d5a000, 2097152, PROT_NONE) = 0
mmap(0x7f7d92f5a000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f7d92f5a000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92986000
mprotect(0x7f7d92b46000, 2093056, PROT_NONE) = 0
mmap(0x7f7d92d45000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7f7d92d45000
mmap(0x7f7d92d4b000, 14848, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7d92d4b000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f7d92782000
mprotect(0x7f7d92785000, 2093056, PROT_NONE) = 0
mmap(0x7f7d92984000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f7d92984000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93585000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93584000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f7d93583000
arch_prctl(ARCH_SET_FS, 0x7f7d93584700) = 0
mprotect(0x7f7d92d45000, 16384, PROT_READ) = 0
mprotect(0x7f7d92984000, 4096, PROT_READ) = 0
mprotect(0x7f7d92f5a000, 4096, PROT_READ) = 0
mprotect(0x7f7d93161000, 4096, PROT_READ) = 0
mprotect(0x7f7d93368000, 4096, PROT_READ) = 0
mprotect(0x613000, 4096, PROT_READ)     = 0
mprotect(0x7f7d9358f000, 4096, PROT_READ) = 0
munmap(0x7f7d93587000, 20483)           = 0
brk(NULL)                               = 0x1687000
brk(0x16a8000)                          = 0x16a8000
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission
denied)
exit_group(0)                           = ?
+++ exited with 0 +++
root@iptables-test:~# uname -a
Linux iptables-test 4.5.2-040502-generic #201604200335 SMP Wed Apr 20 07:37:26
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are watching all bug changes.</li>
      </ul>
    </body>
</html>