<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - The Check option of iptables does not work as expected"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1408">1408</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>The Check option of iptables does not work as expected
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>arm
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Ubuntu
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>minor
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>iptables over nftable
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>ed@kapitein.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>when checking if a dnat rule exist ( with the --check option )  the
--to-destination is not checked correctly.

i have a rule:
 pkts bytes target     prot opt in     out     source               destination 
    1    44 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
         tcp dpt:80 to:192.168.59.43:80

if i check if the rule exists, the exit code is 0, as expected:
sudo iptables -t nat -C PREROUTING --proto tcp --dport 80 -j DNAT
--to-destination 192.168.59.43:80; echo $?
0

however, if i change the -to-destination to a bogus value,
the check still returns 0, and that is unexpected:
sudo iptables -t nat -C PREROUTING --proto tcp --dport 80 -j DNAT
--to-destination 1.2.3.4:5; echo $?
0

if i change the protocol from tcp to udp the check fails, as expected:
sudo iptables -t nat -C PREROUTING --proto udp --dport 80 -j DNAT
--to-destination 192.168.59.43:80; echo $?
iptables: Bad rule (does a matching rule exist in that chain?).
1

Is there a way to check the -to-destination also?


Some info on the environment:
Version: iptables v1.8.2 (nf_tables)
OS: raspbian buster
Kernel: Linux blahblah 4.19.93-v7+ #1290 SMP Fri Jan 10 16:39:50 GMT 2020
armv7l GNU/Linux
Platform: raspberry pi 3B+</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are watching all bug changes.</li>
      </ul>
    </body>
</html>