[Bug 1422] New: iptables-nft fails to check / delete rules in raw table

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Apr 10 19:00:29 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1422

            Bug ID: 1422
           Summary: iptables-nft fails to check / delete rules in raw
                    table
           Product: iptables
           Version: 1.6.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: champetier.etienne at gmail.com

See repro steps: I can create a rule in the raw table but can't check / delete it.

# cat /etc/debian_version 
bullseye/sid

# apt info iptables
Package: iptables
Version: 1.8.4-3
...

# /sbin/iptables --version
iptables v1.8.4 (nf_tables)

# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

# /sbin/iptables -w2 -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
root at etiennedebian:~# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 CT         udp  --  *      *       0.0.0.0/0            169.254.25.10        udp dpt:53 NOTRACK

# /sbin/iptables -w2 -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).

# /sbin/iptables -w2 -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).

# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 CT         udp  --  *      *       0.0.0.0/0            169.254.25.10        udp dpt:53 NOTRACK


I haven't opened a bug on the Debian bug tracker as they use the latest version.
I have a bug open on the CentOS bugzilla: https://bugs.centos.org/view.php?id=17239
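As an added example (not from the report or the iptables project): a small POSIX sh helper that treats the `iptables -S` listing as the source of truth when `-C` answers "Bad rule", so a provisioning script built on the -C / -D sequence above neither re-inserts the rule on every run nor assumes it is gone. The `-S` output format and its `-j CT --notrack` rendering of the NOTRACK target are assumptions drawn from the `CT ... NOTRACK` columns in the `-L -n -v` output.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide whether the raw-table NOTRACK
# rule exists by parsing an `iptables -S` listing, because the report shows
# `iptables -C` / `-D` returning "Bad rule" for a rule that `-L` clearly lists.

# Constructed sample of what `iptables -t raw -S OUTPUT` is assumed to print after
# the reporter's insert. The `-j CT --notrack` rendering is an assumption drawn
# from the `CT ... NOTRACK` columns in the report's `-L -n -v` output.
SAMPLE_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -d 169.254.25.10/32 -p udp -m udp --dport 53 -j CT --notrack'

# notrack_rule_present LISTING DEST PORT
# Exit 0 if LISTING holds a udp rule to DEST:PORT whose target is NOTRACK,
# accepting both the `-j NOTRACK` and the `-j CT --notrack` spellings.
notrack_rule_present() {
    listing=$1
    dest=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    port=$3
    printf '%s\n' "$listing" | grep -Eq -e \
        "^-A OUTPUT -d ${dest}(/32)? -p udp -m udp --dport ${port} -j (NOTRACK|CT --notrack)\$"
}

# raw_notrack_exists DEST PORT  (needs root and iptables; not invoked here)
# Try the normal -C first; when it reports "Bad rule", fall back to the listing
# so a provisioning script does not insert the same rule again on every run.
raw_notrack_exists() {
    if iptables -w2 -t raw -C OUTPUT -p udp -d "$1" --dport "$2" -j NOTRACK 2>/dev/null; then
        return 0
    fi
    notrack_rule_present "$(iptables -w2 -t raw -S OUTPUT 2>/dev/null)" "$1" "$2"
}

# Demo on the constructed listing: present for the reporter's rule, absent otherwise.
notrack_rule_present "$SAMPLE_LISTING" 169.254.25.10 53 && echo "rule present in listing"
notrack_rule_present "$SAMPLE_LISTING" 10.0.0.1 53 || echo "no rule for 10.0.0.1"
```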
