[Bug 1757] New: Alpine 3.19: iptables: Bad rule (does a matching rule exist in that chain?).

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Jul 7 15:17:01 CEST 2024 

https://bugzilla.netfilter.org/show_bug.cgi?id=1757

            Bug ID: 1757
           Summary: Alpine 3.19: iptables: Bad rule (does a matching rule
                    exist in that chain?).
           Product: iptables
           Version: 1.8.x
          Hardware: All
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: quentin.mcgaw at gmail.com

On Alpine Linux 3.19, after adding and removing rules, it doesn't find a rule
that was added previously. To reproduce:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.19

apk add iptables

iptables --policy FORWARD ACCEPT
iptables --append INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables --append INPUT -i lo -j ACCEPT
iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT

iptables --append INPUT -i eth0 -p tcp --dport 12345 -j ACCEPT
iptables --append INPUT -i eth0 -p udp --dport 12345 -j ACCEPT
iptables --delete INPUT -i eth0 -p tcp --dport 12345 -j ACCEPT

And this will produce "iptables: Bad rule (does a matching rule exist in that
chain?)". This issue seems to be resolved with Alpine 3.20 although iptables
version didn't change (1.8.3), so my guess is this is a nftables kernel issue.
We did fallback on using the iptables legacy to not use nftables for the time
being, but we will try again nftables using alpine 3.20 now that it is
released.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240707/f9f2cca6/attachment.html>

More information about the netfilter-buglog mailing list