bugzilla-daemon at netfilter.org
2020-Apr-10 17:00 UTC
[Bug 1422] New: iptables-nft fails to check / delete rules in raw table
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

            Bug ID: 1422
           Summary: iptables-nft fails to check / delete rules in raw table
           Product: iptables
           Version: 1.6.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: champetier.etienne at gmail.com

See repro steps, I can create a rule in the raw table but can't check / delete it

# cat /etc/debian_version
bullseye/sid
# apt info iptables
Package: iptables
Version: 1.8.4-3
...
# /sbin/iptables --version
iptables v1.8.4 (nf_tables)
# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
# /sbin/iptables -w2 -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
root at etiennedebian:~# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         udp  --  *      *       0.0.0.0/0            169.254.25.10        udp dpt:53 NOTRACK
# /sbin/iptables -w2 -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# /sbin/iptables -w2 -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         udp  --  *      *       0.0.0.0/0            169.254.25.10        udp dpt:53 NOTRACK

I haven't opened a bug on the Debian bug tracker as they use the latest version.
I have a bug open on the CentOS bugzilla: https://bugs.centos.org/view.php?id=17239

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200410/ce6fa42e/attachment.html>
bugzilla-daemon at netfilter.org
2020-Apr-15 14:15 UTC
[Bug 1422] iptables-nft fails to check / delete rules in raw table
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #1 from Etienne Champetier <champetier.etienne at gmail.com> ---
Here is the nft output

# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
    }
}
# nft add rule raw OUTPUT tcp dport 42 notrack
# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
        tcp dport 42 notrack
    }
}

So the rule inserted by iptables-nft is wrong, it seems
bugzilla-daemon at netfilter.org
2020-Apr-15 14:16 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

Etienne Champetier <champetier.etienne at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|iptables-nft fails to check |iptables-nft raw notrack
                   |/ delete rules in raw table |rules are wrong
bugzilla-daemon at netfilter.org
2020-Apr-15 16:02 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #2 from Etienne Champetier <champetier.etienne at gmail.com> ---
Just compiled the latest version of iptables (74ef6f1c16ff672139031330dc71c274300dfb2e) but same result
bugzilla-daemon at netfilter.org
2020-Apr-15 16:19 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |pablo at netfilter.org

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Etienne Champetier from comment #1)
[...]
> meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK

You mean it is showing # NOTRACK, right?

That's a missing translation, please, test this patch for iptables:

https://lore.kernel.org/netfilter-devel/20200415161821.119253-1-pablo at netfilter.org/T/#u
bugzilla-daemon at netfilter.org
2020-Apr-15 16:24 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #3)
> (In reply to Etienne Champetier from comment #1)
> [...]
> > meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
> 
> You mean it is showing # NOTRACK, right?
> 
> That's a missing translation, please, test this patch for iptables:
> 
> https://lore.kernel.org/netfilter-devel/20200415161821.119253-1-pablo at netfilter.org/T/#u

or take it from here:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415161821.119253-1-pablo at netfilter.org/

Although patchwork is working a bit slow in responding today.
bugzilla-daemon at netfilter.org
2020-Apr-15 16:38 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #5 from Etienne Champetier <champetier.etienne at gmail.com> ---
Still not working for me :(

# nft flush table ip raw
# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
# ./iptables/xtables-nft-multi iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
    }
}
# nft flush table ip raw
# ./iptables/xtables-nft-multi iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack
# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # CT notrack
    }
}
# nft --version
nftables v0.9.4 (Jive at Five)
# ./iptables/xtables-nft-multi iptables-nft --version
iptables v1.8.4 (nf_tables)
# git log --oneline
8d8d2647 (HEAD -> master) extensions: libxt_CT: add translation for NOTRACK
74ef6f1c (origin/master, origin/HEAD) iptables: open eBPF programs in read only mode
bugzilla-daemon at netfilter.org
2020-Apr-15 16:52 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Here it works fine:

# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
root at salvia:/home/pablo# iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
root at salvia:/home/pablo# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
    }
}

Make sure iptables-nft there is not using the old libraries, in my test machine I have them here:

/usr/lib/xtables/

if you have installed the iptables / nftables package from debian, it might be that your /usr/lib/xtables/ refers to the extension libraries in /usr/lib/x86_64-linux-gnu/xtables/.
bugzilla-daemon at netfilter.org
2020-Apr-15 16:53 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #6)
> if you have installed the iptables / nftables package from debian, it might
> be that your /usr/lib/xtables/ refers to the extension libraries in
> /usr/lib/x86_64-linux-gnu/xtables/.

it might be that your xtables-nft-multi refers to /usr/lib/x86_64-linux-gnu/xtables/
bugzilla-daemon at netfilter.org
2020-Apr-15 17:29 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #8 from Etienne Champetier <champetier.etienne at gmail.com> ---
Yup, nft is loading libs from /usr/lib/x86_64-linux-gnu/xtables/, I'll rebuild things until it works!

Can you confirm that you can check/delete, as this was my initial problem:

iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 1
iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 2
iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 3

Same with

iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 4
iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 5
iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 6

Thanks a lot
bugzilla-daemon at netfilter.org
2020-Apr-15 17:57 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #9 from Etienne Champetier <champetier.etienne at gmail.com> ---
Using '-j CT --notrack' works
Using '-j NOTRACK' I still can't check/delete

# /usr/local/sbin/iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo ok
ok
# /usr/local/sbin/nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
    }
}
# /usr/local/sbin/iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# /usr/local/sbin/iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
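The thread shows two distinct symptoms for the same raw-table rule: nft printing the NOTRACK target as a "# NOTRACK" (or "# CT notrack") comment because the target had no nft translation (comment #1 and #5), and a rule that is present yet cannot be matched by -C / -D (the original report and comment #9). A script that manages such rules wants to tell these apart from the ruleset text before it trusts the state. The POSIX shell function below is an added example, not code from the bug report or from the iptables project: it reads the text of `nft -s list ruleset` on stdin and reports, by exit status, whether `table ip raw` chain OUTPUT holds a real `notrack` statement for a given destination and UDP port. The sample rulesets are constructed to mirror the output quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables project): audit the
# text of `nft -s list ruleset` for a raw-table OUTPUT rule that switches off
# connection tracking for UDP traffic to DADDR:DPORT.
#
# Usage: nft -s list ruleset | check_raw_notrack DADDR DPORT
# Exit status: 0  rule present with a real `notrack` statement
#              1  rule present, but nft prints it as a "#" comment, i.e. the
#                 target had no nft translation (the display symptom above)
#              2  no rule for that destination in `table ip raw`, chain OUTPUT
check_raw_notrack() {
    awk -v daddr="$1" -v dport="$2" '
        BEGIN { found = 2 }
        # nft prints one statement per line; track the table and chain we are in
        $1 == "table" { in_raw = ($2 == "ip" && $3 == "raw"); next }
        $1 == "chain" { in_out = (in_raw && $2 == "OUTPUT"); next }
        # the trailing space keeps "dport 53 " from matching "dport 530"
        in_raw && in_out && index($0, "ip daddr " daddr " udp dport " dport " ") > 0 {
            if (index($0, "#") > 0) { found = 1; exit }   # untranslated target
            if ($0 ~ /notrack *$/)  { found = 0; exit }   # real notrack statement
        }
        END { exit found }
    '
}

# Print a human-readable verdict for a ruleset held in a shell variable.
verdict() {
    printf '%s\n' "$1" | check_raw_notrack "$2" "$3" && rc=0 || rc=$?
    case $rc in
        0) echo "ok: raw OUTPUT has a notrack rule for $2 udp/$3" ;;
        1) echo "warn: rule for $2 udp/$3 is only a '#' comment; target not translated" ;;
        *) echo "missing: no raw OUTPUT rule for $2 udp/$3" ;;
    esac
}

# Constructed sample rulesets in the layout of `nft -s list ruleset`; the rule
# lines mirror the forms quoted in this thread.
RULESET_UNTRANSLATED='table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
    }
}'
RULESET_OK='table ip raw {
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
        tcp dport 42 notrack
    }
}'
# The only notrack rule here sits in the filter table, so raw OUTPUT is empty.
RULESET_EMPTY='table ip raw {
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
table ip filter {
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
    }
}'

verdict "$RULESET_UNTRANSLATED" 169.254.25.10 53
verdict "$RULESET_OK"           169.254.25.10 53
verdict "$RULESET_EMPTY"        169.254.25.10 53
```

On a live host the function is fed with `nft -s list ruleset | check_raw_notrack 169.254.25.10 53`. Exit status 1 is the display symptom that the first patch in this thread addresses; a status of 0 combined with a failing `iptables-nft -C` is the second, separate problem. As comment #6 points out, a rebuilt xtables-nft-multi that still loads the distribution's extension libraries from /usr/lib/x86_64-linux-gnu/xtables/ will keep reporting 1 after the patch, so checking which library directory the binary resolves is the first thing to verify when the result does not change.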
bugzilla-daemon at netfilter.org
2020-Apr-15 18:50 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #10 from Etienne Champetier <champetier.etienne at gmail.com> ---
To be clear, I confirm your patch fixes the nft display bug, but it doesn't fix the initial bug for me
bugzilla-daemon at netfilter.org
2020-Apr-15 19:39 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #11 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Ah I see, sorry.

Please give a try to this patch.

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415193810.240720-1-pablo at netfilter.org/

Thanks.
bugzilla-daemon at netfilter.org
2020-Apr-15 19:52 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #12 from Etienne Champetier <champetier.etienne at gmail.com> ---
Perfect, everything is now working

If you want you can add
Tested-by: Etienne Champetier <etienne.champetier at anevia.com>

The last question is if you plan a release soon or if I should just ask maintainers to backport just the patches.

Thanks a lot!
bugzilla-daemon at netfilter.org
2020-Apr-15 21:05 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
bugzilla-daemon at netfilter.org
2020-Apr-15 21:08 UTC
[Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #13 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Etienne Champetier from comment #12)
> The last question is if you plan a release soon or if I should just ask
> maintainers to backport just the patches.

Phil is on holidays this week. He's got a patchset I would like to see merged upstream for the next release. It might take a few weeks to make the new release.

Thanks for reporting!