bugzilla-daemon at netfilter.org
2019-Jul-04 13:20 UTC
[Bug 1348] New: v1.8.2 iptables-nft-restore incorrectly handles multiple replace commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1348
Bug ID: 1348
Summary: v1.8.2 iptables-nft-restore incorrectly handles
multiple replace commands
Product: iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables-restore
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: shaun at tigera.io
Our project uses iptables-nft-restore in noflush mode as a way to run lots of
iptables commands quickly. We've found that, in nft mode, if we use -R to
replace rules, then the rule that gets replaced is only correct for the first
-R. Subsequent replaces seem to replace the same rule again:
$ iptables-save
# Generated by xtables-save v1.8.2 on Thu Jul 4 13:13:27 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test - [0:0]
-A test -m comment --comment 1
-A test -m comment --comment 2
COMMIT
$ iptables-restore --noflush
*filter
-R test 1 -m comment --comment 1a
-R test 2 -m comment --comment 2a
COMMIT
With legacy mode, I get this; as expected, both rules are replaced:
# Generated by iptables-save v1.8.2 on Thu Jul 4 13:19:00 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test - [0:0]
-A test -m comment --comment 1a
-A test -m comment --comment 2a
COMMIT
# Completed on Thu Jul 4 13:19:00 2019
But with nft mode, we get
$ iptables-save
# Generated by xtables-save v1.8.2 on Thu Jul 4 13:14:09 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test - [0:0]
-A test -m comment --comment 2a
-A test -m comment --comment 2
COMMIT
The first rule has been doubly replaced.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190704/e800f0c6/attachment.html>
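A regression check for the procedure described in the report above, added here as an example and not taken from the bug report or from the iptables project. It assumes the 1.8.x binary names iptables-nft, iptables-nft-restore and iptables-nft-save (setting IPT=iptables-legacy runs the same check against the legacy backend for comparison), root for the live part, and reuses the chain name "test" and the comments 1/2/1a/2a from the report. The text checker takes iptables-save output on stdin, so it can also be exercised offline with a saved ruleset.

```shell
#!/bin/sh
# Added example (not code from the bug report or from iptables).
# Regression check for bug 1348: apply two -R lines in a single --noflush
# batch and confirm that both target rules were replaced.
# Assumptions: binary names iptables-nft, iptables-nft-restore and
# iptables-nft-save (override with IPT=iptables-legacy), root for
# reproduce_bug1348, and the chain "test" with comments 1/2/1a/2a from the
# report. Comments containing spaces are saved quoted and not handled here.

# check_replace_result CHAIN COMMENT...
# Reads iptables-save output on stdin and compares the comments of the
# "-A CHAIN" rules, in order, with the arguments. Returns 0 on a match,
# 1 otherwise (printing expected vs actual on stderr).
check_replace_result() {
    chain=$1
    shift
    expected=$(printf '%s\n' "$@")
    actual=$(sed -n "s/^-A $chain -m comment --comment \(.*\)$/\1/p")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'chain %s: expected comments [%s], got [%s]\n' "$chain" \
        "$(printf '%s' "$expected" | tr '\n' ' ')" \
        "$(printf '%s' "$actual" | tr '\n' ' ')" >&2
    return 1
}

# reproduce_bug1348: recreate the report's chain with individual commands
# (so the host's filter table is never flushed), replace both rules in one
# --noflush batch, then check the saved ruleset. Needs root.
reproduce_bug1348() {
    IPT=${IPT:-iptables-nft}
    "$IPT" -N test 2>/dev/null || "$IPT" -F test
    "$IPT" -A test -m comment --comment 1
    "$IPT" -A test -m comment --comment 2
    "$IPT-restore" --noflush <<'EOF'
*filter
-R test 1 -m comment --comment 1a
-R test 2 -m comment --comment 2a
COMMIT
EOF
    if "$IPT-save" | check_replace_result test 1a 2a; then
        status=0
    else
        status=1
    fi
    "$IPT" -F test
    "$IPT" -X test
    return $status
}

# Run the live check only when asked (sh bug1348-check.sh run), so the file
# can also be sourced to reuse the pure-text checker on saved output.
case "${1:-}" in
    run) reproduce_bug1348 ;;
esac
```

On a 1.8.2 host with the nft backend, the live check prints `chain test: expected comments [1a 2a], got [2a 2]` and exits 1, which is the "doubly replaced" ruleset shown in the report; a fixed build, or IPT=iptables-legacy, exits 0.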
bugzilla-daemon at netfilter.org
2019-Jul-04 13:48 UTC
[Bug 1348] v1.8.2 iptables-nft-restore incorrectly handles multiple replace commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1348
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |pablo at netfilter.org,
| |phil at nwl.cc
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Could you try with iptables 1.8.3?
Cc'ing Phil, he has fixed this there IIRC.
bugzilla-daemon at netfilter.org
2019-Jul-04 16:18 UTC
[Bug 1348] v1.8.2 iptables-nft-restore incorrectly handles multiple replace commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1348
--- Comment #2 from Phil Sutter <phil at nwl.cc> ---
(In reply to Pablo Neira Ayuso from comment #1)
> Could you try with iptables 1.8.3?
>
> Cc'ing Phil, he has fixed this there IIRC.
Works for me on my testing VM with current upstream master at least. :)
bugzilla-daemon at netfilter.org
2019-Jul-05 08:40 UTC
[Bug 1348] v1.8.2 iptables-nft-restore incorrectly handles multiple replace commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1348
--- Comment #3 from Shaun Crampton <shaun at tigera.io> ---
Great, hopefully there'll be a 1.8.3 deb soon.
bugzilla-daemon at netfilter.org
2019-Sep-16 08:01 UTC
[Bug 1348] v1.8.2 iptables-nft-restore incorrectly handles multiple replace commands
https://bugzilla.netfilter.org/show_bug.cgi?id=1348
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
CC| |fw at strlen.de
Status|ASSIGNED |RESOLVED