netfilter buglog - May 2024 - [Bug 1752] New: iptables-save not showing default chains

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

            Bug ID: 1752
           Summary: iptables-save not showing default chains
           Product: iptables
           Version: 1.8.x
          Hardware: All
                OS: Ubuntu
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: iptables-save
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: ervrkharade at gmail.com

When i run iptables-save command on rhel or centos its showing below output
which i am not able to see on ubuntu machine even on LTS version
[root at rhel-8-50805-client ~]# iptables-save
# Generated by iptables-save v1.8.4 on Sun May 12 05:21:20 2024
*filter
:INPUT ACCEPT [299:79977]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [253:33027]
COMMIT
# Completed on Sun May 12 05:21:20 2024
# Generated by iptables-save v1.8.4 on Sun May 12 05:21:20 2024
*security
:INPUT ACCEPT [299:79977]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [253:33027]
COMMIT
# Completed on Sun May 12 05:21:20 2024
# Generated by iptables-save v1.8.4 on Sun May 12 05:21:20 2024
*raw
:PREROUTING ACCEPT [300:80465]
:OUTPUT ACCEPT [253:33027]
COMMIT
# Completed on Sun May 12 05:21:20 2024
# Generated by iptables-save v1.8.4 on Sun May 12 05:21:20 2024
*mangle
:PREROUTING ACCEPT [300:80465]
:INPUT ACCEPT [299:79977]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [253:33027]
:POSTROUTING ACCEPT [253:33027]
COMMIT
# Completed on Sun May 12 05:21:20 2024
# Generated by iptables-save v1.8.4 on Sun May 12 05:21:20 2024
*nat
:PREROUTING ACCEPT [2:552]
:INPUT ACCEPT [1:64]
:POSTROUTING ACCEPT [52:5283]
:OUTPUT ACCEPT [52:5283]
COMMIT
# Completed on Sun May 12 05:21:20 2024

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: iptables 1.8.10-3ubuntu2
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: nocloud
CloudName: unknown
CloudPlatform: nocloud
CloudSubPlatform: seed-dir (cmdline)
Date: Sun May 12 05:04:54 2024
InstallationDate: Installed on 2024-04-26 (16 days ago)
InstallationMedia: Ubuntu-Server 24.04 LTS "Noble Numbat" - Release
amd64
(20240423)
SourcePackage: iptables
UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240523/e1f4e6b4/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

ervrkharade at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://bugs.launchpad.net/
                   |                            |ubuntu/+source/iptables/+bu
                   |                            |g/2065513

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240523/f512e87d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
This should not be a problem per se, iptables-save doesn't dump tables which
don't exist (with iptables-legacy, you can check that by unloading e.g.
iptable_mangle.ko and calling iptables-save before and after).

This is odd though, RHEL8 should ship iptables-nft. Could you please paste the
output of 'iptables --version' from that RHEL8 machine?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240523/bc6d733d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

--- Comment #2 from ervrkharade at gmail.com ---

This should not be a problem per se, iptables-save doesn't dump tables which
don't exist (with iptables-legacy, you can check that by unloading e.g.
iptable_mangle.ko and calling iptables-save before and after)
-> I dunno exactly what i have to do could you please provide steps, Thanks.

[root at rhel-8-50805-client ~]# iptables --version
iptables v1.8.4 (nf_tables)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240527/1fb9e0e6/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

--- Comment #3 from Phil Sutter <phil at nwl.cc> ---
(In reply to ervrkharade from comment #2)
> -> I dunno exactly what i have to do could you please provide steps,
Thanks.
Long story short: It is expected that iptables-save may not show some
tables'
default chains as a table may not exist (due to not loaded modules or other
factors).

What is your problem to begin with? What are you expecting, what behaviour are
you experiencing instead and how is it problematic?

Cheers, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240604/46f768e7/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

--- Comment #4 from ervrkharade at gmail.com ---


The main issue here is why iptables-save command not showing any output
including default chains which are visible on Redhat, centOS etc.

for example in any Ubuntu it's not showing any default chains and In other
Linux example CentOS , Redhat it shows default chains when we run iptables-save
command example mentioned in the ticket description.

you can try to run iptables-save command on redhat and ubuntu machine and see
the difference in output.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240610/d16446de/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

--- Comment #5 from ervrkharade at gmail.com ---

Here is bit more details about the issue
https://github.com/puppetlabs/puppetlabs-firewall/issues/1188

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240610/0733489e/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

--- Comment #6 from ervrkharade at gmail.com ---

Sorry, In this comment the issue is mentioned in detail
https://github.com/puppetlabs/puppetlabs-firewall/issues/1188#issuecomment-2135488191

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240610/ced25c4e/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1752

--- Comment #7 from Phil Sutter <phil at nwl.cc> ---
Hi,

(In reply to ervrkharade from comment #4)
> 
> The main issue here is why iptables-save command not showing any output
> including default chains which are visible on Redhat, centOS etc.
Here's a freshly booted CentOS-Stream-9 VM:

| [root at vm-10-0-185-242 ~]# uname -a
| Linux vm-10-0-185-242.hosted.upshift.rdu2.redhat.com 5.14.0-452.el9.x86_64 #1
SMP PREEMPT_DYNAMIC Sat May 18 20:39:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
| [root at vm-10-0-185-242 ~]# cat /etc/redhat-release
| CentOS Stream release 9
| [root at vm-10-0-185-242 ~]# iptables-save
| [root at vm-10-0-185-242 ~]#
> for example in any Ubuntu it's not showing any default chains and In
other
> Linux example CentOS , Redhat it shows default chains when we run
> iptables-save command example mentioned in the ticket description.
> 
> you can try to run iptables-save command on redhat and ubuntu machine and
> see the difference in output.
It is a misconception that iptables-save should print "default
chains". In
fact, it will print only existing ones. See what happens on the same machine
when adding a rule to filter table's FORWARD chain:

| [root at vm-10-0-185-242 ~]# iptables -A FORWARD -j ACCEPT
| [root at vm-10-0-185-242 ~]# iptables-save
| # Generated by iptables-save v1.8.10 (nf_tables) on Tue Jun 11 08:02:35 2024
| *filter
| :INPUT ACCEPT [0:0]
| :FORWARD ACCEPT [0:0]
| :OUTPUT ACCEPT [0:0]
| -A FORWARD -j ACCEPT
| COMMIT
| # Completed on Tue Jun 11 08:02:35 2024

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240611/30dfcbcb/attachment.html>