bugzilla-daemon at netfilter.org
2024-Jul-07 13:17 UTC
[Bug 1757] New: Alpine 3.19: iptables: Bad rule (does a matching rule exist in that chain?).
https://bugzilla.netfilter.org/show_bug.cgi?id=1757

Bug ID: 1757
Summary: Alpine 3.19: iptables: Bad rule (does a matching rule exist in that chain?).
Product: iptables
Version: 1.8.x
Hardware: All
OS: other
Status: NEW
Severity: normal
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: quentin.mcgaw at gmail.com

On Alpine Linux 3.19, after adding and removing rules, it doesn't find a rule that was added previously.

To reproduce:

docker run -it --rm --cap-add=NET_ADMIN alpine:3.19
apk add iptables
iptables --policy FORWARD ACCEPT
iptables --append INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables --append INPUT -i lo -j ACCEPT
iptables --append OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append OUTPUT -o eth0 -s 1.2.3.4 -d 5.6.7.8 -j ACCEPT
iptables --append INPUT -i eth0 -p tcp --dport 12345 -j ACCEPT
iptables --append INPUT -i eth0 -p udp --dport 12345 -j ACCEPT
iptables --delete INPUT -i eth0 -p tcp --dport 12345 -j ACCEPT

And this will produce "iptables: Bad rule (does a matching rule exist in that chain?)".

This issue seems to be resolved with Alpine 3.20 although the iptables version didn't change (1.8.3), so my guess is this is a nftables kernel issue. We did fall back on using iptables legacy to not use nftables for the time being, but we will try nftables again using Alpine 3.20 now that it is released.

--
You are receiving this mail because:
You are watching all bug changes.
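The following helper is an added example and is not part of the bug report or of the iptables project. It covers two things a practitioner wants when "iptables -D CHAIN <spec>" answers "Bad rule" while the rule is visibly in the chain: confirm which backend the binary uses ("iptables -V" prints "(nf_tables)" or "(legacy)"), and remove the rule by its position in "iptables -S CHAIN" output instead of re-spelling the match spec. The function names (rule_index, backend_of, delete_rule) and the sample chain listing are constructed for illustration; the sample reflects the real normalization where "-p tcp --dport N" is printed back as "-p tcp -m tcp --dport N". Only the lookup functions run without privileges; delete_rule needs CAP_NET_ADMIN and a live ruleset.

```shell
#!/bin/sh
# Added example (not from the report): locate an iptables rule by the text
# "iptables -S" prints for it and delete it by number when a spec-based
# delete does not match. Runs on busybox ash (Alpine) as well as bash.

# rule_index CHAIN RULE_TEXT  < "iptables -S CHAIN" output
#   Prints the 1-based position of the first "-A CHAIN RULE_TEXT" line,
#   which is the number "iptables -D CHAIN N" expects. Exit 1 if absent.
#   RULE_TEXT must be spelled as iptables -S prints it (e.g. with the
#   implicit "-m tcp" after "-p tcp").
rule_index() {
    chain=$1
    want=$2
    n=0
    while IFS= read -r line; do
        case $line in
            "-A $chain "*) n=$((n + 1)) ;;
            *) continue ;;            # policy line (-P) or other chains
        esac
        if [ "${line#"-A $chain "}" = "$want" ]; then
            printf '%s\n' "$n"
            return 0
        fi
    done
    return 1
}

# backend_of VERSION_LINE
#   Maps the output of "iptables -V" to nf_tables / legacy / unknown.
backend_of() {
    case $1 in
        *"(nf_tables)"*) printf 'nf_tables\n' ;;
        *"(legacy)"*)    printf 'legacy\n' ;;
        *)               printf 'unknown\n'; return 1 ;;
    esac
}

# delete_rule CHAIN RULE_TEXT
#   Against the live ruleset (needs CAP_NET_ADMIN): check with -C, delete
#   with -D, and fall back to delete-by-number via rule_index. $want is
#   deliberately unquoted so the spec is split into separate arguments.
delete_rule() {
    chain=$1
    want=$2
    if iptables -C "$chain" $want 2>/dev/null; then
        iptables -D "$chain" $want
        return
    fi
    idx=$(iptables -S "$chain" | rule_index "$chain" "$want") || {
        echo "rule not present in $chain (backend: $(backend_of "$(iptables -V)"))" >&2
        return 1
    }
    iptables -D "$chain" "$idx"
}

# Constructed sample of "iptables -S INPUT" for the INPUT rules in the
# report, so the lookup logic can be exercised without root.
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 12345 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 12345 -j ACCEPT'

# Position of the TCP rule from the report in the sample chain (3).
sample_tcp_index() {
    printf '%s\n' "$SAMPLE_INPUT_CHAIN" |
        rule_index INPUT '-i eth0 -p tcp -m tcp --dport 12345 -j ACCEPT'
}
```

Deleting by number is only safe if nothing else modifies the chain between the lookup and the delete; on a shared host, run the two commands under a lock or re-check with "iptables -S" afterwards. A lookup using the un-normalized text ("-p tcp --dport 12345" without "-m tcp") misses on purpose, which is why the function asks for the text as iptables -S prints it.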
bugzilla-daemon at netfilter.org
2024-Jul-09 15:25 UTC
[Bug 1757] Alpine 3.19: iptables: Bad rule (does a matching rule exist in that chain?).
https://bugzilla.netfilter.org/show_bug.cgi?id=1757

Phil Sutter <phil at nwl.cc> changed:

What        Removed    Added
Status      NEW        RESOLVED
CC                     phil at nwl.cc
Resolution  ---        WORKSFORME

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---

Hi Quentin,

Thanks for the report. This tracker is for upstream issues only though. Please report this with Alpine Linux maintainers, probably via:

https://gitlab.alpinelinux.org/alpine/aports/-/issues

Cheers, Phil