View Issue Details

ID: 0017239
Project: CentOS-8
Category: iptables
View Status: public
Last Update: 2020-06-04 02:10
Reporter: champtar
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.1.1911
Target Version: (none)
Fixed in Version: (none)
Summary: 0017239: iptables-nft fails to check / delete rules in raw table
Description: iptables commands that used to work with iptables 'legacy' now fail with iptables-nft.
It works for the filter table but not for the raw table.

# yum list installed iptables
iptables.x86_64 1.8.2-16.el8

# cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)

(I'm using CentOS 8 stream)
Steps To Reproduce:
# iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 13123 packets, 29M bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 6869 packets, 406K bytes)
 pkts bytes target prot opt in out source destination
# iptables -w2 -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
# iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 13222 packets, 29M bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 6940 packets, 413K bytes)
 pkts bytes target prot opt in out source destination
    0 0 CT udp -- * * 0.0.0.0/0 169.254.25.10 udp dpt:53 NOTRACK
# iptables -w2 -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# iptables -w2 -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).

# iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 14251 packets, 29M bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7351 packets, 452K bytes)
 pkts bytes target prot opt in out source destination
    0 0 CT udp -- * * 0.0.0.0/0 169.254.25.10 udp dpt:53 NOTRACK
Tags: "system restart" (original tag text: "перезапуск системы")

Activities

champtar (reporter) 2020-04-10 16:49 ~0036675

This also happens on Debian buster (iptables 1.8.4-3); I'll open a bug upstream.
champtar (reporter) 2020-04-10 17:01 ~0036676

Upstream bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1422
champtar (reporter) 2020-04-15 21:37 ~0036697

The upstream bug is now fixed; it just needs to be backported.
champtar (reporter) 2020-06-04 02:10 ~0037034

iptables 1.8.5 is now released
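The script below is an added example, not code from this bug report or from the iptables project. It packages the reporter's reproduction as a self-cleaning probe and adds a version-string triage for hosts where you cannot (or do not want to) touch the ruleset. Assumptions of mine, not stated on the page: `iptables -V` prints the backend in parentheses, as in "iptables v1.8.2 (nf_tables)" or "iptables v1.8.4 (legacy)", and the upstream fix shipped in iptables 1.8.5, which the last two notes imply but do not state outright. Distributions backport fixes without bumping the upstream version (CentOS 8's 1.8.2-16.el8 is such a build), so treat the triage as a hint and the probe as the real test.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the iptables project.
# Two checks for the failure shown in the report (iptables-nft -C / -D not
# finding a NOTRACK rule in the raw table):
#   1. a version-string triage, assuming (from the thread's last notes) that
#      the upstream fix shipped in iptables 1.8.5 and that `iptables -V`
#      prints e.g. "iptables v1.8.2 (nf_tables)" or "iptables v1.8.4 (legacy)";
#   2. a functional probe that reproduces the reporter's steps and cleans up.
# Distributions backport fixes without changing the upstream version, so the
# triage is only a hint; the probe is the authoritative test where it can run.

# version_lt A B: succeed when dotted version A sorts before B (1.8.2 < 1.8.5).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 1; fi
    done
    return 1
}

# raw_check_verdict "<iptables -V output>": print exactly one word
#   affected  nf_tables backend older than 1.8.5 (assumed fix version)
#   fixed     nf_tables backend 1.8.5 or newer
#   legacy    iptables-legacy, which the report says works
#   unknown   no parseable version or no backend suffix
raw_check_verdict() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }
    case $line in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) if version_lt "$ver" 1.8.5; then echo affected; else echo fixed; fi ;;
        *)               echo unknown ;;
    esac
}

# probe_raw_check: reproduce the report's steps on the running system.
# Inserts the reporter's NOTRACK rule at position 1 of raw/OUTPUT, runs -C,
# then removes the rule by index (-D OUTPUT 1) so that cleanup does not depend
# on the rule comparison being tested. Requires root and iptables.
probe_raw_check() {
    rule='-p udp -d 169.254.25.10 --dport 53 -j NOTRACK'
    if [ "$(id -u)" -ne 0 ]; then
        echo "probe: must run as root" >&2
        return 2
    fi
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    iptables -w2 -t raw -I OUTPUT $rule || return 2
    if iptables -w2 -t raw -C OUTPUT $rule; then
        verdict=ok
    else
        verdict=affected
    fi
    iptables -w2 -t raw -D OUTPUT 1 ||
        echo "probe: cleanup failed, remove rule 1 of raw/OUTPUT by hand" >&2
    echo "probe: -C in raw table: $verdict ($(iptables -V 2>&1))"
    [ "$verdict" = ok ]
}

main() {
    if [ "${1:-}" = "--probe" ]; then
        probe_raw_check
    elif command -v iptables >/dev/null 2>&1; then
        v=$(iptables -V 2>&1)
        echo "$v -> $(raw_check_verdict "$v")"
    else
        echo "iptables not installed here; run with --probe on the target host" >&2
    fi
}

main "$@"
```

Run it without arguments for the version triage, or as root with `--probe` to insert the reporter's rule, check it with `-C`, and remove it by rule number. Deleting by index is the practical workaround while a fixed build is not yet available: on an affected host `-D` with the full rule specification fails exactly as in the report, but `iptables -t raw -D OUTPUT <n>` still works.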

Issue History

Date Modified Username Field Change
2020-04-10 15:44 champtar New Issue
2020-04-10 16:49 champtar Note Added: 0036675
2020-04-10 17:01 champtar Note Added: 0036676
2020-04-12 10:34 bushuev.byshyi Tag Attached: "system restart"
2020-04-15 21:37 champtar Note Added: 0036697
2020-06-04 02:10 champtar Note Added: 0037034