0017239: iptables-nft fails to check / delete rules in raw table - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017239	CentOS-8	iptables	public	2020-04-10 15:44	2020-06-04 02:10

Reporter	champtar
Priority	normal	Severity	major	Reproducibility	always
Status	new	Resolution	open
Product Version	8.1.1911
Target Version		Fixed in Version

Summary	0017239: iptables-nft fails to check / delete rules in raw table
Description	iptables command that used to work with iptables 'legacy' now fail with iptables-nft It works for filter table not for raw table # yum list installed iptables iptables.x86_64 1.8.2-16.el8 # cat /etc/redhat-release CentOS Linux release 8.1.1911 (Core) (I'm using CentOS 8 stream)
Steps To Reproduce	# iptables -t raw -L -n -v Chain PREROUTING (policy ACCEPT 13123 packets, 29M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 6869 packets, 406K bytes) pkts bytes target prot opt in out source destination # iptables -w2 -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK # iptables -t raw -L -n -v Chain PREROUTING (policy ACCEPT 13222 packets, 29M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 6940 packets, 413K bytes) pkts bytes target prot opt in out source destination 0 0 CT udp -- * * 0.0.0.0/0 169.254.25.10 udp dpt:53 NOTRACK # iptables -w2 -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK iptables: Bad rule (does a matching rule exist in that chain?). # iptables -w2 -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK iptables: Bad rule (does a matching rule exist in that chain?). # iptables -t raw -L -n -v Chain PREROUTING (policy ACCEPT 14251 packets, 29M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 7351 packets, 452K bytes) pkts bytes target prot opt in out source destination 0 0 CT udp -- * * 0.0.0.0/0 169.254.25.10 udp dpt:53 NOTRACK
Tags	"перезапуск системы"

champtar 2020-04-10 16:49 reporter ~0036675	This also happens on Debian buster (iptables 1.8.4-3), I'll open a bug upstream

champtar 2020-04-10 17:01 reporter ~0036676	Upstream bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1422

champtar 2020-04-15 21:37 reporter ~0036697	Upstream bug is now fixed, just need to be backported

champtar 2020-06-04 02:10 reporter ~0037034	iptables 1.8.5 is now released

Date Modified	Username	Field	Change
2020-04-10 15:44	champtar	New Issue
2020-04-10 16:49	champtar	Note Added: 0036675
2020-04-10 17:01	champtar	Note Added: 0036676
2020-04-12 10:34	bushuev.byshyi	Tag Attached: "перезапуск системы"
2020-04-15 21:37	champtar	Note Added: 0036697
2020-06-04 02:10	champtar	Note Added: 0037034