View Issue Details

ID: 0017478
Project: CentOS-8
Category: iptables
View Status: public
Last Update: 2020-08-04 14:46
Reporter: zztalker
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.1.1911
Target Version:
Fixed in Version:
Summary: 0017478: iptables-restore couldn't check valid rules
Description: When I use iptables-restore to check the persistence of valid rules, I got strange errors:

# cat /vagrant/fail1.check
*filter
--check INPUT -j test_chain
--check test_chain -j jump_chain
--check test_chain -j jump_chain2
--check test_chain -p tcp -m multiport --dports 20003,20004,20013,20014 -j DROP
COMMIT
*nat
--check PREROUTING -j test_chain
COMMIT


# iptables-restore --noflush --verbose < /vagrant/fail1.check
iptables-restore v1.8.2 (nf_tables): Extension does not know id 63



Steps To Reproduce:

# ipset create test_set hash:net
# ipset create test.set.v4.1 hash:net
# ipset create test.set.v4.2 hash:net
# ipset create test.set.v4.3 hash:net
# ipset create test.set.v4.4 hash:net
# ipset create test.set.v4.5 hash:net
# ipset create test.set.v4.6 hash:net
# iptables-restore < /vagrant/fill_iptables

# cat /vagrant/fill_iptables

# Generated by xtables-save v1.8.2 on Tue Jun 2 09:45:46 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test_chain - [0:0]
:jump_chain - [0:0]
:jump_chain2 - [0:0]
-A INPUT -j test_chain
-A test_chain -m set --match-set test.set.v4.1 src -j RETURN
-A test_chain -m set --match-set test.set.v4.2 src -j RETURN
-A test_chain -m set --match-set test.set.v4.3 src -j RETURN
-A test_chain -m set --match-set test.set.v4.4 src -j RETURN
-A test_chain -m set --match-set test.set.v4.5 src -j DROP
-A test_chain -m set --match-set test.set.v4.6 src -j DROP
-A test_chain -j jump_chain
-A test_chain -p tcp -m multiport --dports 20003,20004,20013,20014 -j DROP
-A test_chain -j jump_chain2
-A test_chain -m set --match-set test_set src -j RETURN
COMMIT
# Completed on Tue Jun 2 09:45:46 2020
# Generated by xtables-save v1.8.2 on Tue Jun 2 09:45:46 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test_chain - [0:0]
-A PREROUTING -j test_chain
-A test_chain -m set --match-set test_set src -j RETURN
COMMIT
# Completed on Tue Jun 2 09:45:46 2020

# cat /vagrant/fail1.check
*filter
--check INPUT -j test_chain
--check test_chain -j jump_chain
--check test_chain -j jump_chain2
--check test_chain -p tcp -m multiport --dports 20003,20004,20013,20014 -j DROP
COMMIT
*nat
--check PREROUTING -j test_chain
COMMIT


# iptables-restore --noflush --verbose < /vagrant/fail1.check
iptables-restore v1.8.2 (nf_tables): Extension does not know id 63



It may be examined with Vagrant:

git clone https://github.com/zztalker/centos8iptables_bug.git
cd centos8iptables_bug/c8
vagrant up && vagrant ssh -c "sudo bash /vagrant/fails.sh"

Tags: iptables
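The report verifies that rules persisted by feeding a `--check` file to iptables-restore, which is the code path that fails on 1.8.2. As an added example (not from the report or the CentOS package), the script below reads the same check-file format and verifies each rule individually with plain `iptables -C`, counting the rules that are absent. SAMPLE_CHECK is a constructed input in the report's format, and IPTABLES is an assumed override variable so a wrapper or test double can stand in for the real binary.

```shell
#!/bin/sh
# Added example, not from the bug report: verify firewall rules one by one
# with `iptables -C` instead of `iptables-restore --check`. It reads the
# same file format as /vagrant/fail1.check (constructed sample below).

# Constructed sample in the report's check-file format.
SAMPLE_CHECK='*filter
--check INPUT -j test_chain
--check test_chain -p tcp -m multiport --dports 20003,20004,20013,20014 -j DROP
COMMIT
*nat
--check PREROUTING -j test_chain
COMMIT'

# Translate a check file on stdin into one "TABLE<TAB>RULE" pair per line.
# "*table" selects the table, "--check RULE" emits a pair, "COMMIT" ends the
# table; blank lines and "#" comments are skipped. Anything else is an error.
parse_check_file() {
    table=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;
            '*'*) table="${line#\*}" ;;
            COMMIT) table="" ;;
            '--check '*)
                [ -n "$table" ] || { echo "rule outside table: $line" >&2; return 1; }
                printf '%s\t%s\n' "$table" "${line#--check }" ;;
            *) echo "unsupported line: $line" >&2; return 1 ;;
        esac
    done
}

# Run `iptables -t TABLE -C RULE` for every pair from parse_check_file and
# print the number of rules that are not present (0 means all persisted).
# IPTABLES (assumed variable) may name a wrapper; defaults to the real binary.
count_missing_rules() {
    missing=0
    tmp=$(mktemp) || return 1
    parse_check_file > "$tmp" || { rm -f "$tmp"; return 1; }
    while IFS="$(printf '\t')" read -r table rule; do
        # Word splitting of $rule is intended: it is an argv fragment.
        if ! ${IPTABLES:-iptables} -t "$table" -C $rule >/dev/null 2>&1; then
            echo "missing in $table: $rule" >&2
            missing=$((missing + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    echo "$missing"
}

printf '%s\n' "$SAMPLE_CHECK" | parse_check_file
```

On a live host, `printf '%s\n' "$SAMPLE_CHECK" | count_missing_rules` prints 0 only when every listed rule is present in the running tables.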

Activities

MrDoggie (reporter), 2020-07-28 18:22, note ~0037435

Encountered the same issue with iptables-1.8.2, but the issue went away after I upgraded to iptables-1.8.4.
zztalker (reporter), 2020-08-04 14:46, note ~0037485

Confirmed, the issue looks like it is solved with iptables 1.8.4.

Issue History

Date Modified Username Field Change
2020-06-17 15:30 zztalker New Issue
2020-06-17 15:30 zztalker Tag Attached: iptables
2020-07-28 18:22 MrDoggie Note Added: 0037435
2020-08-04 14:46 zztalker Note Added: 0037485