[pkg-netfilter-team] Bug#939336: iptables: fails to delete rules when running 32-bit userspace on 64-bit kernel

Fabio Pedretti pedretti.fabio at gmail.com
Tue Sep 3 14:33:51 BST 2019 

I think this is fixed in iptables git:
https://git.netfilter.org/iptables/commit/?id=64e88114437072b29bed8aae9eb04ed5e773708f

BTW, iptables git has many fixes for Debian reported bugs (mostly since buster).

Il giorno mar 3 set 2019 alle ore 15:30 Colin Watson
<cjwatson at debian.org> ha scritto:
>
> Package: iptables
> Version: 1.8.3-2
> Severity: normal
>
> When running an i386 container on an amd64 host system, "iptables -D"
> fails to match existing rules correctly:
>
>   # iptables -A OUTPUT -p tcp --dport 80 -j DROP
>   # iptables -D OUTPUT -p tcp --dport 80 -j DROP
>   iptables: Bad rule (does a matching rule exist in that chain?).
>
> Some gdb work revealed that this is because match_size is wrong: it's
> based on alignof(struct xt_align), and when adding a new rule the
> kernel's netfilter compat interfaces adjust match_size to account for
> the difference between userspace and kernel alignment, but this means
> that the size isn't what userspace expects when it tries to match
> existing rules.
>
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 5.2.0-10-generic (SMP w/1 CPU core)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages iptables depends on:
> ii  libc6                    2.28-10
> ii  libip4tc2                1.8.3-2
> ii  libip6tc2                1.8.3-2
> ii  libiptc0                 1.8.3-2
> ii  libmnl0                  1.0.4-2+b1
> ii  libnetfilter-conntrack3  1.0.7-2
> ii  libnfnetlink0            1.0.1-3+b1
> ii  libnftnl11               1.1.4-1
> ii  libxtables12             1.8.3-2
>
> Versions of packages iptables recommends:
> ii  nftables  0.9.2-1
>
> Versions of packages iptables suggests:
> pn  kmod  <none>
>
> -- no debconf information
>
> --
> Colin Watson                                       [cjwatson at debian.org]
>

More information about the pkg-netfilter-team mailing list