[pkg-netfilter-team] Bug#1051518: iptables: ip6tables `-C` option seems to be broken in bookworm v1.8.9

Chris Francy zoredache at gmail.com
Sat Sep 9 01:20:31 BST 2023


Package: iptables
Version: 1.8.9-2
Severity: normal
Tags: ipv6 upstream
X-Debbugs-Cc: zoredache at gmail.com

Dear Maintainer,

I am running Docker; some containers have published ports. Docker adds
iptables rules to make this work. Since upgrading to bookworm, Docker is not
adding the correct rules to my IPv6 tables. This worked perfectly fine on my
bullseye system.

After viewing lots of the strace output and Docker debug logs, I am pretty
sure there is a bug in ip6tables-legacy. The `-C` option of
ip6tables-legacy should return an exit code of 1 if a rule does not
exist. On my bookworm system, it seems to return 0 no matter what.

  # ip6tables-legacy --version
  ip6tables v1.8.9 (legacy)
  # ip6tables-legacy-save | grep DNAT
  -A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
  # ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
  0
  # ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
  0

I manually built iptables v1.8.7 from source, installed it in an alternative
directory, and used the 'alternatives' system to select my version; that
fixed my problem with Docker published ports.

  # ip6tables-legacy --version
  ip6tables v1.8.7 (legacy)
  # ip6tables-legacy-save | grep DNAT
  -A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
  # ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
  0
  # ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
  ip6tables: No chain/target/match by that name.
  1

Chris

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-11-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages iptables depends on:
ii  libc6                    2.36-9+deb12u1
ii  libip4tc2                1.8.9-2
ii  libip6tc2                1.8.9-2
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.9-3
ii  libnfnetlink0            1.0.2-2
ii  libnftnl11               1.2.4-2
ii  libxtables12             1.8.9-2
ii  netbase                  6.4

Versions of packages iptables recommends:
ii  nftables  1.0.6-2+deb12u1

Versions of packages iptables suggests:
pn  firewalld  <none>
pn  kmod       <none>

-- no debconf information
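A defensive rule-existence check that does not trust the exit status of `ip6tables-legacy -C`, added here as an example; it is not part of the bug report or of the iptables project. It compares against the `ip6tables-legacy-save` output instead (the report shows that output is still correct), and also probes whether `-C` on a rule that certainly does not exist is reported as missing. The sample save output is constructed from the lines in the report; the live functions assume `ip6tables-legacy` and `ip6tables-legacy-save` are on PATH.

```shell
#!/bin/sh
# Example workaround check (not from the bug report). The report says that on
# iptables 1.8.9 `ip6tables-legacy -C` exits 0 even for a rule that is absent,
# so anything that uses "-C || -A" will silently skip adding rules.

# rule_in_save CHAIN RULESPEC...
# Reads `ip6tables-save -t TABLE` output on stdin and exits 0 only if it
# contains the exact line "-A CHAIN RULESPEC". Note that the save format is
# normalised (e.g. "-p tcp -m tcp --dport 443"), so pass the spec that way.
rule_in_save() {
  chain=$1; shift
  grep -Fxq -- "-A $chain $*"
}

# has_rule TABLE CHAIN RULESPEC... : the same check against the live table.
has_rule() {
  table=$1; chain=$2; shift 2
  ip6tables-legacy-save -t "$table" | rule_in_save "$chain" "$@"
}

# c_flag_is_sane: returns 0 if `-C` reports a surely-absent rule as missing
# (exit 1), 1 if it claims the rule exists, which is the bug described above.
# The probe rule (constructed, port 1) is one nobody is expected to add.
c_flag_is_sane() {
  if ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 1 -j DNAT \
       --to-destination '[fd6c:d0ed:2749:2114::1:2]:1' 2>/dev/null; then
    return 1
  fi
  return 0
}

# Constructed sample of `ip6tables-legacy-save -t nat` output, taken from the
# report: only the port-443 DNAT rule is present, the port-80 rule is not.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
COMMIT'

# demo_on_sample: exits 0 only if the 443 rule is found and the 80 rule is not.
demo_on_sample() {
  printf '%s\n' "$SAMPLE_SAVE" | rule_in_save DOCKER -p tcp -m tcp --dport 443 \
    -j DNAT --to-destination '[fd6c:d0ed:2749:2114::1:2]:443' || return 1
  if printf '%s\n' "$SAMPLE_SAVE" | rule_in_save DOCKER -p tcp -m tcp --dport 80 \
    -j DNAT --to-destination '[fd6c:d0ed:2749:2114::1:2]:80'; then
    return 1
  fi
  return 0
}
```

On an affected host, `c_flag_is_sane || echo "-C is unreliable, use has_rule"` shows whether the installed binary has the problem.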
