Genztoo (n00b; joined 18 Feb 2025; posts: 4)
Posted: Tue Feb 18, 2025 9:29 am    Post subject: [SOLVED] iptables-nft can't check if a rule exists
Hi, friends! I have been encountering a very strange problem for a few days.
Short description

Code:
iptables-legacy -v --wait -t filter -C FORWARD -i br-28887390c104 -o br-28887390c104 -j ACCEPT

shows:

Code:
ACCEPT all opt -- in br-28887390c104 out br-28887390c104 0.0.0.0/0 -> 0.0.0.0/0
iptables: Bad rule (does a matching rule exist in that chain?).

But,

Code:
iptables-nft -v --wait -t filter -C FORWARD -i br-28887390c104 -o br-28887390c104 -j ACCEPT

shows:

Code:
ACCEPT all opt -- in docker0 out docker0 0.0.0.0/0 -> 0.0.0.0/0
Background
I decided to migrate my firewall from iptables to nftables and use firewalld. When I switched iptables from xtables-legacy-multi to xtables-nft-multi using eselect, I found that the website hosted on my Gentoo server with Docker was inaccessible. I checked Docker's debug output and found that Docker runs `iptables -t filter -C FORWARD ...` to check whether a rule already exists. With xtables-legacy-multi, the command returns `Bad rule`, so Docker inserts the rule using `iptables -t filter -I FORWARD ...`. However, with xtables-nft-multi, the command returns successfully without an error. It seems that iptables considers the existing FORWARD rule from docker0 to docker0 as the rule Docker is checking for. Thus, Docker does not insert the rule.
This problem doesn't occur on Ubuntu. So I modified my Gentoo kernel configuration according to Ubuntu's, but it still doesn't work.
Any help would be appreciated.
Last edited by Genztoo on Tue Feb 18, 2025 10:09 pm; edited 1 time in total |
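An added example, not from the thread and not Docker's or iptables' own code: it shows the check-then-insert pattern the post describes (-C, then -I only when the check fails) and adds a read-only sanity check that -C really distinguishes interface names before its result is trusted, which is exactly what failed here. The IPT variable, the function names and the interface name br-nonexistent0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to the iptables binary on
# PATH; override it (e.g. IPT=iptables-nft) or point it at a stub when testing.
IPT="${IPT:-iptables}"

# Return 0 if an ACCEPT rule for traffic staying on bridge $1 exists in FORWARD
# (the same check Docker runs before inserting its bridge rule).
forward_rule_exists() {
    "$IPT" --wait -t filter -C FORWARD -i "$1" -o "$1" -j ACCEPT >/dev/null 2>&1
}

# Idempotent insert: check with -C, insert with -I only when the check fails.
# Prints "present" or "inserted" so the caller can see which path was taken.
# A -C that reports false matches (the bug in the thread) makes this print
# "present" and silently skip the insert.
ensure_forward_rule() {
    if forward_rule_exists "$1"; then
        echo present
    else
        "$IPT" --wait -t filter -I FORWARD -i "$1" -o "$1" -j ACCEPT && echo inserted
    fi
}

# Sanity check before trusting -C: an interface name that appears in no rule
# must NOT match. Returns 0 if -C discriminates, 1 if it reports a match for
# the bogus name (the behaviour the post saw with the Gentoo iptables-nft).
# Only -C is used, so nothing in the ruleset is modified.
check_discriminates() {
    bogus="${1:-br-nonexistent0}"   # assumed to appear in no FORWARD rule
    if forward_rule_exists "$bogus"; then
        echo "iptables -C matched a rule for '$bogus'; do not trust -C results" >&2
        return 1
    fi
    return 0
}
```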
Genztoo (n00b; joined 18 Feb 2025; posts: 4)
Posted: Tue Feb 18, 2025 6:46 pm    Post subject: Have tried this on Gentoo Live CD
I have tried these two commands on Gentoo's Live CD and encountered the same problem. I can confirm that the issue is not caused by my system configuration.
Genztoo (n00b; joined 18 Feb 2025; posts: 4)
Posted: Tue Feb 18, 2025 8:21 pm    Post subject: (none)
I cloned the upstream git repository from https://git.netfilter.org/iptables.git, compiled it and tested it. The upstream iptables-nft returns `Bad rule`. Therefore I can confirm that the issue exists only in the Gentoo package.
Genztoo (n00b; joined 18 Feb 2025; posts: 4)
Posted: Tue Feb 18, 2025 10:04 pm    Post subject: Problem resolved
Hi, everyone! How stupid I was! I have finally solved this problem.
I checked the git log of the upstream repository and found this commit: "nft: fix interface comparisons in `-C` commands", http://git.netfilter.org/iptables/commit/?id=40406dbfaefbc204134452b2747bae4f6a122848.
I exported this commit as a patch file, put it in /etc/portage/patches, re-emerged the iptables package, and it worked!