Bug 1459676

Summary: Regression: Deleting iptables rules stopped working
Product: [Fedora] Fedora
Reporter: Andrew Vagin <avagin>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: urgent
Version: 25
CC: fwestpha, gansalmon, ichavero, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab
Hardware: x86_64
OS: Linux
Fixed In Version: kernel-4.11.7-300.fc26
Last Closed: 2017-07-07 22:59:54 UTC
Type: Bug

Description Andrew Vagin 2017-06-07 18:51:45 UTC
Description of problem:
[root@zdtm ~]# iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
[root@zdtm ~]# iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
[root@zdtm ~]# uname -a
Linux zdtm.openvz.org 4.11.3-200.fc25.x86_64 #1 SMP Thu May 25 19:03:07 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The same set of commands works fine on previous kernels:
[root@zdtm ~]# iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
[root@zdtm ~]# iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP
[root@zdtm ~]# uname -a



Version-Release number of selected component (if applicable):


How reproducible:
100%


Steps to Reproduce:
1. unshare -n
2. iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
3. iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP

Actual results:
iptables returns the error and non-zero exit code

Expected results:
iptables exits with 0 without errors


Additional info:

Comment 1 Andrew Vagin 2017-06-07 18:59:30 UTC
[root@zdtm ~]# unshare -n
[root@zdtm ~]# iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
[root@zdtm ~]# iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP
[root@zdtm ~]# echo $?
0
[root@zdtm ~]# uname -a
Linux zdtm.openvz.org 4.12.0-0.rc3.git0.2.fc27.x86_64+debug #1 SMP Tue May 30 19:21:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Comment 2 Florian Westphal 2017-06-21 08:45:21 UTC
This was fixed with
commit 324318f0248c31be8a08984146e7e4dd7cdd091d
netfilter: xtables: zero padding in data_to_user

I've sent a request to include it in 4.11.y to stable maintainers.
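
The commit title above names the mechanism: padding bytes not zeroed when match data is copied out to userspace. The following is an added example, not kernel or iptables source: a simplified userspace model in which the function names, the 12-byte data size, the 8-byte alignment and the comparison over the aligned size are all assumptions of the sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this model: 8-byte alignment, 12 bytes of match data. */
#define MODEL_ALIGN(n) (((n) + 7u) & ~(size_t)7u)
#define DATA_SIZE 12u

/* Hypothetical stand-in for copying match data to a caller's buffer.
 * zero_padding = 0: only the data bytes are written.
 * zero_padding = 1: bytes up to the aligned size are cleared as well. */
static void model_data_to_user(unsigned char *dst, const unsigned char *src,
                               size_t size, int zero_padding)
{
    memcpy(dst, src, size);
    if (zero_padding)
        memset(dst + size, 0, MODEL_ALIGN(size) - size);
}

/* Returns 1 if a delete-style lookup finds the rule, 0 if not, -1 on
 * allocation failure. The requested rule is zero-padded; the fetched
 * copy lands in a buffer that still holds stale bytes. */
static int rule_found(int zero_padding)
{
    size_t aligned = MODEL_ALIGN(DATA_SIZE);
    unsigned char kernel_data[DATA_SIZE];
    unsigned char *wanted = calloc(1, aligned);
    unsigned char *fetched = malloc(aligned);
    int match;

    if (!wanted || !fetched) { free(wanted); free(fetched); return -1; }
    memset(kernel_data, 0x5a, sizeof kernel_data);  /* constructed rule bytes */
    memcpy(wanted, kernel_data, DATA_SIZE);
    memset(fetched, 0xaa, aligned);                 /* constructed stale heap */

    model_data_to_user(fetched, kernel_data, DATA_SIZE, zero_padding);
    match = memcmp(wanted, fetched, aligned) == 0;  /* padding is compared too */
    free(wanted);
    free(fetched);
    return match;
}

int main(void)
{
    printf("padding left alone: found=%d\n", rule_found(0));
    printf("padding zeroed:     found=%d\n", rule_found(1));
    return 0;
}
```

In the model, the lookup fails only when the four padding bytes are left untouched, which mirrors the "Bad rule" result on a rule that was just added.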

Comment 3 Andrew Vagin 2017-06-21 18:03:32 UTC
Florian, thank you

Comment 4 Fedora Update System 2017-06-26 21:50:21 UTC
kernel-4.11.7-300.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-44d91780a0

Comment 5 Fedora Update System 2017-06-26 21:51:55 UTC
kernel-4.11.7-200.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f852596f

Comment 6 Fedora Update System 2017-06-26 21:52:45 UTC
kernel-4.11.7-100.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbfb70fc1d

Comment 7 Fedora Update System 2017-06-27 17:20:43 UTC
kernel-4.11.7-100.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbfb70fc1d

Comment 8 Fedora Update System 2017-06-27 17:25:58 UTC
kernel-4.11.7-200.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f852596f

Comment 9 Fedora Update System 2017-06-27 20:25:15 UTC
kernel-4.11.7-300.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-44d91780a0

Comment 10 Fedora Update System 2017-06-30 00:49:50 UTC
kernel-4.11.7-200.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2017-06-30 14:53:37 UTC
kernel-4.11.8-100.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4880e0f183

Comment 12 Andrew Vagin 2017-06-30 18:56:47 UTC
4.11.7 works as expected, thanks.

Comment 13 Fedora Update System 2017-07-02 03:22:55 UTC
kernel-4.11.8-100.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4880e0f183

Comment 14 Fedora Update System 2017-07-04 00:20:55 UTC
kernel-4.11.8-100.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2017-07-07 22:59:54 UTC
kernel-4.11.7-300.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.