Bug 1459676 - Regression: Deleting iptables rules stopped working
Regression: Deleting iptables rules stopped working
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
25
x86_64 Linux
urgent Severity urgent
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-07 14:51 EDT by Andrew Vagin
Modified: 2017-07-07 18:59 EDT (History)
8 users (show)

See Also:
Fixed In Version: kernel-4.11.7-300.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-07 18:59:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrew Vagin 2017-06-07 14:51:45 EDT
Description of problem:
[root@zdtm ~]# iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
[root@zdtm ~]# iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
[root@zdtm ~]# uname -a
Linux zdtm.openvz.org 4.11.3-200.fc25.x86_64 #1 SMP Thu May 25 19:03:07 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The same set of commands works fine on previous kernels
[root@zdtm ~]# iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
[root@zdtm ~]# iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP
[root@zdtm ~]# uname -a



Version-Release number of selected component (if applicable):


How reproducible:
100%


Steps to Reproduce:
1. unshare -n
2. iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
3. iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP

Actual results:
iptables returns the error and non-zero exit code

Expected results:
iptables exits with 0 without errors


Additional info:
Comment 1 Andrew Vagin 2017-06-07 14:59:30 EDT
[root@zdtm ~]# unshare -n
[root@zdtm ~]# iptables -w -t filter --protocol tcp -A INPUT --dport 12345 -j DROP
[root@zdtm ~]# iptables -w -t filter --protocol tcp -D INPUT --dport 12345 -j DROP
[root@zdtm ~]# echo $?
0
[root@zdtm ~]# uname -a
Linux zdtm.openvz.org 4.12.0-0.rc3.git0.2.fc27.x86_64+debug #1 SMP Tue May 30 19:21:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Comment 2 Florian Westphal 2017-06-21 04:45:21 EDT
This was fixed with
commit 324318f0248c31be8a08984146e7e4dd7cdd091d
netfilter: xtables: zero padding in data_to_user

I've sent a request to include it in 4.11.y to stable maintainers.
Comment 3 Andrew Vagin 2017-06-21 14:03:32 EDT
Florian, thank you
Comment 4 Fedora Update System 2017-06-26 17:50:21 EDT
kernel-4.11.7-300.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-44d91780a0
Comment 5 Fedora Update System 2017-06-26 17:51:55 EDT
kernel-4.11.7-200.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f852596f
Comment 6 Fedora Update System 2017-06-26 17:52:45 EDT
kernel-4.11.7-100.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbfb70fc1d
Comment 7 Fedora Update System 2017-06-27 13:20:43 EDT
kernel-4.11.7-100.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbfb70fc1d
Comment 8 Fedora Update System 2017-06-27 13:25:58 EDT
kernel-4.11.7-200.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f852596f
Comment 9 Fedora Update System 2017-06-27 16:25:15 EDT
kernel-4.11.7-300.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-44d91780a0
Comment 10 Fedora Update System 2017-06-29 20:49:50 EDT
kernel-4.11.7-200.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2017-06-30 10:53:37 EDT
kernel-4.11.8-100.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4880e0f183
Comment 12 Andrew Vagin 2017-06-30 14:56:47 EDT
4.11.7 works as expected, thanks.
Comment 13 Fedora Update System 2017-07-01 23:22:55 EDT
kernel-4.11.8-100.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4880e0f183
Comment 14 Fedora Update System 2017-07-03 20:20:55 EDT
kernel-4.11.8-100.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2017-07-07 18:59:54 EDT
kernel-4.11.7-300.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.