Description of problem:
The version of iptables (1.8.11) packaged with Fedora 42 contains a bug that makes the iptables -C command return a 0 exit status for nonexistent rules. This breaks some applications, like docker.

Version-Release number of selected component (if applicable):
1.18.1

$ iptables -V
iptables v1.8.11 (nf_tables)

How reproducible:
always

Steps to Reproduce:
1. iptables -A INPUT -i eth_nonexist -j ACCEPT
2. iptables -C INPUT -i eth_nonexist -j ACCEPT; echo $?
3. iptables -C INPUT -i eth_nonexist_1 -j ACCEPT; echo $?

Actual results:
0
0

Expected results:
0
iptables: Bad rule (does a matching rule exist in that chain?).
1

Additional info:
This problem was fixed in upstream commit https://git.netfilter.org/iptables/commit/?id=40406dbfaefbc204134452b2747bae4f6a122848
Arch Linux patched this same problem: https://gitlab.archlinux.org/archlinux/packaging/packages/iptables/-/merge_requests/3
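
Added example, not part of the original report or of the iptables project: the reproduction steps above turned into a self-check that runs on a scratch chain instead of INPUT. The function name `ipt_check_reliable`, the chain name `CHECKPROBE_<pid>` and the return codes are assumptions made for this example; running it against the real `iptables` requires root.

```shell
#!/bin/sh
# Probe whether `iptables -C` can be trusted on this host.
# Works on a throwaway chain so the INPUT chain is never modified.
# Interface names are the ones from the report; the chain name is constructed.

# ipt_check_reliable [IPT_CMD]
#   returns 0  -C rejects a rule that was never added (behaves as expected)
#   returns 1  -C reports the missing rule as present (affected build)
#   returns 2  probe could not be set up (not root, command missing, ...)
ipt_check_reliable() {
    ipt=${1:-iptables}
    chain=CHECKPROBE_$$
    "$ipt" -N "$chain" 2>/dev/null || return 2
    rc=2
    if "$ipt" -A "$chain" -i eth_nonexist -j ACCEPT 2>/dev/null; then
        if ! "$ipt" -C "$chain" -i eth_nonexist -j ACCEPT 2>/dev/null; then
            rc=2    # the rule that does exist is not found: probe unusable
        elif "$ipt" -C "$chain" -i eth_nonexist_1 -j ACCEPT 2>/dev/null; then
            rc=1    # never added, yet -C exits 0
        else
            rc=0
        fi
    fi
    # Always remove the scratch chain again.
    "$ipt" -F "$chain" 2>/dev/null || true
    "$ipt" -X "$chain" 2>/dev/null || true
    return "$rc"
}

# Usage (as root):  ipt_check_reliable iptables; echo $?
```
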
Can confirm. Breaks docker functionality in Fedora 42.
To be more specific, this causes all docker containers on Fedora 42 to not have an internet connection, essentially breaking a lot of functionality. A lot of people are having this issue.
This breaks more than just docker, for me it breaks internet connectivity altogether, on a machine with a wired connection. Really hope there's a patch for this soon.
Yes same for me. Really annoying for docker. Downgrading to iptables from Fedora 41 unblocks this.
(In reply to Hugo Posnic from comment #4)
> Yes same for me. Really annoying for docker.
> Downgrading to iptables from fedora 41 unblock this

Not a bad idea. But you could probably just disable firewalld and switch to nftables directly until a patch is released.
I have tried to apply the upstream patch and can confirm it fixes the issue. I have used the following steps:

create and enter rpmbuild sources directory

1) mkdir -vp ~/rpmbuild/SOURCES
2) cd ~/rpmbuild/SOURCES

download source package

3) dnf download --source iptables

unpack rpm

4) rpm2archive iptables-1.8.11-4.fc42.src.rpm
5) tar -xvf iptables-1.8.11-4.fc42.src.rpm.tgz

download upstream patch

6) wget -O 40406dbfaefbc204134452b2747bae4f6a122848.patch 'https://git.netfilter.org/iptables/patch/?id=40406dbfaefbc204134452b2747bae4f6a122848'

insert patch in .spec file

7) sed -Ei 's/(^Source0:)/Patch0: 40406dbfaefbc204134452b2747bae4f6a122848.patch\n\1/g' iptables.spec

download dependencies for build

8) dnf builddep iptables.spec

build rpm

9) rpmbuild -ba iptables.spec

install patched RPMs

10) dnf reinstall ~/rpmbuild/RPMS/*/*.rpm
(In reply to pssgcsim from comment #6)
> I have tried to apply the upstream patch and can confirm it fixes the issue.
> I have used the following steps:
>
> create and enter rpmbuild sources directory
>
> 1) mkdir -vp ~/rpmbuild/SOURCES
> 2) cd ~/rpmbuild/SOURCES
>
> download source package
>
> 3) dnf download --source iptables
>
> unpack rpm
>
> 4) rpm2archive iptables-1.8.11-4.fc42.src.rpm
>
> 5) tar -xvf iptables-1.8.11-4.fc42.src.rpm.tgz
>
> download upstream patch
>
> 6) wget -O 40406dbfaefbc204134452b2747bae4f6a122848.patch
> 'https://git.netfilter.org/iptables/patch/
> ?id=40406dbfaefbc204134452b2747bae4f6a122848'
>
> insert patch in .spec file
>
> 7) sed -Ei 's/(^Source0:)/Patch0:
> 40406dbfaefbc204134452b2747bae4f6a122848.patch\n\1/g' iptables.spec
>
> download dependencies for build
>
> 8) dnf builddep iptables.spec
>
> build rpm
>
> 9) rpmbuild -ba iptables.spec
>
> install patched RPMs
>
> 10) dnf reinstall ~/rpmbuild/RPMS/*/*.rpm

So I followed this successfully, rebooted and still I am stuck.

[rami] ~ % ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 192.168.1.122 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.1.122 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.1.122 icmp_seq=3 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2072ms

I tried using nftables without firewalld, I tried reverting to iptables-legacy.. nothing works.

For me to be able to get a connection after boot I must run:

sudo iptables -F
sudo nft flush ruleset

I still don't really know what is the cause of this problem.
(In reply to pssgcsim from comment #6)
> I have tried to apply the upstream patch and can confirm it fixes the issue.
> I have used the following steps:
>
> create and enter rpmbuild sources directory
>
> 1) mkdir -vp ~/rpmbuild/SOURCES
> 2) cd ~/rpmbuild/SOURCES
>
> download source package
>
> 3) dnf download --source iptables
>
> unpack rpm
>
> 4) rpm2archive iptables-1.8.11-4.fc42.src.rpm
>
> 5) tar -xvf iptables-1.8.11-4.fc42.src.rpm.tgz
>
> download upstream patch
>
> 6) wget -O 40406dbfaefbc204134452b2747bae4f6a122848.patch
> 'https://git.netfilter.org/iptables/patch/
> ?id=40406dbfaefbc204134452b2747bae4f6a122848'
>
> insert patch in .spec file
>
> 7) sed -Ei 's/(^Source0:)/Patch0:
> 40406dbfaefbc204134452b2747bae4f6a122848.patch\n\1/g' iptables.spec
>
> download dependencies for build
>
> 8) dnf builddep iptables.spec
>
> build rpm
>
> 9) rpmbuild -ba iptables.spec
>
> install patched RPMs
>
> 10) dnf reinstall ~/rpmbuild/RPMS/*/*.rpm

Can also confirm that these steps and the listed patch solve the problem on Fedora 42 in docker containers.
Hey folks. I'll try and get an update pushed here this morning if I can...
FEDORA-2025-7f0b72a28a (iptables-1.8.11-6.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-7f0b72a28a
FEDORA-2025-4c37f9fd93 (iptables-1.8.11-5.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-4c37f9fd93
FEDORA-2025-7f0b72a28a (iptables-1.8.11-6.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.
Just coming back to say that my issue was actually related to strict VPN settings in my router. I'm an idiot. But it was this thread that was helpful in pointing me in the right direction so thanks.
FEDORA-2025-4c37f9fd93 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4c37f9fd93`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-4c37f9fd93

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-4c37f9fd93 (iptables-1.8.11-5.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.