865898 – iptables: No chain/target/match by that name

Bug 865898 - iptables: No chain/target/match by that name

Summary: iptables: No chain/target/match by that name

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	18
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-12 18:38 UTC by Lance Lassetter
Modified:	2013-02-07 07:24 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-02-07 07:24:09 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
backtrace (1.25 KB, text/plain) 2012-10-17 11:11 UTC, Jiri Popelka	no flags	Details
snippet from /var/log/messages (12.64 KB, text/plain) 2012-10-25 09:25 UTC, Jiri Popelka	no flags	Details
View All

Description Lance Lassetter 2012-10-12 18:38:27 UTC

Description of problem:  firewall-cmd cannot delete rules (nat?)


Version-Release number of selected component (if applicable):

firewalld-0.2.7-1.fc18.noarch

How reproducible:

constant

Steps to Reproduce:

1.# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

2.# firewall-cmd --list-forward-ports
port=80:proto=tcp:toport=8080:toaddr=

3.# firewall-cmd --zone=public --remove-forward-port=port=80:proto=tcp:toport=8080
Error: COMMAND_FAILED: '/sbin/iptables -D PRE_ZONE_public_allow -t mangle -p tcp --dport 80 -j MARK --set-mark 0x64' failed: iptables: No chain/target/match by that name.

4.# firewall-cmd --list-ports
8080/tcp
  
Actual results:  Port open in public zone leaving hole in firewall.


Expected results:  Delete added open port.


Additional info:   Unable to delete the port forward rule in the GUI as well.

Comment 1 Jiri Popelka 2012-10-15 11:21:50 UTC

I'm not able to reproduce it here.
What's the output of 'rpm -q iptables' and 'uname -a' ?

Comment 2 Jiri Popelka 2012-10-17 11:11:08 UTC

Created attachment 628689 [details]
backtrace

I actually see something similar with kernel-3.6.1-1.fc17
kernel-3.5.6-1.fc17 is ok.

Comment 3 Jiri Popelka 2012-10-25 09:25:58 UTC

Created attachment 633236 [details]
snippet from /var/log/messages

Still occurs from time to time even with kernel 3.6.2-4.fc17.x86_64
This time I'm seeing it it after firewalld service restart.

Now
'iptables -t filter -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
returns 'iptables: No chain/target/match by that name.'
and I can see the attached lines in /var/log/messages

Comment 4 Jiri Popelka 2012-10-25 09:27:34 UTC

# iptables-save
*filter
:INPUT ACCEPT [4781:1563336]
:FORWARD ACCEPT [114:6840]
:OUTPUT ACCEPT [3916:988198]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
COMMIT

Comment 5 Thomas Woerner 2012-10-25 09:59:30 UTC

Reassigning to kernel. See attachment in comment 3.

Comment 6 Josh Boyer 2012-11-13 14:56:34 UTC

Neil, any ideas here?

Comment 7 Jiri Popelka 2013-02-07 07:24:09 UTC

I no longer see this on kernel-3.7.5-201.fc18.x86_64

Note You need to log in before you can comment on or make changes to this bug.