Exists() method returns false for existing rule. #79

Open
siddhant94 opened this issue Jan 4, 2021 · 1 comment

siddhant94 commented Jan 4, 2021

I am using go-iptables v0.4.5,
The following function returns false for existing rules.

// Exists checks if given rulespec in specified table/chain exists
func (ipt *IPTables) Exists(table, chain string, rulespec ...string) (bool, error) {

My application is deployed on a node running ubuntu 20.04.1 LTS release.
For the arguments below, the Exists method returns false, whereas when I check manually I see the rule there.
table: filter, Chain: CUSTOM_CHAIN, rule: [-m comment --comment "Comment text" -j ACCEPT]

Also, the List(table, chain) method call works as expected and I am able to find my rule in its return value.

root@test-worker:/# iptables -t filter -C CUSTOM_CHAIN -m comment --comment "Comment text" -j ACCEPT
root@test-worker:/# echo $?
0

brandond commented Mar 30, 2021

Copy-pasting from the above-linked K3s issue:

There appears to be a bug in Debian's nftables kernel support that prevents it from properly checking iptables rules; it seems to reorder the modules so that they cannot be checked for in the order originally input:

root@debian10:~# /usr/sbin/iptables -t filter -I KUBE-ROUTER-INPUT 2 -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -m comment --comment "allow LOCAL TCP traffic to node ports" -j RETURN
root@debian10:~# 

This works properly after running update-alternatives --set iptables /usr/sbin/iptables-legacy:

root@debian10:~# /usr/sbin/iptables -t filter -I KUBE-ROUTER-INPUT 2 -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -m comment --comment "allow LOCAL TCP traffic to node ports" -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
root@debian10:~# 
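The reordering described above means a positional comparison (iptables -C, and therefore Exists()) can miss a rule that List() plainly shows. As an added example, not code from this issue or from go-iptables, the following Go program checks for a rule order-insensitively over the lines List(table, chain) returns; it assumes those lines are in iptables -S form ("-A CHAIN ...") and that iptables prints the match values unchanged, which it does not guarantee for every match type (addresses, for instance, may come back normalized).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

func splitArgs(line string) (toks []string) { // tokenize an `iptables -S` line
	for i, seg := range strings.Split(line, `"`) {
		if i%2 == 1 { // odd segments are quoted values, e.g. --comment "a b"
			toks = append(toks, seg)
			continue
		}
		toks = append(toks, strings.Fields(seg)...)
	}
	return toks
}

// canonical: one group per option (-A, -p, -m, -j or "!" opens one, --long args attach), sorted.
func canonical(args []string) string {
	var groups, cur []string
	for _, a := range args {
		opens := a == "!" || (strings.HasPrefix(a, "-") && !strings.HasPrefix(a, "--"))
		if opens && len(cur) > 0 && !(len(cur) == 1 && cur[0] == "!") {
			groups = append(groups, strings.Join(cur, " "))
			cur = nil
		}
		cur = append(cur, a)
	}
	groups = append(groups, strings.Join(cur, " "))
	sort.Strings(groups)
	return strings.Join(groups, "\x00")
}

// RuleExistsUnordered: is rulespec (as passed to Exists) among List()'s "-A chain ..." lines?
func RuleExistsUnordered(listed []string, chain string, rulespec ...string) bool {
	want := canonical(append([]string{"-A", chain}, rulespec...))
	for _, line := range listed {
		if canonical(splitArgs(line)) == want {
			return true
		}
	}
	return false
}

func main() { // constructed sample of what List("filter", "CUSTOM_CHAIN") returns
	listed := []string{"-N CUSTOM_CHAIN", `-A CUSTOM_CHAIN -m comment --comment "Comment text" -j ACCEPT`}
	fmt.Println(RuleExistsUnordered(listed, "CUSTOM_CHAIN", "-m", "comment", "--comment", "Comment text", "-j", "ACCEPT"))
}
```

Because the match-module groups are compared as a set, the rule from the Debian session above matches whether addrtype, comment and multiport come back in the inserted order or the reordered one.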
