Open haeho7 opened 8 months ago
Alpine 3.19 container image reports an error when deleting iptables rules, but deleting it on the host is normal.
The process to reproduce the problem is as follows:
```
docker run -itd --name=alpine-319 --network=host --privileged=true alpine:3.19
docker exec -it alpine-319 sh
/ # apk add --no-cache iptables iptables-legacy ip6tables tzdata wireguard-tools=1.0.20210914-r3 wireguard-tools-doc=1.0.20210914-r3
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/24) Installing libmnl (1.0.5-r2)
(2/24) Installing libnftnl (1.2.6-r0)
(3/24) Installing libxtables (1.8.10-r3)
(4/24) Installing iptables (1.8.10-r3)
(5/24) Installing libip4tc (1.8.10-r3)
(6/24) Installing libip6tc (1.8.10-r3)
(7/24) Installing iptables-legacy (1.8.10-r3)
(8/24) Installing tzdata (2023d-r0)
(9/24) Installing wireguard-tools-wg (1.0.20210914-r3)
(10/24) Installing libcap2 (2.69-r1)
(11/24) Installing zstd-libs (1.5.5-r8)
(12/24) Installing libelf (0.190-r1)
(13/24) Installing iproute2-minimal (6.6.0-r0)
(14/24) Installing iproute2-tc (6.6.0-r0)
(15/24) Installing iproute2-ss (6.6.0-r0)
(16/24) Installing iproute2 (6.6.0-r0)
Executing iproute2-6.6.0-r0.post-install
(17/24) Installing ncurses-terminfo-base (6.4_p20231125-r0)
(18/24) Installing libncursesw (6.4_p20231125-r0)
(19/24) Installing readline (8.2.1-r2)
(20/24) Installing bash (5.2.21-r0)
Executing bash-5.2.21-r0.post-install
(21/24) Installing openresolv (3.13.2-r0)
(22/24) Installing wireguard-tools-wg-quick (1.0.20210914-r3)
(23/24) Installing wireguard-tools (1.0.20210914-r3)
(24/24) Installing wireguard-tools-doc (1.0.20210914-r3)
Executing busybox-1.36.1-r15.trigger
OK: 18 MiB in 39 packages
/ # iptables -V
iptables v1.8.10 (nf_tables)
```
```
/ # iptables -A FORWARD -i wg-vps -j ACCEPT; iptables -A FORWARD -o wg-vps -j ACCEPT
/ # iptables -t mangle -A POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
/ # iptables-save | grep wg
-A POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wg-vps -j ACCEPT
-A FORWARD -o wg-vps -j ACCEPT
/ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination
1433K  443M GFW_DEFENSE              0    --  *       *        0.0.0.0/0    0.0.0.0/0
    3   193 udp2rawDwrW_6c17f961_C0  6    --  *       *        0.0.0.0/0    0.0.0.0/0    tcp dpt:1800

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DOCKER-USER              0    --  *       *        0.0.0.0/0    0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1 0    --  *       *        0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  *       docker0  0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
    0     0 DOCKER                   0    --  *       docker0  0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  docker0 !docker0 0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  docker0 docker0  0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  wg-vps  *        0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  *       wg-vps   0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination

Chain DOCKER (1 references)
 pkts bytes target                   prot opt in      out      source       destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DOCKER-ISOLATION-STAGE-2 0    --  docker0 !docker0 0.0.0.0/0    0.0.0.0/0
    0     0 RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DROP                     0    --  *       docker0  0.0.0.0/0    0.0.0.0/0
    0     0 RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain GFW_DEFENSE (1 references)
 pkts bytes target                   prot opt in      out      source       destination
1406K  440M ACCEPT                   0    --  *       *        0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
 9462 1062K ACCEPT                   0    --  *       *        0.0.0.0/0    0.0.0.0/0    match-set gfw_defense_whitelist src
  387 20129 DROP                     0    --  *       *        0.0.0.0/0    0.0.0.0/0    match-set gfw_defense_blacklist src
17849 2741K RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain udp2rawDwrW_6c17f961_C0 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    3   193 DROP                     0    --  *       *        0.0.0.0/0    0.0.0.0/0
```
When executing `iptables -D FORWARD -o wg-vps -j ACCEPT`, an error is reported: `does a matching rule exist in that chain?`
```
/ # iptables -D FORWARD -i wg-vps -j ACCEPT
/ # iptables -D FORWARD -o wg-vps -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
/ # iptables -t mangle -D POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
/ # iptables-save | grep wg
-A FORWARD -o wg-vps -j ACCEPT
/ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination
1436K  444M GFW_DEFENSE              0    --  *       *        0.0.0.0/0    0.0.0.0/0
    3   193 udp2rawDwrW_6c17f961_C0  6    --  *       *        0.0.0.0/0    0.0.0.0/0    tcp dpt:1800

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DOCKER-USER              0    --  *       *        0.0.0.0/0    0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1 0    --  *       *        0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  *       docker0  0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
    0     0 DOCKER                   0    --  *       docker0  0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  docker0 !docker0 0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  docker0 docker0  0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   0    --  *       wg-vps   0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination

Chain DOCKER (1 references)
 pkts bytes target                   prot opt in      out      source       destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DOCKER-ISOLATION-STAGE-2 0    --  docker0 !docker0 0.0.0.0/0    0.0.0.0/0
    0     0 RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DROP                     0    --  *       docker0  0.0.0.0/0    0.0.0.0/0
    0     0 RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain GFW_DEFENSE (1 references)
 pkts bytes target                   prot opt in      out      source       destination
1408K  440M ACCEPT                   0    --  *       *        0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
 9483 1064K ACCEPT                   0    --  *       *        0.0.0.0/0    0.0.0.0/0    match-set gfw_defense_whitelist src
  388 20189 DROP                     0    --  *       *        0.0.0.0/0    0.0.0.0/0    match-set gfw_defense_blacklist src
17929 2752K RETURN                   0    --  *       *        0.0.0.0/0    0.0.0.0/0

Chain udp2rawDwrW_6c17f961_C0 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    3   193 DROP                     0    --  *       *        0.0.0.0/0    0.0.0.0/0
```
```
root@LAXB ~ # cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@LAXB ~ # uname -mrs
Linux 6.0.0-0.deb11.6-amd64 x86_64
root@LAXB ~ # docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  compose: Docker Compose (Docker Inc.)
    Version:  v2.16.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 6
  Running: 6
  Paused: 0
  Stopped: 0
 Images: 7
 Server Version: 23.0.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2456e983eb9e37e47538f59ea18f2043c9a73640
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.0.0-0.deb11.6-amd64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 471.9MiB
 Name: LAXB
 ID: 3f740c04-20c9-4621-9db2-8e33c2be088a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
root@LAXB ~ # docker-compose version
Docker Compose version v2.16.0
```
```
root@LAXB ~ # iptables-save | grep wg
-A FORWARD -o wg-vps -j ACCEPT
root@LAXB ~ # iptables -D FORWARD -o wg-vps -j ACCEPT
root@LAXB ~ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination
1451K  448M GFW_DEFENSE              all  --  *       *        0.0.0.0/0    0.0.0.0/0
    3   193 udp2rawDwrW_6c17f961_C0  tcp  --  *       *        0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DOCKER-USER              all  --  *       *        0.0.0.0/0    0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1 all  --  *       *        0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   all  --  *       docker0  0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
    0     0 DOCKER                   all  --  *       docker0  0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   all  --  docker0 !docker0 0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT                   all  --  docker0 docker0  0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in      out      source       destination

Chain DOCKER (1 references)
 pkts bytes target                   prot opt in      out      source       destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DOCKER-ISOLATION-STAGE-2 all  --  docker0 !docker0 0.0.0.0/0    0.0.0.0/0
    0     0 RETURN                   all  --  *       *        0.0.0.0/0    0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 DROP                     all  --  *       docker0  0.0.0.0/0    0.0.0.0/0
    0     0 RETURN                   all  --  *       *        0.0.0.0/0    0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    0     0 RETURN                   all  --  *       *        0.0.0.0/0    0.0.0.0/0

Chain GFW_DEFENSE (1 references)
 pkts bytes target                   prot opt in      out      source       destination
1423K  444M ACCEPT                   all  --  *       *        0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
 9536 1067K ACCEPT                   all  --  *       *        0.0.0.0/0    0.0.0.0/0    match-set gfw_defense_whitelist src
  393 20453 DROP                     all  --  *       *        0.0.0.0/0    0.0.0.0/0    match-set gfw_defense_blacklist src
18024 2766K RETURN                   all  --  *       *        0.0.0.0/0    0.0.0.0/0

Chain udp2rawDwrW_6c17f961_C0 (1 references)
 pkts bytes target                   prot opt in      out      source       destination
    3   193 DROP                     all  --  *       *        0.0.0.0/0    0.0.0.0/0
```
Alpine 3.19 container image information
```
root@LAXB ~ # docker image inspect alpine:3.19
[
    {
        "Id": "sha256:f8c20f8bbcb684055b4fea470fdd169c86e87786940b3262335b12ec3adef418",
        "RepoTags": [
            "alpine:3.19"
        ],
        "RepoDigests": [
            "alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2023-12-08T01:20:49.650406179Z",
        "Container": "f2f93a8109b6034cb27137e7cb0a77417b4d7529cde89524d455964455c0d23a",
        "ContainerConfig": {
            "Hostname": "f2f93a8109b6",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "#(nop) ",
                "CMD [\"/bin/sh\"]"
            ],
            "Image": "sha256:c068232ea3eea78e6800063b9b599c95911729d5c8dd2a2b737684998eefb10a",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {}
        },
        "DockerVersion": "20.10.23",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/sh"
            ],
            "Image": "sha256:c068232ea3eea78e6800063b9b599c95911729d5c8dd2a2b737684998eefb10a",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": null
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 7377066,
        "VirtualSize": 7377066,
        "GraphDriver": {
            "Data": {
                "MergedDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/merged",
                "UpperDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/diff",
                "WorkDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:5af4f8f59b764c64c6def53f52ada809fe38d528441d08d01c206dfb3fc3b691"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]
```
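An added example, not part of the issue above and not code from the Alpine or iptables projects: when `iptables -D CHAIN <spec>` answers "Bad rule" for a rule that `iptables-save` still lists, the rule can be removed positionally with `iptables -t TABLE -D CHAIN N`. The POSIX sh helper below derives `N` from `iptables-save` output by matching the exact rule specification, and builds the positional delete command. The function names, the sample ruleset (modelled on the `wg-vps` rules in the report) and its chain contents are constructed for illustration; nothing here explains why the spec-based delete fails in the container, it only gives a verifiable way to remove the rule and re-check.

```shell
#!/bin/sh
# Added example: positional deletion of an iptables rule when deletion by
# specification fails. Requires only POSIX sh and awk. Function names and the
# sample ruleset are constructed for this example.

# rule_index TABLE CHAIN SPEC < iptables-save-output
# Prints the 1-based position of the first rule in TABLE/CHAIN whose spec
# (everything after "-A CHAIN ") equals SPEC exactly; prints nothing if absent.
# The position is what `iptables -t TABLE -D CHAIN N` expects.
rule_index() {
    awk -v table="$1" -v chain="$2" -v spec="$3" '
        substr($0, 1, 1) == "*" { cur = substr($0, 2); next }   # "*filter" starts a table
        cur == table && $1 == "-A" && $2 == chain {
            n++                                                # count rules in this chain
            rest = $0
            sub(/^-A [^ ]+ /, "", rest)                        # strip "-A CHAIN "
            if (rest == spec) { print n; exit }
        }'
}

# delete_cmd TABLE CHAIN SPEC < iptables-save-output
# Prints the positional delete command for the rule, or returns 1 if no rule
# with that exact spec exists in the chain (so nothing is deleted blindly).
delete_cmd() {
    idx=$(rule_index "$1" "$2" "$3")
    [ -n "$idx" ] || return 1
    printf 'iptables -t %s -D %s %s\n' "$1" "$2" "$idx"
}

# Constructed sample in iptables-save format (not captured from a real host).
SAMPLE_RULESET='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i wg-vps -j ACCEPT
-A FORWARD -o wg-vps -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
'

# Stand-alone demonstration on the constructed ruleset.
printf '%s' "$SAMPLE_RULESET" | delete_cmd filter FORWARD '-o wg-vps -j ACCEPT'
```

On a live system the pipeline is `iptables-save | delete_cmd filter FORWARD '-o wg-vps -j ACCEPT'`, then run the printed command and confirm with `iptables-save | grep wg` that the rule is gone. Re-read the ruleset before every positional delete, because positions shift as rules are removed. If `iptables -V` reports `(nf_tables)` but rules were also loaded through the legacy backend, `iptables-legacy-save` must be checked separately, since the two backends do not see each other's rules.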