coreos / go-iptables

Go wrapper around iptables utility
Apache License 2.0

Exists() method returns false for existing rule. #79

Open siddhant94 opened 3 years ago

siddhant94 commented 3 years ago

I am using go-iptables v0.4.5. The following function returns false for existing rules:

// Exists checks if given rulespec in specified table/chain exists
func (ipt *IPTables) Exists(table, chain string, rulespec ...string) (bool, error) {

My application is deployed on a node running Ubuntu 20.04.1 LTS. For the args below, the Exists method returns false, whereas when I check manually I see the rule is there. table: filter, chain: CUSTOM_CHAIN, rule: [-m comment --comment "Comment text" -j ACCEPT]

Also, the List(table, chain) method call works as expected, and I am able to find my rule in its return value.

root@test-worker:/# iptables -t filter -C CUSTOM_CHAIN -m comment --comment "Comment text" -j ACCEPT
root@test-worker:/# echo $?
0

brandond commented 3 years ago

Copy-pasting from the above-linked K3s issue:

There appears to be a bug in Debian's nftables kernel support that prevents it from properly checking iptables rules; it seems to reorder the modules so that they cannot be checked for in the order originally input:

root@debian10:~# /usr/sbin/iptables -t filter -I KUBE-ROUTER-INPUT 2 -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -m comment --comment "allow LOCAL TCP traffic to node ports" -j RETURN
root@debian10:~# 

This works properly after running update-alternatives --set iptables /usr/sbin/iptables-legacy:

root@debian10:~# /usr/sbin/iptables -t filter -I KUBE-ROUTER-INPUT 2 -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m comment --comment "allow LOCAL TCP traffic to node ports" -m multiport --dports 30000:32767 -j RETURN
root@debian10:~# /usr/sbin/iptables -t filter -C KUBE-ROUTER-INPUT   -p tcp -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -m comment --comment "allow LOCAL TCP traffic to node ports" -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).
root@debian10:~#
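An order-insensitive existence check, added here as an example and not code from go-iptables or from either commenter: instead of `iptables -C` (which Exists wraps), it compares the wanted rulespec against the `-A <chain> ...` lines that List(table, chain) returns, which the reporter says does contain the rule, after sorting the `-m` match blocks so the reordering shown above no longer matters. The helper names tokenize, canonicalize and ruleExists, and the sampleList contents, are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// tokenize splits one line of `iptables -S` output (the format List returns)
// into arguments, undoing the double quotes and backslash escapes iptables
// prints for values with spaces or quotes, e.g. --comment "Comment text".
func tokenize(line string) []string {
	var toks []string
	var cur strings.Builder
	inQuote, escaped, have := false, false, false
	for _, r := range line {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == '"':
			inQuote = !inQuote
			have = true // "" is a legitimate empty argument
		case r == ' ' && !inQuote:
			if have {
				toks = append(toks, cur.String())
				cur.Reset()
				have = false
			}
		default:
			cur.WriteRune(r)
			have = true
		}
	}
	if have {
		toks = append(toks, cur.String())
	}
	return toks
}

// canonicalize turns a rulespec into a comparison key that ignores the order
// of "-m <module> ..." blocks: options before the first -m/-j/-g keep their
// order, each match block becomes one string, the blocks are sorted, and the
// target block goes last. Control characters separate tokens and blocks so a
// value containing spaces cannot collide with a token boundary.
func canonicalize(spec []string) string {
	var base, target []string
	var matches [][]string
	cur := &base
	for _, t := range spec {
		switch t {
		case "-m":
			matches = append(matches, []string{t})
			cur = &matches[len(matches)-1]
			continue
		case "-j", "-g":
			target = []string{t}
			cur = &target
			continue
		}
		*cur = append(*cur, t)
	}
	blocks := make([]string, 0, len(matches))
	for _, m := range matches {
		blocks = append(blocks, strings.Join(m, "\x1f"))
	}
	sort.Strings(blocks)
	return strings.Join(base, "\x1f") + "\x1e" +
		strings.Join(blocks, "\x1e") + "\x1e" +
		strings.Join(target, "\x1f")
}

// ruleExists reports whether rulespec is present in chain, judging by the
// "-A <chain> ..." lines of List(table, chain) rather than by `iptables -C`,
// which iptables-nft answers with "Bad rule" when the kernel stores the
// match modules in a different order than the rulespec names them.
func ruleExists(listed []string, chain string, rulespec ...string) bool {
	want := canonicalize(rulespec)
	prefix := "-A " + chain + " "
	for _, line := range listed {
		if !strings.HasPrefix(line, prefix) {
			continue
		}
		// Drop the leading "-A <chain>" before comparing.
		if canonicalize(tokenize(line)[2:]) == want {
			return true
		}
	}
	return false
}

// sampleList is a constructed stand-in for List("filter", "KUBE-ROUTER-INPUT")
// on an iptables-nft host: the kernel reports the comment match after
// multiport although it was inserted before it, as in the transcript above.
var sampleList = []string{
	"-N KUBE-ROUTER-INPUT",
	"-A KUBE-ROUTER-INPUT -m comment --comment \"Comment text\" -j ACCEPT",
	"-A KUBE-ROUTER-INPUT -p tcp -m addrtype --dst-type LOCAL -m multiport --dports 30000:32767 -m comment --comment \"allow LOCAL TCP traffic to node ports\" -j RETURN",
}

func main() {
	// The rulespec exactly as it was inserted with -I in the transcript above.
	spec := []string{"-p", "tcp", "-m", "addrtype", "--dst-type", "LOCAL",
		"-m", "comment", "--comment", "allow LOCAL TCP traffic to node ports",
		"-m", "multiport", "--dports", "30000:32767", "-j", "RETURN"}
	fmt.Println("inserted order found:", ruleExists(sampleList, "KUBE-ROUTER-INPUT", spec...))
	spec[len(spec)-1] = "DROP"
	fmt.Println("different target found:", ruleExists(sampleList, "KUBE-ROUTER-INPUT", spec...))
}
```

Two caveats when using this against real List output: `iptables -S` prints rules the way the kernel stores them, so a rulespec written with implicit matches (`-p tcp --dport 80`) has to be given in its expanded form (`-p tcp -m tcp --dport 80`) to compare equal, and the comparison is exact after normalization, so it is only as good as the rulespec you would otherwise have handed to Exists.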