Issue closed by multun 5 years ago.
Can you show me some example code?
import iptc

# Look up the INPUT chain of the filter table
filter_table = iptc.Table('filter')
input_chain = {c.name: c for c in filter_table.chains}['INPUT']

# Source is given with host bits set (1.2.3.4/20 instead of 1.2.0.0/20)
new_rule = iptc.Rule()
new_rule.src = '1.2.3.4/20'
new_rule.target = iptc.Target(new_rule, "LOG")
input_chain.append_rule(new_rule)
That rule seemingly can't be removed using -D:
$ iptables-save | grep 1\.2\.3\.4
-A INPUT -s 1.2.3.4/20 -j LOG
$ iptables -D INPUT -s 1.2.3.4/20 -j LOG
iptables: No chain/target/match by that name.
$ iptables -A INPUT -s 1.2.3.4/20 -j LOG
$ iptables-save | grep 1\.2\..\..
-A INPUT -s 1.2.3.4/20 -j LOG
-A INPUT -s 1.2.0.0/20 -j LOG
$ iptables -D INPUT -s 1.2.3.4/20 -j LOG
Hi @multun thank you for spotting this! I have submitted PR https://github.com/ldx/python-iptables/pull/274 to address this issue.
The fix is now available in master
When adding a rule with, for example, source subnet src = 10.42.15.12/20, python-iptables doesn't simplify the subnet to 10.42.0.0/20, which causes netfilter to brainfart and not match anything at all. Is it somehow intended?
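Why an un-normalised address like 10.42.15.12/20 matches nothing, and why the later `iptables -D` in the transcript cannot find the rule, can be shown without touching a real firewall. The following is an added example, not code from python-iptables or from this thread; it emulates the kernel's (addr, mask) comparison with the standard library only, and assumes iptables' own userspace normalises the address before comparing it with stored rules, which is consistent with the transcript above.

```python
import ipaddress
from typing import Tuple

def parse_rule(cidr: str, normalise: bool = False) -> Tuple[int, int]:
    """Turn 'a.b.c.d/n' into the (addr, mask) pair netfilter stores.

    normalise=False keeps the host bits, reproducing what this issue reports;
    normalise=True clears them (10.42.15.12/20 becomes 10.42.0.0/20).
    """
    host, plen = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(host))
    if normalise:
        addr &= mask
    return addr, mask

def netfilter_match(rule: Tuple[int, int], packet_src: str) -> bool:
    """Kernel-side test for an IPv4 source match: (packet & mask) == addr."""
    addr, mask = rule
    return (int(ipaddress.IPv4Address(packet_src)) & mask) == addr

def rule_can_match(rule: Tuple[int, int]) -> bool:
    """A rule can only ever match if addr has no bits outside mask.

    With host bits set, (packet & mask) always has those bits cleared and
    can never equal addr, so the rule is dead for every packet.
    """
    addr, mask = rule
    return (addr & ~mask & 0xFFFFFFFF) == 0

def normalised_cidr(cidr: str) -> str:
    """What a fixed library should hand to the kernel for a given subnet."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address}/{net.prefixlen}"

if __name__ == "__main__":
    buggy = parse_rule("10.42.15.12/20")           # as stored by the old library
    fixed = parse_rule("10.42.15.12/20", normalise=True)
    print("buggy rule can match anything:", rule_can_match(buggy))   # False
    print("fixed rule matches 10.42.15.12:", netfilter_match(fixed, "10.42.15.12"))
    # iptables -D normalises '-s 1.2.3.4/20' first, so it looks for a rule
    # that differs from the un-normalised one python-iptables stored.
    print("delete would find stored rule:",
          parse_rule("1.2.3.4/20", normalise=True) == parse_rule("1.2.3.4/20"))
```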