Opened 3 years ago
Closed 2 years ago
#1432 closed (fixed)
iptables -D <chain> <rule> doesn't work on K26
| Reported by: | frater | Owned by: | somebody |
|---|---|---|---|
| Keywords: | | Cc: | elsdoerfer |
Description
iptables -D <chain> <rulenumber> does work. iptables -D <chain> <rule> does NOT work.
The K24 builds do not have this problem.
It may have something to do with changeset http://svn.dd-wrt.com:8000/dd-wrt/changeset/13527. It is confirmed to work on K24 builds.
The rule is not deleted after issuing the command iptables -D test -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -N test
iptables -A test -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -nL test
Chain test (0 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
iptables -D test -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -nL test
Chain test (0 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
iptables -D test 1
iptables -nL test
Chain test (0 references)
target prot opt source destination
iptables -X test
Attachments (1)
Change History (13)
comment:1 Changed 3 years ago by dc
- milestone set to v24 final
- severity set to thoughtliu
- version set to 2.0
comment:2 Changed 3 years ago by frater
http://svn.dd-wrt.com:8000/dd-wrt/ticket/1351
The bug was mentioned here as well
comment:4 Changed 3 years ago by phuzi0n
- Resolution set to worksforme
- Status changed from new to closed
I'm not sure when exactly this was fixed but it's working fine for me now on DD-WRT v24-sp2 (05/21/10) big - build 14471M NEWD-2 K2.6 Eko
comment:5 Changed 3 years ago by frater
- Resolution worksforme deleted
- Status changed from closed to reopened
It doesn't pass the test I gave as an example (ESTABLISHED, RELATED). It did however delete a rule with '-p tcp --dport 25'
root@WDS:~# iptables -N test
root@WDS:~# iptables -A test -m state --state RELATED,ESTABLISHED -j ACCEPT
root@WDS:~#
root@WDS:~# iptables -nL test
Chain test (0 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
root@WDS:~# iptables -D test -m state --state RELATED,ESTABLISHED -j ACCEPT
root@WDS:~# iptables -nL test
Chain test (0 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
root@WDS:~# iptables -A test -p tcp --dport 25 -j ACCEPT
root@WDS:~# iptables -nL test
Chain test (0 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
root@WDS:~# iptables -D test -p tcp --dport 25 -j ACCEPT
root@WDS:~# iptables -nL test
Chain test (0 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
It's a shame I didn't test that other rule when I opened the ticket...
@phuzion: Can you test with exactly the same rules?
I tested both 14289 & 14684. So it doesn't work reliably and should not be used.
comment:6 Changed 3 years ago by phuzi0n
The example does still fail apparently, but most other rules can be deleted by specifying matching options.
comment:7 Changed 3 years ago by Kong
Hi guys, I have been following the problem with the ESTABLISHED,RELATED rule.
I don't have a forum account, so I just add this info here. Check out some interesting benchmark results concerning the forward rule for ESTABLISHED,RELATED:
comment:8 Changed 3 years ago by elsdoerfer
- Cc elsdoerfer added
comment:9 Changed 2 years ago by fractal
Confirmed as of 17027 that this bug still exists.
The iptables --delete <chain> <rule> syntax is broken.
The only part that works on K26 is -D <rulenumber>.
K24: all functions working.
comment:10 Changed 2 years ago by philocompute
More specifically, as of 17027:
iptables -D <rule-specification>
does not work.
iptables -D <rule-num>
does work. I have also gone back and confirmed that these rules do work as advertised on a 2.4-kernel-based model (on a WRT54GL with firmware from 2010).
Example: This is just one example. I have tried several variations of this kind of thing, and all point to -D <rule-specification> not working.
root@e3000USB:/opt# iptables -N test_chain -t nat
root@e3000USB:/opt# iptables -L POSTROUTING -t nat -n -v
Chain POSTROUTING (policy ACCEPT 14 packets, 1450 bytes)
pkts bytes target prot opt in out source destination
283 19635 SNAT 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:10.13.2.129
0 0 RETURN 0 -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 MASQUERADE 0 -- * vlan2 192.168.180.0/24 0.0.0.0/0
root@e3000USB:/opt# iptables -I POSTROUTING -t nat -s 0.0.0.0/0 -d 0.0.0.0/0 -j test_chain
root@e3000USB:/opt# iptables -L POSTROUTING -t nat -n -v
Chain POSTROUTING (policy ACCEPT 14 packets, 1450 bytes)
pkts bytes target prot opt in out source destination
0 0 test_chain 0 -- * * 0.0.0.0/0 0.0.0.0/0
283 19635 SNAT 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:10.13.2.129
0 0 RETURN 0 -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 MASQUERADE 0 -- * vlan2 192.168.180.0/24 0.0.0.0/0
root@e3000USB:/opt# iptables -D POSTROUTING -t nat -s 0.0.0.0/0 -d 0.0.0.0/0 -j test_chain
root@e3000USB:/opt# iptables -L POSTROUTING -t nat -n -v
Chain POSTROUTING (policy ACCEPT 14 packets, 1450 bytes)
pkts bytes target prot opt in out source destination
0 0 test_chain 0 -- * * 0.0.0.0/0 0.0.0.0/0
283 19635 SNAT 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:10.13.2.129
0 0 RETURN 0 -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 MASQUERADE 0 -- * vlan2 192.168.180.0/24 0.0.0.0/0
root@e3000USB:/opt# iptables -D POSTROUTING -t nat -p -i -o -s 0.0.0.0/0 -d 0.0.0.0/0 -j test_chain
root@e3000USB:/opt# iptables -L POSTROUTING -t nat -n -v
Chain POSTROUTING (policy ACCEPT 14 packets, 1450 bytes)
pkts bytes target prot opt in out source destination
0 0 test_chain 0 -- * * 0.0.0.0/0 0.0.0.0/0
283 19635 SNAT 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:10.13.2.129
0 0 RETURN 0 -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 MASQUERADE 0 -- * vlan2 192.168.180.0/24 0.0.0.0/0
root@e3000USB:/opt# iptables -D POSTROUTING 1 -t nat
root@e3000USB:/opt# iptables -L POSTROUTING -t nat -n -v
Chain POSTROUTING (policy ACCEPT 14 packets, 1450 bytes)
pkts bytes target prot opt in out source destination
283 19635 SNAT 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0 to:10.13.2.129
0 0 RETURN 0 -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 MASQUERADE 0 -- * vlan2 192.168.180.0/24 0.0.0.0/0
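Since the thread consistently finds that deleting by rule number works on K26 while deleting by rule specification does not, a practical workaround is to resolve the specification to its position first and delete by number. The following shell helper is an added example, not code from the ticket or from DD-WRT: it parses `iptables -S <chain>` output (one `-A <chain> <spec>` line per rule, in chain order) to find the 1-based position of a rule, and a wrapper then calls `iptables -D <chain> <n>`. The `SAMPLE_RULES` listing is constructed for the demonstration, and the `TABLE`/`IPTABLES` environment variables are conventions of this example only.

```sh
#!/bin/sh
# Added example, not code from the ticket or from DD-WRT: resolve an iptables
# rule specification to its 1-based position in a chain by parsing `iptables -S`
# output, so the rule can be removed with `iptables -D <chain> <n>` (the form
# the ticket reports as working on K26) instead of `iptables -D <chain> <spec>`.

# Constructed sample of what `iptables -t filter -S test` prints. Note that -S
# emits rules in canonical form: "-p tcp --dport 25" as typed by the user comes
# back as "-p tcp -m tcp --dport 25", so specs must be given in that form.
SAMPLE_RULES='-N test
-A test -m state --state RELATED,ESTABLISHED -j ACCEPT
-A test -p tcp -m tcp --dport 25 -j ACCEPT'

# rule_number CHAIN SPEC...
# Reads an `iptables -S` listing on stdin and prints the 1-based position of
# the first rule in CHAIN whose specification equals SPEC (arguments joined by
# single spaces). Exit status 1 when no rule matches, so a caller never
# deletes some other rule by accident.
rule_number() {
    chain=$1
    shift
    spec="$*"
    awk -v chain="$chain" -v spec="$spec" '
        $1 == "-A" && $2 == chain {
            n++
            prefix = "-A " chain " "
            rest = substr($0, length(prefix) + 1)
            if (rest == spec) { print n; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# delete_by_spec CHAIN SPEC...
# Looks the rule up in the live ruleset and deletes it by number. TABLE selects
# the table (default filter); IPTABLES allows substituting another binary.
# Positions shift after every deletion, so the lookup is repeated immediately
# before each delete rather than computed once for a batch.
delete_by_spec() {
    chain=$1
    shift
    n=$("${IPTABLES:-iptables}" -t "${TABLE:-filter}" -S "$chain" |
        rule_number "$chain" "$@") || return 1
    "${IPTABLES:-iptables}" -t "${TABLE:-filter}" -D "$chain" "$n"
}

# Stand-alone demonstration on the constructed listing (no iptables needed);
# prints 2, the position of the SMTP rule in the sample chain.
printf '%s\n' "$SAMPLE_RULES" | rule_number test -p tcp -m tcp --dport 25 -j ACCEPT
```

For the nat example earlier in this comment the call would be `TABLE=nat delete_by_spec POSTROUTING -j test_chain`, because `-S` drops the redundant `-s 0.0.0.0/0 -d 0.0.0.0/0` and prints only `-A POSTROUTING -j test_chain`; matching against exactly what `-S` prints is what makes the lookup unambiguous. A spec in the non-canonical form the user typed returns no match and the delete is skipped, which is the safe failure mode when the goal is to remove a firewall rule on a router.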
comment:11 Changed 2 years ago by philocompute
comment:12 Changed 2 years ago by frater
- Resolution set to fixed
- Status changed from reopened to closed

This problem still exists on R14205 K26 using std-nokaid-small on a wrt160nv3 router.