I think this is fixed in iptables git: https://git.netfilter.org/iptables/commit/?id=64e88114437072b29bed8aae9eb04ed5e773708f
BTW, iptables git has many fixes for Debian reported bugs (mostly since buster).

On Tue, 3 Sep 2019 at 15:30 Colin Watson <cjwat...@debian.org> wrote:
>
> Package: iptables
> Version: 1.8.3-2
> Severity: normal
>
> When running an i386 container on an amd64 host system, "iptables -D"
> fails to match existing rules correctly:
>
> # iptables -A OUTPUT -p tcp --dport 80 -j DROP
> # iptables -D OUTPUT -p tcp --dport 80 -j DROP
> iptables: Bad rule (does a matching rule exist in that chain?).
>
> Some gdb work revealed that this is because match_size is wrong: it's
> based on alignof(struct xt_align), and when adding a new rule the
> kernel's netfilter compat interfaces adjust match_size to account for
> the difference between userspace and kernel alignment, but this means
> that the size isn't what userspace expects when it tries to match
> existing rules.
>
> -- System Information:
> Debian Release: bullseye/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 5.2.0-10-generic (SMP w/1 CPU core)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages iptables depends on:
> ii  libc6                    2.28-10
> ii  libip4tc2                1.8.3-2
> ii  libip6tc2                1.8.3-2
> ii  libiptc0                 1.8.3-2
> ii  libmnl0                  1.0.4-2+b1
> ii  libnetfilter-conntrack3  1.0.7-2
> ii  libnfnetlink0            1.0.1-3+b1
> ii  libnftnl11               1.1.4-1
> ii  libxtables12             1.8.3-2
>
> Versions of packages iptables recommends:
> ii  nftables                 0.9.2-1
>
> Versions of packages iptables suggests:
> pn  kmod                     <none>
>
> -- no debconf information
>
> --
> Colin Watson [cjwat...@debian.org]
>
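The size arithmetic behind the report, as an added worked example (not code from the bug report, from Debian, or from the iptables/netfilter projects): XT_ALIGN() rounds a match blob up to the alignment of union xt_align, and that alignment differs between an i386 userspace and an amd64 kernel, so the match_size the two sides compute for the same "-p tcp --dport 80" match disagrees. The struct sizes and alignments are assumptions taken from reading the UAPI headers and are hardcoded so the program builds without kernel headers; the compat and delete paths are modelled only as far as the size comparison, which is what the report points at.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Assumed ABI constants (read from linux/netfilter/x_tables.h and
 * linux/netfilter/xt_tcpudp.h, hardcoded here rather than included):
 *   sizeof(struct xt_entry_match) == 32 on both ABIs (the union is
 *     dominated by the 29-byte extension name; 32 is a multiple of 4 and 8),
 *   sizeof(struct xt_tcp) == 12,
 *   __alignof__(union xt_align) == 4 on i386 (a __u64 needs only 4-byte
 *     alignment there) and 8 on amd64.
 */
enum abi { ABI_I386, ABI_AMD64 };

#define XT_ENTRY_MATCH_SIZE 32u /* sizeof(struct xt_entry_match), assumed */
#define XT_TCP_SIZE         12u /* sizeof(struct xt_tcp), assumed */

static size_t xt_align_of(enum abi a)
{
    return a == ABI_I386 ? 4 : 8;
}

/* XT_ALIGN(): round sz up to the ABI's alignment of union xt_align. */
static size_t xt_align(size_t sz, enum abi a)
{
    size_t al = xt_align_of(a);
    return (sz + al - 1) & ~(al - 1);
}

/* match_size an iptables binary built for ABI a writes into the rule blob
 * for a single "-p tcp --dport 80" match: aligned header plus payload. */
static size_t tcp_match_size(enum abi a)
{
    return xt_align(XT_ENTRY_MATCH_SIZE + XT_TCP_SIZE, a);
}

/* Size delta the kernel's compat layer applies when userspace of ABI user
 * sends the rule to a kernel of ABI kernel: the stored size is the
 * kernel-native one. Zero when both sides share an ABI. */
static long compat_size_delta(enum abi user, enum abi kernel)
{
    return (long)tcp_match_size(kernel) - (long)tcp_match_size(user);
}

/* The delete path's comparison, reduced to the one field the report names:
 * the stored rule's match_size must equal the size userspace computed for
 * the rule it is asking to delete. */
static bool delete_would_match(size_t wanted, size_t stored)
{
    return wanted == stored;
}

int main(void)
{
    long delta = compat_size_delta(ABI_I386, ABI_AMD64);
    size_t want = tcp_match_size(ABI_I386);
    size_t stored = (size_t)((long)want + delta);

    printf("i386 userspace computes match_size %zu\n", want);
    printf("amd64 kernel stores match_size     %zu (compat delta %ld)\n",
           stored, delta);
    printf("iptables -D compares %zu against %zu: %s\n", want, stored,
           delete_would_match(want, stored)
               ? "match"
               : "Bad rule (does a matching rule exist in that chain?)");
    /* Native amd64 userspace on the same kernel sees no delta, so -D works. */
    printf("amd64 userspace on amd64 kernel: compat delta %ld\n",
           compat_size_delta(ABI_AMD64, ABI_AMD64));
    return 0;
}
```

Run natively the program needs no privileges and no netfilter headers; it only reproduces the numbers. The real compat code also rewrites offsets and the per-extension payload, so treat the delta here as the header-level illustration of why the i386 side's expected size and the amd64 kernel's stored size diverge, not as a description of the iptables fix linked above.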