Package: iptables
Version: 1.8.9-2
Severity: normal
Tags: ipv6 upstream
X-Debbugs-Cc: zoreda...@gmail.com
Dear Maintainer,

I am running docker. Some containers have published ports. Docker adds iptables rules to make this work. Since upgrading to bookworm, Docker is not adding the correct rules to my ipv6 tables. This worked perfectly fine on my bullseye system.

After viewing lots of the strace output and docker debug logs, I am pretty sure there is a bug in ip6tables-legacy. The `-C` option of ip6tables-legacy should return an exit code of 1 if a rule does not exist. On my bookworm system, it seems to return 0 no matter what.

# ip6tables-legacy --version
ip6tables v1.8.9 (legacy)
# ip6tables-legacy-save | grep DNAT
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
0
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
0

I manually built iptables v1.8.7 from source, installed it in an alternative directory, and used the 'alternatives' system to select my version, and that fixed my problem with docker published ports.

# ip6tables-legacy --version
ip6tables v1.8.7 (legacy)
# ip6tables-legacy-save | grep DNAT
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
0
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
ip6tables: No chain/target/match by that name.
1

Chris

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-11-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages iptables depends on:
ii  libc6                    2.36-9+deb12u1
ii  libip4tc2                1.8.9-2
ii  libip6tc2                1.8.9-2
ii  libmnl0                  1.0.4-3
ii  libnetfilter-conntrack3  1.0.9-3
ii  libnfnetlink0            1.0.2-2
ii  libnftnl11               1.2.4-2
ii  libxtables12             1.8.9-2
ii  netbase                  6.4

Versions of packages iptables recommends:
ii  nftables  1.0.6-2+deb12u1

Versions of packages iptables suggests:
pn  firewalld  <none>
pn  kmod       <none>

-- no debconf information
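The report above describes why an `-C` that never exits non-zero is more than a cosmetic bug: Docker, like most firewall scripts, uses the check-then-append idiom (`-C ... || -A ...`), so a `-C` that always says "present" means no rule is ever added. The script below is an added example, not part of Chris's report nor of iptables or Docker. It contains `ensure_rule` (the idiom), `probe_check` (a test that asks a given ip6tables binary about a rule that cannot exist and flags the binary as broken if `-C` exits 0), and, so that it runs without root or a kernel, a constructed stand-in for ip6tables with a "good" mode and a "buggy" mode that reproduces the always-0 behaviour. The probe rule (source fd00::dead:beef/128, tcp port 65535, filter/OUTPUT) is an arbitrary choice of mine; it uses only built-in matches so no extension module needs to load.

```shell
#!/bin/sh
# Added example, not part of the bug report or of iptables/Docker.

# ensure_rule BIN TABLE CHAIN RULE...: append RULE to CHAIN unless "-C" reports
# it already present. With a "-C" that always exits 0 this never appends
# anything, which is what broke the published ports in the report.
ensure_rule() {
    bin=$1 table=$2 chain=$3
    shift 3
    if "$bin" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                         # rule already present (or -C lies)
    fi
    "$bin" -t "$table" -A "$chain" "$@"
}

# probe_check BIN: exit 0 if BIN's "-C" exits non-zero for a rule that cannot
# exist, exit 1 if it claims that rule is present. The probe rule is an
# arbitrary, assumed-unused address/port pair using only built-in matches.
probe_check() {
    bin=$1
    if "$bin" -t filter -C OUTPUT -s fd00::dead:beef/128 -p tcp --dport 65535 -j DROP 2>/dev/null; then
        echo "BROKEN: $bin -C exited 0 for a rule that does not exist" >&2
        return 1
    fi
    echo "OK: $bin -C exits non-zero for a missing rule" >&2
    return 0
}

# make_fake_ip6tables DIR MODE: write a constructed stand-in for ip6tables to
# DIR and print its path. MODE=good: -C exits 1 unless the same rule was
# appended earlier (rules kept in DIR/rules-MODE). MODE=buggy: -C always
# exits 0, mimicking the 1.8.9 behaviour in the report. Not a real ip6tables.
make_fake_ip6tables() {
    dir=$1 mode=$2
    fake="$dir/ip6tables-$mode"
    cat > "$fake" <<EOF
#!/bin/sh
# constructed stub, not a real ip6tables
store="$dir/rules-$mode"
touch "\$store"
case "\$*" in
  *" -C "*)
    [ "$mode" = buggy ] && exit 0
    grep -qxF -- "\$*" "\$store" && exit 0
    echo "ip6tables: Bad rule (does a matching rule exist in that chain?)." >&2
    exit 1 ;;
  *" -A "*)
    printf '%s\n' "\$*" | sed 's/ -A / -C /' >> "\$store"
    exit 0 ;;
esac
exit 2
EOF
    chmod +x "$fake"
    echo "$fake"
}

# demo MODE: run a Docker-style flow (two DNAT rules, one of them requested
# twice) against the fake of the given MODE and print how many rules ended up
# in the chain: 2 with a correct -C, 0 with the always-0 -C.
demo() {
    mode=$1
    dir=$(mktemp -d)
    bin=$(make_fake_ip6tables "$dir" "$mode")
    probe_check "$bin" || true
    ensure_rule "$bin" nat DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination '[fd6c:d0ed:2749:2114::1:2]:443'
    ensure_rule "$bin" nat DOCKER -p tcp -m tcp --dport 80  -j DNAT --to-destination '[fd6c:d0ed:2749:2114::1:2]:80'
    ensure_rule "$bin" nat DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination '[fd6c:d0ed:2749:2114::1:2]:443'
    wc -l < "$dir/rules-$mode" | tr -d ' '
    rm -rf "$dir"
}

echo "rules present after check-then-add with a correct -C:  $(demo good)"
echo "rules present after check-then-add with an always-0 -C: $(demo buggy)"
# Against the real binary (needs root and a kernel with ip6tables):
#   probe_check ip6tables-legacy
```

Running `probe_check ip6tables-legacy` as root on the affected system is a one-line reproducer that does not depend on Docker: a correct binary exits 1 for the probe rule, the behaviour in the report exits 0. Note the probe cannot distinguish "rule absent" from "chain or match unknown", since both are non-zero on a correct binary; it only detects the failure mode reported, a 0 where a non-zero is required.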