Alpine 3.19 container image delete iptables rule error (iptables: Bad rule (does a matching rule exist in that chain?).)
The Alpine 3.19 container image reports an error when deleting an iptables rule, but deleting the same rule on the host works normally.
The process to reproduce the problem is as follows:
- Start the Alpine 3.19 container image and install components.
docker run -itd --name=alpine-319 --network=host --privileged=true alpine:3.19
docker exec -it alpine-319 sh
/ # apk add --no-cache iptables iptables-legacy ip6tables tzdata wireguard-tools=1.0.20210914-r3 wireguard-tools-doc=1.0.20210914-r3
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/24) Installing libmnl (1.0.5-r2)
(2/24) Installing libnftnl (1.2.6-r0)
(3/24) Installing libxtables (1.8.10-r3)
(4/24) Installing iptables (1.8.10-r3)
(5/24) Installing libip4tc (1.8.10-r3)
(6/24) Installing libip6tc (1.8.10-r3)
(7/24) Installing iptables-legacy (1.8.10-r3)
(8/24) Installing tzdata (2023d-r0)
(9/24) Installing wireguard-tools-wg (1.0.20210914-r3)
(10/24) Installing libcap2 (2.69-r1)
(11/24) Installing zstd-libs (1.5.5-r8)
(12/24) Installing libelf (0.190-r1)
(13/24) Installing iproute2-minimal (6.6.0-r0)
(14/24) Installing iproute2-tc (6.6.0-r0)
(15/24) Installing iproute2-ss (6.6.0-r0)
(16/24) Installing iproute2 (6.6.0-r0)
Executing iproute2-6.6.0-r0.post-install
(17/24) Installing ncurses-terminfo-base (6.4_p20231125-r0)
(18/24) Installing libncursesw (6.4_p20231125-r0)
(19/24) Installing readline (8.2.1-r2)
(20/24) Installing bash (5.2.21-r0)
Executing bash-5.2.21-r0.post-install
(21/24) Installing openresolv (3.13.2-r0)
(22/24) Installing wireguard-tools-wg-quick (1.0.20210914-r3)
(23/24) Installing wireguard-tools (1.0.20210914-r3)
(24/24) Installing wireguard-tools-doc (1.0.20210914-r3)
Executing busybox-1.36.1-r15.trigger
OK: 18 MiB in 39 packages
/ # iptables -V
iptables v1.8.10 (nf_tables)
- Create iptables rules in the container.
/ # iptables -A FORWARD -i wg-vps -j ACCEPT; iptables -A FORWARD -o wg-vps -j ACCEPT
/ # iptables -t mangle -A POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
/ # iptables-save | grep wg
-A POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wg-vps -j ACCEPT
-A FORWARD -o wg-vps -j ACCEPT
/ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1433K 443M GFW_DEFENSE 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 193 udp2rawDwrW_6c17f961_C0 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1800
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- wg-vps * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * wg-vps 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain GFW_DEFENSE (1 references)
pkts bytes target prot opt in out source destination
1406K 440M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9462 1062K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_whitelist src
387 20129 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_blacklist src
17849 2741K RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp2rawDwrW_6c17f961_C0 (1 references)
pkts bytes target prot opt in out source destination
3 193 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
- Delete the iptables rules in the container. When deleting with iptables -D FORWARD -o wg-vps -j ACCEPT, the error "iptables: Bad rule (does a matching rule exist in that chain?)." is reported.
/ # iptables -D FORWARD -i wg-vps -j ACCEPT
/ # iptables -D FORWARD -o wg-vps -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
/ # iptables -t mangle -D POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
/ # iptables-save | grep wg
-A FORWARD -o wg-vps -j ACCEPT
/ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1436K 444M GFW_DEFENSE 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 193 udp2rawDwrW_6c17f961_C0 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1800
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * wg-vps 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain GFW_DEFENSE (1 references)
pkts bytes target prot opt in out source destination
1408K 440M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9483 1064K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_whitelist src
388 20189 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_blacklist src
17929 2752K RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp2rawDwrW_6c17f961_C0 (1 references)
pkts bytes target prot opt in out source destination
3 193 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
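One check an operator would want at this point, added here as an example that is not part of the report or of the iptables or Alpine tooling: instead of deleting by rule specification, locate the rule's position in the output of iptables -nvL FORWARD --line-numbers and build the equivalent delete-by-number command. The listing below is a constructed sample modelled on the FORWARD chain shown above (after the -i rule was removed); the function names are assumptions, and the block only prints the command rather than running it.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL FORWARD --line-numbers`, modelled on the
# FORWARD chain in this report after the -i wg-vps rule was removed (values constructed).
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     0    --  *      wg-vps  0.0.0.0/0            0.0.0.0/0'

# rule_numbers LISTING IN OUT TARGET
# Prints the position of every rule whose in/out interfaces and target match,
# one per line (nothing if no rule matches). The chain header and the column
# header are skipped; with --line-numbers the columns are:
# num pkts bytes target prot opt in out source destination [extra matches]
rule_numbers() {
  printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" -v tgt="$4" '
    NR > 2 && $4 == tgt && $7 == in_if && $8 == out_if { print $1 }'
}

# delete_cmds CHAIN LISTING IN OUT TARGET
# Prints one `iptables -D CHAIN N` command per match, highest position first so
# that removing one rule does not shift the numbers of the rules still to be removed.
# Only builds the commands; whether to run them is left to the operator.
delete_cmds() {
  chain=$1; listing=$2; shift 2
  rule_numbers "$listing" "$@" | sort -rn | while read -r n; do
    printf 'iptables -D %s %s\n' "$chain" "$n"
  done
}

# The rule that `iptables -D FORWARD -o wg-vps -j ACCEPT` failed to match by spec.
delete_cmds FORWARD "$SAMPLE_FORWARD" '*' wg-vps ACCEPT
```

On a live system, pass the real listing in and compare the printed command against iptables-save before running it; that delete-by-number succeeds where delete-by-spec failed is something to verify on the affected image, not something this report establishes.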
- The host environment information is as follows.
root@LAXB ~ # cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@LAXB ~ # uname -mrs
Linux 6.0.0-0.deb11.6-amd64 x86_64
root@LAXB ~ # docker info
Client:
Context: default
Debug Mode: false
Plugins:
compose: Docker Compose (Docker Inc.)
Version: v2.16.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 6
Running: 6
Paused: 0
Stopped: 0
Images: 7
Server Version: 23.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 2456e983eb9e37e47538f59ea18f2043c9a73640
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.0.0-0.deb11.6-amd64
Operating System: Debian GNU/Linux 11 (bullseye)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 471.9MiB
Name: LAXB
ID: 3f740c04-20c9-4621-9db2-8e33c2be088a
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
root@LAXB ~ # docker-compose version
Docker Compose version v2.16.0
- Deleting the corresponding iptables rule on the host works normally.
root@LAXB ~ # iptables-save | grep wg
-A FORWARD -o wg-vps -j ACCEPT
root@LAXB ~ # iptables -D FORWARD -o wg-vps -j ACCEPT
root@LAXB ~ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1451K 448M GFW_DEFENSE all -- * * 0.0.0.0/0 0.0.0.0/0
3 193 udp2rawDwrW_6c17f961_C0 tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain GFW_DEFENSE (1 references)
pkts bytes target prot opt in out source destination
1423K 444M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9536 1067K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_whitelist src
393 20453 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_blacklist src
18024 2766K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp2rawDwrW_6c17f961_C0 (1 references)
pkts bytes target prot opt in out source destination
3 193 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
- The Alpine 3.19 container image information is as follows.
root@LAXB ~ # docker image inspect alpine:3.19
[
{
"Id": "sha256:f8c20f8bbcb684055b4fea470fdd169c86e87786940b3262335b12ec3adef418",
"RepoTags": [
"alpine:3.19"
],
"RepoDigests": [
"alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48"
],
"Parent": "",
"Comment": "",
"Created": "2023-12-08T01:20:49.650406179Z",
"Container": "f2f93a8109b6034cb27137e7cb0a77417b4d7529cde89524d455964455c0d23a",
"ContainerConfig": {
"Hostname": "f2f93a8109b6",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh",
"-c",
"#(nop) ",
"CMD [\"/bin/sh\"]"
],
"Image": "sha256:c068232ea3eea78e6800063b9b599c95911729d5c8dd2a2b737684998eefb10a",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {}
},
"DockerVersion": "20.10.23",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh"
],
"Image": "sha256:c068232ea3eea78e6800063b9b599c95911729d5c8dd2a2b737684998eefb10a",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 7377066,
"VirtualSize": 7377066,
"GraphDriver": {
"Data": {
"MergedDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/merged",
"UpperDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/diff",
"WorkDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:5af4f8f59b764c64c6def53f52ada809fe38d528441d08d01c206dfb3fc3b691"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]