Hello,

I'm having some troubles with a set of iptables rules. When setting the sequence with iptables everything is fine, but if I'm using iptables-restore, the wrong rules get removed at a certain point. This is the smallest subset of rules that I have been able to find that reproduces the problem. As you can see, when trying to remove the rules ending with 60007, the 60009 are removed.

Is this a bug, or do I misuse iptables-restore?

-------------------------
user@user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
test_POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
test_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain test_OUTPUT (1 references)
target prot opt source destination

Chain test_POSTROUTING (1 references)
target prot opt source destination

user@user-laptop:~$ sudo iptables-restore -n
*nat
-F
COMMIT
*mangle
-F
COMMIT
*nat
-X
COMMIT
*mangle
-X
COMMIT
*nat
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
-N test_OUTPUT
-I OUTPUT -j test_OUTPUT
COMMIT
*mangle
-N test_POSTROUTING
-I POSTROUTING -j test_POSTROUTING
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT
*mangle
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40000 -d 192.168.1.5 --dport 50000 -j DSCP --set-dscp 46
COMMIT
*nat
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60009
-I test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60009
COMMIT
*nat
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:60007
-D test_POSTROUTING -p udp -s 192.168.1.5 --sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:60007
COMMIT

user@user-laptop:~$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
test_POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
test_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain test_OUTPUT (1 references)
target prot opt source destination

Chain test_POSTROUTING (1 references)
target prot opt source destination
SNAT udp -- 192.168.1.5 192.168.1.5 udp spt:40001 dpt:50001 to:10.76.50.70:60007
SNAT udp -- 192.168.1.5 192.168.1.5 udp spt:50001 dpt:40001 to:192.168.1.1:60007
----------------------------------

Best Regards
Jacob Svensson
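A way to confirm the symptom reported above from two rule-set snapshots, as an added example that is not part of the original post or of the netfilter project: it compares the rules that actually vanished with the rules the `-D` lines named. The helper names `rule_key` and `audit_deletes` are hypothetical, the sample data is constructed from the rules in the post, and the snapshots are assumed to use the same option spelling as the restore input.

```python
import shlex
from collections import Counter

def rule_key(line):
    """Canonical key for a rule line: (chain, sorted (option, values) pairs)."""
    tok = shlex.split(line)
    chain, rest = tok[1], tok[2:]      # tok[0] is the action: -A, -I or -D
    opts, i = [], 0
    while i < len(rest):
        j = i + 1
        while j < len(rest) and not rest[j].startswith("-"):
            j += 1                      # collect this option's values
        opts.append((rest[i], tuple(rest[i + 1:j])))
        i = j
    return chain, tuple(sorted(opts))

def audit_deletes(before, after, deletes):
    """Compare the rules that vanished between two snapshots with the -D requests."""
    gone = Counter(map(rule_key, before)) - Counter(map(rule_key, after))
    wanted = Counter(map(rule_key, deletes))
    return {
        "wrongly_removed": sorted((gone - wanted).elements()),
        "still_present": sorted((wanted - gone).elements()),
    }

# Constructed sample data, built from the rules shown in the post.
P = "test_POSTROUTING -p udp -s 192.168.1.5 "
A = P + "--sport 50001 -d 192.168.1.5 --dport 40001 -j SNAT --to 192.168.1.1:{}"
B = P + "--sport 40001 -d 192.168.1.5 --dport 50001 -j SNAT --to 10.76.50.70:{}"
BEFORE = ["-A " + r.format(p) for p in (60007, 60009) for r in (A, B)]
AFTER = ["-A " + r.format(60007) for r in (A, B)]      # what the last listing shows
DELETES = ["-D " + r.format(60007) for r in (A, B)]    # what the -D lines asked for

if __name__ == "__main__":
    for kind, rules in audit_deletes(BEFORE, AFTER, DELETES).items():
        for chain, opts in rules:
            print(kind, chain, dict(opts)["--to"][0])
```

Snapshots taken with `iptables-save` spell some options differently from the restore input (for example `--to-source`), so normalise them to one spelling before comparing.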