Why does iptables rule deletion fail for rules with the ipset match "--match-set"?
Issue
- Deleting an iptables rule that uses an ipset match fails as follows when the rule is given by its rule specification, even though the same specification was used to add it:
[root@test ~]# iptables -t mangle -S test-mangle
-N test-mangle
-A test-mangle -m set --match-set foo dst -j ACCEPT
[root@test ~]# iptables -t mangle -D test-mangle -m set --match-set foo dst -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
[root@test ~]#
- However, the deletion works when the rule specification is replaced with the rule number:
[root@test ~]# iptables -t mangle -L test-mangle --line-numbers
Chain test-mangle (0 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere match-set foo dst
[root@test ~]# iptables -t mangle -D test-mangle 1
[root@test ~]# iptables -t mangle -L test-mangle --line-numbers
Chain test-mangle (0 references)
num target prot opt source destination
[root@test ~]#
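The workaround above generalizes: list the chain with --line-numbers, pick out the rules that reference the set, and delete them by number. The script below is an added example and is not part of the Red Hat article; the helper names, the sample listing, and the table/chain/set arguments are assumptions made for illustration. It reads the listing on stdin so the parsing can be exercised offline on captured output, and it emits rule numbers in descending order, because deleting rule 1 renumbers every rule after it.

```bash
#!/bin/bash
# Added example (not from the Red Hat article): delete iptables rules that
# reference a given ipset by rule NUMBER rather than by rule specification,
# since "iptables -D <chain> -m set --match-set <set> ..." may fail with
# "Bad rule (does a matching rule exist in that chain?)".
#
# Assumptions (not from the original page): table, chain and set name are
# passed as arguments; the listing is in "iptables -L --line-numbers" format.

# Print the rule numbers of every rule whose match column contains
# "match-set <set> <flags>", highest number first. Reads the listing on stdin.
# A literal substring search (index) is used instead of a regex so that set
# names containing regex metacharacters such as "." are matched exactly, and
# "foo" does not match "foobar".
rule_numbers_for_set() {
    local set_name="$1"
    awk -v set="$set_name" '
        # skip the "Chain ..." banner and the "num target ..." header
        /^Chain / || /^num / { next }
        # data lines begin with the rule number
        $1 ~ /^[0-9]+$/ && index($0, "match-set " set " ") { nums[n++] = $1 }
        END {
            # descending order: deleting one rule must not shift the numbers
            # of the rules still to be deleted
            for (i = n - 1; i >= 0; i--) print nums[i]
        }
    '
}

# Delete all rules in <table>/<chain> that reference <set>, by rule number.
# -n avoids reverse DNS lookups that would otherwise slow the listing down.
# Requires root and a live netfilter; not run in the offline demonstration.
delete_rules_for_set() {
    local table="$1" chain="$2" set_name="$3" num
    for num in $(iptables -t "$table" -nL "$chain" --line-numbers \
                 | rule_numbers_for_set "$set_name"); do
        iptables -t "$table" -D "$chain" "$num"
    done
}

# Constructed sample listing (the same shape as the article's output, with
# -n addresses and a few extra rules) to demonstrate the parser offline.
SAMPLE_LISTING='Chain test-mangle (0 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set foo dst
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set bar src
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            match-set foo src
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set foobar dst'

# Prints "3" then "1": the two rules using set "foo", highest first.
printf '%s\n' "$SAMPLE_LISTING" | rule_numbers_for_set foo
```

Because deletion by number is positional, re-list the chain after the loop to confirm that nothing referencing the set remains; if another process edits the chain between the listing and the deletions, the numbers can go stale.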
Environment
- Red Hat Enterprise Linux 6
- iptables