Why does iptables rule deletion fail for rules with ipset match " --match-set"?

Solution Verified

Issue

  • Deletion of an iptables rule that uses an ipset match fails as follows when the rule is specified by its full rule specification:
[root@test ~]# iptables -t mangle -S test-mangle
-N test-mangle
-A test-mangle -m set --match-set foo dst -j ACCEPT 
[root@test ~]# iptables -t mangle -D test-mangle -m set --match-set foo dst -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
[root@test ~]#
  • However, the deletion works when the rule specification is replaced with the rule number:
[root@test ~]# iptables -t mangle -L test-mangle --line-numbers
Chain test-mangle (0 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            match-set foo dst
[root@test ~]# iptables -t mangle -D test-mangle 1
[root@test ~]# iptables -t mangle -L test-mangle --line-numbers
Chain test-mangle (0 references)
num  target     prot opt source               destination
[root@test ~]#
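Since deletion by rule number succeeds where deletion by specification does not, one defensive workaround is to look the rule up in the output of `iptables -t <table> -S <chain>` and delete it by its position. The following POSIX shell snippet is an added example, not part of the Red Hat solution; the function names `rule_index` and `delete_rule_by_spec` and the sample listing are assumptions constructed here, with the listing mirroring the article's own `-S` output.

```shell
#!/bin/sh
# Added example (not from the article): delete an iptables rule that uses an
# ipset match by line number instead of by rule specification, working around
# the "Bad rule" failure shown above.

# rule_index LISTING CHAIN SPEC
# LISTING is the text of `iptables -t TABLE -S CHAIN`. Prints the 1-based rule
# number of the first "-A CHAIN SPEC" line, or nothing if no rule matches.
# Only "-A" lines count as numbered rules; the leading "-N CHAIN" line does not.
rule_index() {
    listing=$1
    chain=$2
    spec=$3
    printf '%s\n' "$listing" | awk -v chain="$chain" -v spec="$spec" '
        $1 == "-A" && $2 == chain {
            n++
            line = $0
            # Strip the "-A <chain> " prefix and any trailing whitespace
            # (iptables -S prints a trailing space after some rules).
            sub(/^-A [^ ]+ */, "", line)
            sub(/ +$/, "", line)
            if (line == spec) { print n; exit }
        }'
}

# delete_rule_by_spec TABLE CHAIN SPEC
# Resolves SPEC to a rule number via `iptables -S` and deletes by number.
# Requires root and the iptables binary; SPEC must match the normalized form
# that `iptables -S` prints (e.g. "-m set --match-set foo dst -j ACCEPT").
delete_rule_by_spec() {
    table=$1
    chain=$2
    spec=$3
    listing=$(iptables -t "$table" -S "$chain") || return 1
    n=$(rule_index "$listing" "$chain" "$spec")
    if [ -z "$n" ]; then
        echo "no rule '$spec' found in table $table, chain $chain" >&2
        return 1
    fi
    iptables -t "$table" -D "$chain" "$n"
}

# Constructed sample listing in the format of `iptables -t mangle -S test-mangle`.
SAMPLE_LISTING='-N test-mangle
-A test-mangle -m set --match-set foo dst -j ACCEPT 
-A test-mangle -m set --match-set bar src -j DROP'

# Example usage on a live system (commented out; needs root):
# delete_rule_by_spec mangle test-mangle '-m set --match-set foo dst -j ACCEPT'
```

Because the lookup and the delete are two separate iptables calls, another process inserting or removing rules in the same chain in between could shift the numbering; run it under a lock (for example `flock`) or from a single administrative path if the chain is modified concurrently. Like `-D` by specification, this removes only the first matching rule.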

Environment

  • Red Hat Enterprise Linux 6
  • iptables
