Duplicate iptables rules


Jack Yaz

Part of the Furniture
I've noticed that when restarting VPN clients, there's often duplicate rules in the main table for iptables, e.g.
Code:
-A iptfromlan -o eth0 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun11 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun12 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun11 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun12 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun11 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN

I've noticed that
Code:
-m account--aaddr
isn't actually valid, there should be a space between account and --aaddr, so I'm not sure why iptables reports it this way. (bug?)

That aside, I've created a little script to run via cru that removes duplicates, and wanted to share for comments/suggestions for improvement!

Code:
#!/bin/sh

# Dump the live ruleset, dropping exact-duplicate lines but always keeping
# COMMIT lines (they legitimately repeat once per table).
iptables-save | awk '/^COMMIT/ || !x[$0]++' > /tmp/iptables.bak
# Work around the account module printing its match name without a space,
# which would otherwise make iptables-restore reject the dump.
sed -i 's/account--aaddr/account --aaddr/g' /tmp/iptables.bak
# iptables-restore flushes every table in the file before reloading it.
iptables -F
iptables-restore < /tmp/iptables.bak

if [ -f /tmp/iptables.bak ] ; then
    rm -f /tmp/iptables.bak
fi
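An added example (not code from the thread) that extends the cleanup above: duplicates are tracked per table rather than across the whole dump, so an identical rule that legitimately appears in both nat and mangle is not dropped, the number of removed rules is reported for a cru health check, and the live ruleset is only rewritten if the cleaned dump passes iptables-restore's parse check. The sample dump is constructed, and apply_cleaned assumes an iptables build whose iptables-restore supports --test.

```shell
#!/bin/sh

# Constructed sample of an iptables-save dump showing the display bug and
# a duplicated tun11 rule (not the router's real output).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:iptfromlan - [0:0]
-A iptfromlan -o eth0 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan -j RETURN
-A iptfromlan -o tun11 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan -j RETURN
-A iptfromlan -o tun11 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j RETURN
COMMIT'

# Read a dump on stdin, fix the "account--aaddr" spelling, and drop exact
# duplicate lines. The seen set is reset at every "*table" header so the
# same rule in two different tables is kept; COMMIT is always kept.
dedupe_rules() {
    sed 's/account--aaddr/account --aaddr/g' |
    awk '/^\*/ { for (k in seen) delete seen[k] }
         /^COMMIT/ || !seen[$0]++'
}

# Report how many -A rule lines the cleanup would remove from the dump
# on stdin (0 means the ruleset is already clean).
count_duplicates() {
    _in=$(cat)
    _before=$(printf '%s\n' "$_in" | grep -c '^-A ' || true)
    _after=$(printf '%s\n' "$_in" | dedupe_rules | grep -c '^-A ' || true)
    echo $((_before - _after))
}

# Rewrite the live ruleset only when the cleaned dump parses; a dump that
# iptables-restore rejects would otherwise leave the router with no rules.
# Assumes iptables-restore --test is available on this firmware build.
apply_cleaned() {
    _tmp=$(mktemp /tmp/iptables.XXXXXX) || return 1
    iptables-save | dedupe_rules > "$_tmp"
    if iptables-restore --test "$_tmp"; then
        iptables-restore < "$_tmp"
        _rc=$?
    else
        echo "cleaned dump failed to parse, live rules left untouched" >&2
        _rc=1
    fi
    rm -f "$_tmp"
    return $_rc
}
```

Run `printf '%s\n' "$SAMPLE_DUMP" | count_duplicates` to see the audit count before scheduling apply_cleaned from cru.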
 
I think you've spotted a bug there. It didn't use to do that (back in 2016!).

I think the iptables command is being applied correctly but it doesn't display properly. Which means it can't be deleted, hence the ever-growing number of entries when the interface is restarted.

The same sort of problem affected the iptables webmon module in the past, but @john9527 managed to fix that.

I'm not sure how much attention @RMerlin gives to the account module nowadays as it isn't compatible with the new branch. But the bug is present in John's current fork as well.
 
It's a known issue. That kernel module is poorly written, and one of its unfixed flaws is that the function to remove existing rules doesn't work. That's why duplicate rules will appear when the service is restarted. This does not affect functionality.

Just getting it to work on 2.6.36 took me a couple of days of work at the time - looks like its author never actually tested his code under 2.6.36 despite having added support for it... The code is very hackish, poking at private kernel structures (which is no longer permitted under 3.x, which is why that module doesn't work at all on the HND platform).

When I tried to contact the author back then I never got any answer, so consider this module abandoned, unless someone knowledgeable with Netfilter and the Linux kernel can take over its development - that's not me.
 