From what I can tell the -C option of ip6tables-legacy has broken between v1.8.7 and v1.8.9.
I used docker to run different builds and versions of ip6tables-legacy. The container
is run against the host network and privileged. For each I show the version,
use ip6tables-legacy-save to show that a specific rule exists, and use -C
to check both the rule that does exist and a rule that doesn't exist.
docker run --rm -it --privileged --net host debian:bookworm-slim /bin/sh
# # iptables installed (apt-get update && apt-get -y install iptables) ...
# ip6tables-legacy --version
ip6tables v1.8.9 (legacy)
# ip6tables-legacy-save | grep DNAT
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
0
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
0

docker run --rm -it --privileged --net host debian:bullseye-slim /bin/sh
# # iptables installed (apt-get update && apt-get -y install iptables) ...
# ip6tables-legacy --version
ip6tables v1.8.7 (legacy)
# ip6tables-legacy-save | grep DNAT
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
0
# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
ip6tables: No chain/target/match by that name.
1

docker run --rm -it --privileged --net host archlinux:base /bin/sh
sh-5.1# ip6tables-legacy --version
ip6tables v1.8.9 (legacy)
sh-5.1# ip6tables-legacy-save | grep DNAT
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
sh-5.1# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
0
sh-5.1# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
0

docker run --rm -it --privileged --net host archlinux:base-20211226.0.42348 /bin/sh
sh-5.1# ip6tables-legacy --version
ip6tables v1.8.7 (legacy)
sh-5.1# ip6tables-legacy-save | grep DNAT
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
sh-5.1# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443 ; echo $?
0
sh-5.1# ip6tables-legacy -t nat -C DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:80 ; echo $?
ip6tables: No chain/target/match by that name.
1

Apparently this bug has already been discovered upstream, and fixed in the master branch, but hasn't made it to a release.
https://git.netfilter.org/iptables/commit/?id=78850e7dba64a949c440dbdbe557f59409c6db48
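As an added example (not part of this report or of iptables itself), a POSIX shell helper that checks for a rule by matching ip6tables-legacy-save output instead of trusting the -C exit status, plus a live probe that detects the behaviour shown above on whatever build is installed. The function names, the throwaway chain name and the sample save text are constructed here; the sample reuses the DNAT rule from the sessions above.

```shell
#!/bin/sh
# Added example: save-based rule check that does not depend on the -C exit
# status, and a live probe for a -C that returns 0 for a rule that does not exist.

# rule_in_save TABLE CHAIN RULE_SPEC
#   Reads ip6tables-legacy-save output on stdin and succeeds (exit 0) only if the
#   exact "-A CHAIN RULE_SPEC" line appears inside the "*TABLE" section.
#   RULE_SPEC must be in the normalized form that -save prints (e.g. "-m tcp").
rule_in_save() {
    awk -v table="*$1" -v want="-A $2 $3" '
        /^\*/                  { in_table = ($0 == table); next }
        in_table && $0 == want { found = 1; exit }
        END                    { exit !found }
    '
}

# Constructed sample of ip6tables-legacy-save output (not captured from a host).
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination [fd6c:d0ed:2749:2114::1:2]:443
COMMIT'

# check_sample_rule TABLE CHAIN RULE_SPEC: runs rule_in_save over the sample;
# exit 0 = rule present, 1 = absent.
check_sample_rule() {
    printf '%s\n' "$SAMPLE_SAVE" | rule_in_save "$1" "$2" "$3"
}

# probe_check_flag: live test of the installed ip6tables-legacy (needs root and an
# IPv6 netfilter stack). Prints "broken" if -C succeeds for a rule that was never
# added, "ok" otherwise. Uses a throwaway chain so no real rule is touched.
probe_check_flag() {
    chain="PROBE_C_$$"
    ip6tables-legacy -t nat -N "$chain" || return 2
    ip6tables-legacy -t nat -A "$chain" -p tcp -m tcp --dport 443 -j RETURN
    if ip6tables-legacy -t nat -C "$chain" -p tcp -m tcp --dport 80 -j RETURN 2>/dev/null; then
        echo broken
    else
        echo ok
    fi
    ip6tables-legacy -t nat -F "$chain" && ip6tables-legacy -t nat -X "$chain"
}
```

On an affected build, `ip6tables-legacy-save | rule_in_save nat DOCKER "<spec>"` gives the answer that -C should have given; `probe_check_flag` tells you whether -C can be trusted before any script relies on it.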