iptc.errors.XTablesError: b'recent'.x6_fcheck has failed

I tried adding a rule with iptc.easy.add_rule(table, chain, rule_d) which has got a 'recent' match, but end up either with the error iptc.errors.XTablesError: b'recent'.x6_fcheck has failed if the name attribute is given as first argument or with an iptables rule with name DEFAULT instead of the one i've given it.

the rule as dictionary which produces the rule below:
>>> rule_d = {'protocol': 'udp', 'recent': {'mask': '255.255.255.255', 'update': '', 'seconds': '60', 'rsource': '', 'name': 'UDP-PORTSCAN'}, 'target': {'REJECT':{'reject-with': 'icmp-port-unreachable'}}}

and the result.
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: DEFAULT side: source mask: 255.255.255.255 reject-with icmp-port-unreachable

the rule as dictionary which produces the error iptc.errors.XTablesError: b'recent'.x6_fcheck has failed

>>> rule_d = {'protocol': 'udp', 'recent': {'name': 'UDP-PORTSCAN', 'mask': '255.255.255.255', 'update': '', 'seconds': '60', 'rsource': ''}, 'target': {'REJECT':{'reject-with': 'icmp-port-unreachable'}}}

I digged into the easy module and found that there's an AttributeError when calling _iptc_setattr_d(). That's because the Match object already got an instance attribute name = 'recent' and dynamically adding the attributename = 'UDP-PORTSCAN' in _iptc_setattr() with setattr(Match, 'name', 'UDP-PORTSCAN') fails. If that happens at the end of the parsing of rule_d every other attribute is set. So there's no error in the final check but the name couldn't be set and defaults name: DEFAULT.

[jllorente]

Hi @MaelStor , can you specify the full iptables command for your rule?
Did you try to get the dictionary representation of your rule via iptc.easy.dump_chain() ?

Hi @jllorente . I'm loading my rules from a yaml file and apply them in a python script. But to reproduce the error within the python console as root:

When name is the last key in the 'recent' dictionary and the FILTER INPUT chain is empty:

>>> import iptc
>>> rule_d = {'protocol': 'udp', 'recent': {'mask': '255.255.255.255', 'update': '', 'seconds': '60', 'rsource': '', 'name': 'UDP-PORTSCAN'}, 'target': {'REJECT':{'reject-with': 'icmp-port-unreachable'}}}
>>> iptc.easy.add_rule('filter', 'INPUT', rule_d)
>>> iptc.easy.get_rule('filter', INPUT', 1)
{'protocol': 'udp', 'recent': {'update': '', 'seconds': '60', 'name': 'DEFAULT', 'mask': '255.255.255.255', 'rsource': ''}, 'target': {'REJECT': {'reject-with': 'icmp-port-unreachable'}}}

When name is the first key in the 'recent' dictionary:

>>> import iptc
>>> rule_d = {'protocol': 'udp', 'recent': {'name': 'UDP-PORTSCAN', 'mask': '255.255.255.255', 'update': '', 'seconds': '60', 'rsource': ''}, 'target': {'REJECT':{'reject-with': 'icmp-port-unreachable'}}}
>>> iptc.easy.add_rule('filter', 'INPUT', rule_d)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/easy.py", line 74, in add_rule
    iptc_chain.append_rule(iptc_rule)
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/ip4tc.py", line 1459, in append_rule
    rule.final_check()
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/ip4tc.py", line 983, in final_check
    match.final_check()
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/ip4tc.py", line 340, in final_check
    self._final_check()  # subclasses override this
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/ip4tc.py", line 593, in _final_check
    self._xt.final_check_match(self._module)
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/xtables.py", line 869, in new
    return fn(*args)
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/xtables.py", line 1266, in final_check_match
    self._fcheck_match_new(match)
  File "/home/maelstor/.local/lib/python3.7/site-packages/iptc/xtables.py", line 1248, in _fcheck_match_new
    raise XTablesError("%s.x6_fcheck has failed" % (match.name))
iptc.errors.XTablesError: b'recent'.x6_fcheck has failed

[jllorente]

I need to look more carefully into it, but at at a first glance, modifying this function seems to work

def _iptc_setattr_d(object, value_d):
    for name, value in value_d.items():
        #_iptc_setattr(object, name, value)
        object.set_parameter(name, value)

Works perfect. Thanks :)

[jllorente]

Hi @MaelStor , I have addressed this issue in PR #283 , please have a look :)
I think the new code is much nicer, it makes use of set_parameter() for matches and targets and also obsoletes some private functions.

Hi @jllorente . I've checked out the PR, ran my ruleset with it and everythings in place. As far as I'm concerned I'm happy with it 👍