apf restart not cleaning existing iptables rules causing number of rules to multiply.

[sunnydavis]

OS: Ubuntu 22.04

When restarting apf, the previously existing iptables rules are not cleaned and causing the rules to multiply.

root@db09-2:~# iptables -S | wc -l
17
root@db09-2:~# service apf start
root@db09-2:~# iptables -S | wc -l
1331
root@db09-2:~# service apf restart
root@db09-2:~# iptables -S | wc -l
2645
root@db09-2:~# service apf restart
root@db09-2:~# iptables -S | wc -l
3959
root@db09-2:~# service apf restart
root@db09-2:~# iptables -S | wc -l
5273

Since the apf is restarted each day (with cron), the rule accumulates and eventually cause system to not respond. I have several machines that has hundreds of thousands of rules, and iptables use up 100% CPU.

[jasonwee]

because apf did not get flush correctly as this file (/proc/net/ip_tables_names) is empty. read more here https://lists.debian.org/debian-user/2019/10/msg01046.html

you need to manually invoke iptables-legacy -L -n -t filter in order for /pro/net/ip_tables_names to be populated, then when you restart apf, it will flush the rules and chains as listed in /proc/net/ip_tables_names.

if you don't want to do it manually, u can create a wrapper script to flush iptables rules iptables -F before restart apf.

newer linux distro started to switch from iptables to nftables, i have make apf to support nftables, you can check it here https://github.com/jasonwee/advanced-policy-firewall BUT do NOTE that this is not tested, please feel free to use it and check if it really work.