Bug 1512550 - iptables-save saves OUTPUT chain counters without "-c"
Summary: iptables-save saves OUTPUT chain counters without "-c"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Phil Sutter
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-13 13:40 UTC by Eduardo Minguez
Modified: 2017-11-14 10:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-14 10:38:31 UTC



Description Eduardo Minguez 2017-11-13 13:40:21 UTC
Description of problem:
According to the man page, iptables-save won't save the counters if you don't use the "-c" flag, but the OUTPUT chain includes the counters.

Version-Release number of selected component (if applicable):
iptables v1.4.21

How reproducible:
Run iptables-save and observe the output for the OUTPUT chain

Steps to Reproduce:
1. iptables-save | grep OUTPUT

Actual results:
:OUTPUT ACCEPT [193:20463]


Expected results:
:OUTPUT ACCEPT [0:0]


Additional info:
Any other chain is ok.

Comment 2 Phil Sutter 2017-11-13 14:00:53 UTC
Hi Eduardo,

The counters you're seeing are built-in chains' policy counters, i.e. packets/bytes which were handled by each chain's policy. To me it seems you can't turn them off (and they are present even if the '-c' flag is missing). The reason you see values only for OUTPUT is probably because all other chains have catch-all rules established, so no packet hits their policy.

To verify the above, please look at the 'iptables -vnL' output and check whether any built-in chain other than OUTPUT has non-zero counter values; I expect not.

If you pass '-c' flag to iptables-save, it will store each rule's counters (you can see them prepended to each rule in brackets).

Is there a problem with this behaviour? Do you have a use-case which justifies changing it?

Cheers, Phil
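
The distinction drawn in this comment, policy counters on the `:CHAIN POLICY [pkts:bytes]` lines versus per-rule counters that only appear with `-c`, can be checked mechanically. The following parser is an added example, not code from the bug report or from the iptables project; it runs over a constructed `iptables-save -c` dump (embedded inline, with a made-up timestamp and rule set) and reports which built-in chains have non-zero policy counters, which is the same question the `iptables -vnL` check above answers. It also shows what the same dump looks like with the per-rule counters stripped, as iptables-save emits it without `-c`, while the policy counters stay in place:

```python
import re

# Constructed sample of `iptables-save -c` output (not taken from the bug).
# Only OUTPUT has a non-zero policy counter; INPUT and FORWARD end in
# catch-all REJECT rules, so no packet ever reaches their policy.
SAMPLE_SAVE = """\
# Generated by iptables-save v1.4.21 on Mon Nov 13 14:00:00 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [193:20463]
:IN_public - [0:0]
[1204:98712] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -i lo -j ACCEPT
[17:1020] -A INPUT -j IN_public
[17:1020] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[17:1020] -A IN_public -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Nov 13 14:00:00 2017
"""

# ":CHAIN POLICY [pkts:bytes]" -- emitted with or without -c
POLICY_RE = re.compile(r'^:(\S+) (\S+) \[(\d+):(\d+)\]$')
# "[pkts:bytes] -A CHAIN ..." -- the bracket prefix only appears with -c
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] (-A \S+ .*)$')


def parse_save(text):
    """Split iptables-save text into per-table chain policies and rules.

    Returns {table: {"chains": {name: (policy, pkts, bytes)},
                     "rules": [(pkts, bytes, rule_text), ...]}}.
    Rules saved without -c (no leading bracket) are recorded as (0, 0).
    """
    tables = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith('*'):
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
            continue
        m = POLICY_RE.match(line)
        if m:
            name, policy, pkts, nbytes = m.groups()
            tables[table]["chains"][name] = (policy, int(pkts), int(nbytes))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, nbytes, rule = m.groups()
            tables[table]["rules"].append((int(pkts), int(nbytes), rule))
        elif line.startswith('-A '):
            tables[table]["rules"].append((0, 0, line))
    return tables


def chains_hitting_policy(tables, table='filter'):
    """Built-in chains whose policy counters are non-zero, i.e. chains in
    which some traffic fell through to the default policy instead of
    matching an explicit rule. User-defined chains carry policy '-' and
    are skipped, since they have no policy of their own."""
    hits = {}
    for name, (policy, pkts, nbytes) in tables[table]["chains"].items():
        if policy != '-' and (pkts or nbytes):
            hits[name] = (policy, pkts, nbytes)
    return hits


def strip_counters(text):
    """Rewrite a -c dump the way iptables-save emits it without -c: the
    per-rule bracket prefixes disappear, while the ':CHAIN' policy lines
    keep their counters (the behaviour this bug report is about)."""
    lines = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        lines.append(m.group(3) if m else line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_save(SAMPLE_SAVE)
    for chain, (pol, p, b) in chains_hitting_policy(parsed).items():
        print(f"{chain}: {p} packets / {b} bytes reached policy {pol}")
    print(strip_counters(SAMPLE_SAVE))
```

On a real host the input would be the output of `iptables-save -c` read from stdin or a file; the parser ignores the comment and `COMMIT` lines, so it also accepts a dump taken without `-c`, in which case every rule simply reports zero counters.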

Comment 3 Eduardo Minguez 2017-11-13 14:15:54 UTC
(In reply to Phil Sutter from comment #2)
> Hi Eduardo,
> 
> The counters you're seeing are builtin-chains' policy counters, i.e.
> packets/bytes which were handled by each chain's policy. To me it seems you
> can't turn them off (and they are present even if '-c' flag is missing). The
> reason you see values only for OUTPUT is probably because all other chains
> have catch-all rules established so no packet hits their policy.
> 
> To verify the above, please look at 'iptables -vnL' output and check whether
> any builtin chain other than OUTPUT has non-zero counter values, I expect
> not.
> 
> If you pass '-c' flag to iptables-save, it will store each rule's counters
> (you can see them prepended to each rule in brackets).
> 
> Is there a problem with this behaviour? Do you have a use-case which
> justifies changing it?
> 
> Cheers, Phil

Hi Phil,

Thank you for your quick answer. You are right about the catch all rules.

I was just curious about the meaning of those numbers and I found this "issue". I don't see any particular use-case to justify this; I just thought it was a minor bug where it should save the rules with [0:0] without the "-c" flag.

Comment 4 Phil Sutter 2017-11-14 10:38:31 UTC
Hi Eduardo,

(In reply to Eduardo Minguez from comment #3)
> Thank you for your quick answer. You are right about the catch all rules.
> 
> I was just curious about the meaning of those numbers and I found this
> "issue". I won't see any particular use-case to justify this, I just thought
> it was a minor bug where it should save the rules with [0:0] without the
> "-c" flag.

OK, I'll close this ticket then. We're planning to put iptables into maintenance mode for its successor nftables, so unless there is an actual need I'm reluctant to spend efforts on improvements (or minor nits like this one).

Of course, feel free to reopen in case you disagree. :)

Cheers, Phil

Comment 5 Eduardo Minguez 2017-11-14 10:44:52 UTC
(In reply to Phil Sutter from comment #4)
> Hi Eduardo,
> 
> (In reply to Eduardo Minguez from comment #3)
> > Thank you for your quick answer. You are right about the catch all rules.
> > 
> > I was just curious about the meaning of those numbers and I found this
> > "issue". I won't see any particular use-case to justify this, I just thought
> > it was a minor bug where it should save the rules with [0:0] without the
> > "-c" flag.
> 
> OK, I'll close this ticket then. We're planning to put iptables into
> maintenance mode for its successor nftables, so unless there is an actual
> need I'm reluctant to spend efforts on improvements (or minor nits like this
> one).
> 
> Of course, feel free to reopen in case you disagree. :)
> 
> Cheers, Phil

No worries and thanks for your clarifications.

