iptables resets counter when rules are added

fmillion · 05-19-2011, 08:19 AM

Hello,

Whenever I add a rule to iptables, all of the policy counters reset. The counters for each individual rule remain intact, however, the main counter resets.

Here's what I mean:

Code:

[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 65M packets, 83G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 50M packets, 30G bytes)
 pkts bytes target     prot opt in     out     source               destination

[root] ~ # iptables -A INPUT -s 192.168.1.2 -j DROP
[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     192.168.1.2          anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

As you can see, when I added the rule, the counters under "policy" reset to 0. If I were to add another rule, the counters for the 192.168.1.2 rule would remain intact, but the counters for the policy would again be reset.

Code:

[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 12M packets, 14G bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  9210 DROP       all  --  any    any     192.168.1.2          anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8756K packets, 10G bytes)
 pkts bytes target     prot opt in     out     source               destination

[root] ~ # iptables -A INPUT -s 192.168.1.3 -j DROP
[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  9210 DROP       all  --  any    any     192.168.1.2          anywhere
    0     0 DROP       all  --  any    any     192.168.1.3          anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Is this expected behavior? Can it be fixed?

Code:

[root] ~ # iptables -V
iptables v1.4.10
[root] ~ # uname -a
Linux nas 2.6.36 #2 SMP Wed Nov 24 02:36:43 CET 2010 i686 i686 i386 GNU/Linux

Thank you!

-FM

andrewthomas · 05-19-2011, 11:14 AM

I use counters and have never had this problem.

What you could try is to use insert instead of add.

Code:

iptables -I INPUT 1 -s 192.168.1.2 -j DROP

fmillion · 05-19-2011, 11:51 AM

It appears to occur on insert as well. Anytime the rule chain is modified, in short, it seems to occur.

It's worth noting that adding rules to user-created chains doesn't affect the main chains. I could of course deal with this by using a kluge:

iptables -N INPUT2
iptables -A INPUT -j INPUT2

and working on INPUT2. But that's obviously a silly workaround...

It may be worth noting that this is an LFS system, and I compiled all components from scratch. I was going to check the Netfilter pages to see if this is referenced anywhere, but I believe I did that once before and came up empty-handed...

Further advice, anyone?