iptables-save -c shows incorrect counters with iptables-nft
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
iptables (Ubuntu) | Fix Released | Medium | Unassigned |
Impish | Won't Fix | Medium | Unassigned |
Jammy | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
Starting with Impish I noticed that the kernel selftest xfrm_policy.sh always fails. Initially I thought it was a kernel issue, but after debugging further I found that the reason is that Impish uses iptables-nft by default instead of iptables-legacy.
This test (./tools/
```sh
check_ipt_()
{
	ns=$1

	# Sample the per-rule counters of the "policy" rule, then zero them
	ip netns exec $ns iptables-save -c | grep policy | ( read c rest
		ip netns exec $ns iptables -Z
		if [ x"$c" = x'[0:0]' ]; then
			# counters were reset as expected
			exit 0
		fi
	)
}
```
If I use iptables-nft, the counters reported by iptables-save -c are never [0:0] after iptables -Z, as they should be, so the test fails. With iptables-legacy they are [0:0] and the test passes.
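The selftest above only looks at the single rule matching "policy". As an added example (not part of the bug report or the kernel selftest), the script below parses the `[pkts:bytes]` prefix that `iptables-save -c` puts in front of every rule line and reports whether any counter is still non-zero, which is the symptom this report describes. The two rulesets embedded in it are constructed samples: one as iptables-legacy prints it right after `iptables -Z`, one mimicking the stale counters seen with the affected iptables-nft. The function names `check_counters_zero` and `counters_zero_for` are my own.

```shell
# Read `iptables-save -c` output on stdin. Exit status:
#   0 - every rule counter is [0:0]
#   1 - at least one rule still has a non-zero packet or byte count
#   2 - no counter-bearing rule line was found at all
check_counters_zero() {
    awk '
        # Rule lines start with the counter pair, e.g. "[12:3456] -A INPUT ..."
        # Chain policy lines (":INPUT ACCEPT [0:0]") are deliberately skipped.
        /^\[[0-9]+:[0-9]+\] -A / {
            seen = 1
            split(substr($1, 2, length($1) - 2), c, ":")
            if (c[1] + 0 != 0 || c[2] + 0 != 0) nonzero = 1
        }
        END {
            if (!seen) exit 2
            if (nonzero) exit 1
            exit 0
        }
    '
}

# Constructed sample: what iptables-legacy reports right after "iptables -Z".
SAMPLE_ZEROED='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
[0:0] -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Constructed sample: the behaviour described in the report, where the rule
# counters survive "iptables -Z" under iptables-nft.
SAMPLE_STALE='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
[7:588] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
COMMIT'

# Select one of the embedded samples by name and run the check over it.
counters_zero_for() {
    case "$1" in
        zeroed) printf '%s\n' "$SAMPLE_ZEROED" | check_counters_zero ;;
        stale)  printf '%s\n' "$SAMPLE_STALE"  | check_counters_zero ;;
        *)      return 2 ;;
    esac
}

counters_zero_for zeroed && echo "zeroed: all rule counters are [0:0]"
counters_zero_for stale  || echo "stale: some rule counters were not reset (rc=$?)"
```

On a live system the same check runs as `iptables-save -c | check_counters_zero` immediately after `iptables -Z`; a non-zero exit status right after zeroing is exactly the discrepancy between iptables-legacy and the affected iptables-nft.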
[Test case]
tools/testing/
[Fix]
Apply iptables upstream commit:
5f1fcace ("iptables-nft: fix -Z option")
With this change the counters are also reported correctly with iptables-nft.
[Regression potential]
We may require other upstream commits now that the -Z option is working properly with iptables-nft.
tags: added: patch
Changed in iptables (Ubuntu Impish): importance: Undecided → Medium
Changed in iptables (Ubuntu Jammy): importance: Undecided → Medium
description: updated
Changed in iptables (Ubuntu Jammy): status: New → Fix Committed
Changed in iptables (Ubuntu Impish): status: Confirmed → In Progress
FYI, I've tested the latest iptables from https://git.netfilter.org/iptables/ and the test passes also with iptables-nft.