[Bug 104] Bytes/packets counters sometimes give incorrect values

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Sat, 29 May 2004 23:45:28 +0200


------- Additional Comments From gandalf@netfilter.org  2004-05-29 23:45 -------
iptables calls getsockopt() twice, first with SO_GET_INFO which locks the table
in kernel and returns some info and then unlocks the table, among that info is
the size of the table.
Then iptables allocates memory and calls getsockopt() again but with
SO_GET_ENTRIES to get the table, and it passes in the size it got from the first
getsockopt() call. SO_GET_ENTRIES also locks the table, then it calls
get_entries() which compares the passed in size with the actual current size of
the table and returns -EINVAL if they don't match.

I checked and that's what happens. A simple loop that adds/removes rules at the
same time as one tries to list the rules reproduces it easily.
SO_GET_INFO unlocks the table after it's done and then a rule is either added or
deleted and then we call SO_GET_ENTRIES which checks the size we passed in and
it differs... abort.

I wonder if we can detect that somehow and retry the entire thing automatically
a few times. getsockopt() doesn't return an error...

Output from net/ipv4/netfilter/iptables.c during the add/remove loop:

get_entries: I've got 2328 not 2176!
get_entries: I've got 2328 not 2176!
get_entries: I've got 2176 not 2328!

There might be more problems than these, more testing needed.
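
The race described in this comment, with the bounded retry it wonders about, as an added example that is not part of the original comment and is not iptables or kernel code. It is a user-space simulation: `sim_get_info()`, `sim_get_entries()`, `concurrent_writer()` and `snapshot_table()` are hypothetical names, and the two sizes are the ones from the debug output above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated kernel state (constructed; stands in for the real ruleset blob). */
static unsigned char table_blob[4096];
static unsigned int table_size = 2176;
static int writer_budget = 2;   /* number of concurrent rule changes to inject */

/* Simulated add/remove loop: flips the table between the two logged sizes. */
static void concurrent_writer(void) {
    if (writer_budget > 0) {
        writer_budget--;
        table_size = (table_size == 2176) ? 2328 : 2176;
    }
}

/* Models SO_GET_INFO: lock, report the current size, unlock. */
static unsigned int sim_get_info(void) { return table_size; }
/* Models SO_GET_ENTRIES: lock, reject a size that no longer matches. */
static int sim_get_entries(void *buf, unsigned int size) {
    if (size != table_size) return -EINVAL;   /* "I've got X not Y!" */
    memcpy(buf, table_blob, size);
    return 0;
}

/* Two-step snapshot with bounded retry; returns a malloc'd copy or NULL. */
void *snapshot_table(int max_tries, unsigned int *out_size, int *tries_used) {
    for (int i = 1; i <= max_tries; i++) {
        *tries_used = i;
        unsigned int size = sim_get_info();
        void *buf = malloc(size);
        if (!buf) return NULL;
        concurrent_writer();                   /* window between the two calls */
        int rc = sim_get_entries(buf, size);
        if (rc == 0) { *out_size = size; return buf; }
        free(buf);                             /* stale size: drop buffer, re-query */
        if (rc != -EINVAL) return NULL;        /* only a size mismatch is retryable */
    }
    return NULL;                               /* writer kept winning the race */
}

int main(void) {
    unsigned int size = 0; int tries = 0;
    void *buf = snapshot_table(5, &size, &tries);
    printf("%s after %d tries, size %u\n", buf ? "ok" : "failed", tries, size);
    free(buf);
    return 0;
}
```

The retry has to restart from the size query and reallocate, because the size from a failed attempt is already stale; the cap keeps a busy writer from stalling the reader indefinitely.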
