--zero/-Z does not zero built-in chains

Christian Bricart christian at bricart.de
Thu Aug 25 15:30:16 CEST 2005


I've run into the same that has (only) been posted once (
http://lists.netfilter.org/pipermail/netfilter/2005-July/061667.html ) on
this list.
Somewhere between the 1.3.1 and 1.3.2 releases something has been changed that
has to do with zeroing chains.

It used to be the case that an

 # iptables -L INPUT -nxZ

set the counters on the INPUT chain to 0 right after output (this conforms to every
document about --zero/-Z, i.e. the man page, etc.)

With 1.3.2 (not yet tested on 1.3.3) the counters stay intact.
Alas, this only happens to the built-in chains (INPUT, OUTPUT, FORWARD),
not to user-defined chains like:

# iptables -N acc_in
# iptables -A acc_in -j RETURN
# iptables -I INPUT -j acc_in
[..let some data flow..]
# iptables -L acc_in -nxZ
[..shows current counters of "acc_in" chain and zeroes its counters..]
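A script for checking this on your own iptables version, added here as an example and not part of Christian's post: it sums the per-rule packet counters from `iptables -L <chain> -nvx`, runs the `-L ... -nxZ` command from the report, and tells you whether the counters actually went to zero, for INPUT and for the user-defined acc_in chain the post sets up. The chain setup and cleanup steps, the `--run` flag and the root requirement are my assumptions.

```shell
#!/bin/sh
# Added example, not from the netfilter post. Run as root: sh zcheck.sh --run

# Sum the packet counters of all rules in a chain.
# stdin: output of `iptables -L <chain> -nvx` (two header lines, then one
# line per rule whose first field is the exact packet count).
sum_packets() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { total += $1 }
         END { printf "%d\n", total + 0 }'
}

# List-and-zero a chain the way the report does, then re-read its rule
# counters. Returns 0 if they are zero afterwards, 1 if they survived.
check_zero() {
    chain=$1
    before=$(iptables -L "$chain" -nvx | sum_packets)
    iptables -L "$chain" -nxZ >/dev/null       # the command from the report
    after=$(iptables -L "$chain" -nvx | sum_packets)
    # Policy counters in the chain header are not compared, only rule counters.
    [ "$before" -gt 0 ] || echo "$chain: no packets counted before -Z, result is not meaningful"
    if [ "$after" -eq 0 ]; then
        echo "$chain: $before packets before, zeroed"
        return 0
    fi
    echo "$chain: $before packets before, NOT zeroed ($after remain)"
    return 1
}

# Reproduce the post's setup, test both chains, then clean up. Only runs
# when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    iptables -N acc_in
    iptables -A acc_in -j RETURN
    iptables -I INPUT -j acc_in
    echo "let some traffic flow, then press Enter"; read dummy
    status=0
    check_zero INPUT  || status=1
    check_zero acc_in || status=1
    iptables -D INPUT -j acc_in; iptables -F acc_in; iptables -X acc_in
    exit $status
fi
```

Exit status 1 means at least one chain kept its counters after `-L -nxZ`, which is the 1.3.2 behaviour described in the post.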


More information about the netfilter mailing list