[Bug 502] New: iptables -Z does not clear the policy counters

bugzilla-daemon at bugzilla.netfilter.org
Sat Aug 19 08:27:11 CEST 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=502

           Summary: iptables -Z does not clear the policy counters
           Product: iptables
           Version: 1.3.5
          Platform: i386
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: iptables
        AssignedTo: laforge at netfilter.org
        ReportedBy: andy at andynet.net


This may be the same as bug #352, which was closed but not resolved.

iptables -Z clears the per-rule counters, but not the chain policy counters:

$ sudo iptables --version
iptables v1.3.3

$ sudo iptables -L INPUT -nv
Chain INPUT (policy ACCEPT 1464K packets, 421M bytes)
 pkts bytes target     prot opt in     out     source               destination
 294K   38M ACCEPT     all  --  *      *       10.242.42.11         0.0.0.0/0

$ sudo iptables -Z INPUT
$ sudo iptables -L INPUT -nv
Chain INPUT (policy ACCEPT 1465K packets, 421M bytes)
 pkts bytes target     prot opt in     out     source               destination
   33  3424 ACCEPT     all  --  *      *       10.242.42.11         0.0.0.0/0

iptables 1.3.5 works the same.

This is a regression from earlier versions. I am not sure when it changed, but I have
a Fedora Core 2 system with 1.2.11, which clears the policy counters as well:

# iptables --version
iptables v1.2.11

# iptables -L -nv
Chain INPUT (policy ACCEPT 2037 packets, 291K bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

# iptables -Z
# iptables -L -nv
Chain INPUT (policy ACCEPT 24 packets, 2020 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

This patch against svn fixes it:

===================================================================
--- libiptc/libiptc.c   (revision 6660)
+++ libiptc/libiptc.c   (working copy)
@@ -1656,6 +1656,9 @@
                return 0;
        }
 
+       if (c->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
+               c->counter_map.maptype = COUNTER_MAP_ZEROED;
+
        list_for_each_entry(r, &c->rules, list) {
                if (r->counter_map.maptype == COUNTER_MAP_NORMAL_MAP)
                        r->counter_map.maptype = COUNTER_MAP_ZEROED;
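
Review bot: The new test on c->counter_map.maptype runs for whichever chain c refers to, and nothing in the visible context restricts it to chains that actually have a policy. The report only demonstrates the problem on INPUT, a built-in chain, so please confirm that marking the chain-level counter_map as COUNTER_MAP_ZEROED is harmless for user-defined chains, or guard the assignment so it applies only to built-in chains. A one-line comment above the added lines saying that this zeroes the policy counter would also help, since the same NORMAL_MAP to ZEROED pattern follows immediately for the rules and the two are easy to misread as one. Both the per-chain and per-rule paths skip any maptype other than COUNTER_MAP_NORMAL_MAP, so the added lines are at least consistent with the existing loop.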
