bugzilla-daemon at netfilter.org
2013-May-22 00:53 UTC
[Bug 822] New: iptables shows negative or other bad packet/byte counts
https://bugzilla.netfilter.org/show_bug.cgi?id=822
Summary: iptables shows negative or other bad packet/byte
counts
Product: iptables
Version: unspecified
Platform: All
OS/Version: Fedora
Status: NEW
Severity: critical
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: argsvygre at zacglen.net
Estimated Hours: 0.0
Under heavy system load iptables 1.4.5 can show negative or otherwise bad
packet and byte counts when using "iptables -L -v".
Here is one such example:
>Chain acct (168 references)
> pkts bytes target prot opt in out source
destination
>18446744073709551579 18446744073709538670 ACCEPT all -- eth0+ *
0.0.0.0/0 0.0.0.0/0
>18446744073709551593 6156 ACCEPT all -- * eth0+ 0.0.0.0/0
0.0.0.0/0
The value 18446744073709551579 is 0xFFFFFFFFFFFFFFDB
On other occasions I have observed values such as 18446744073763221504
(0x1000000000332F000) with just the high bit (64) set.
This only appear to occur under heavy system load for some reason.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-May-23 11:45 UTC
[Bug 822] iptables shows negative or other bad packet/byte counts
https://bugzilla.netfilter.org/show_bug.cgi?id=822
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |pablo at netfilter.org
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-05-23
13:45:15 CEST ---
That iptables version is almost 4 years old. Please, retest with current
(1.4.18). You don't mention your kernel version either.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-May-29 18:30 UTC
[Bug 822] iptables shows negative or other bad packet/byte counts
https://bugzilla.netfilter.org/show_bug.cgi?id=822
Phil Oester <netfilter at linuxace.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |netfilter at linuxace.com
--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-05-29
20:29:59 CEST ---
This is almost certainly a race condition, due to multiple iptables instances
running simultaneously. Likely a duplicate of bug 764, and an effect of bug
325 (no locking in iptables).
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Jun-11 16:02 UTC
[Bug 822] iptables shows negative or other bad packet/byte counts
https://bugzilla.netfilter.org/show_bug.cgi?id=822
Phil Oester <netfilter at linuxace.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-06-11
18:02:04 CEST ---
This has been resolved via the addition of locking in ip[6]tables via commit
93587a04 ("ip[6]tables: Add locking to prevent concurrent instances").
This
should appear in 1.4.20. Closing.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
Reasonably Related Threads
- [Bug 823] New: IPv6 NAT memory leaking
- [Bug 877] New: nftables - Set - define core dumps
- [Bug 886] New: iptables-xml segfaults on "-APOSTROUTING"
- [Bug 857] New: ConnLimit unable to work properly
- [Bug 864] New: Verbose output options rejected when modifying chains