[pkg-netfilter-team] Bug#947689: iptables: fails to zeroed package counters
viel
viel.losero at gmail.com
Sun Dec 29 11:10:23 GMT 2019
Package: iptables
Version: 1.8.3-2
Severity: normal
Dear Maintainer,
When I try to zero the iptables counters it fails with:
root@kali:~# iptables -t filter -Z OUTPUT
iptables v1.8.3 (nf_tables): RULE_REPLACE failed (Invalid argument): rule in chain OUTPUT
root@kali:~#
root@kali:~# iptables -t filter -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
402 126K LOG-ACCEPT-OUTPUT all -- * eth0 0.0.0.0/0 0.0.0.0/0 owner UID match 127
39 3587 LOG-ACCEPT-OUTPUT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:853
771 434K LOG-ACCEPT-OUTPUT all -- * lo 0.0.0.0/0 127.0.0.1
0 0 LOG-ACCEPT-OUTPUT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68
0 0 LOG-ACCEPT-OUTPUT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG-DROP-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Additional debugging I tried:
When I add rules like
root@kali:~# iptables -I OUTPUT 1 -o eth0 -m owner --uid-owner "debian-tor" -j LOG-ACCEPT-OUTPUT
root@kali:~# iptables -I OUTPUT 2 -o eth0 -p tcp -m tcp --dport 80 -j LOG-ACCEPT-OUTPUT
and the 2nd rule has some counters, zeroing fails.
root@kali:~# curl www.google.es
^C
root@kali:~# iptables -t filter -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 1228 LOG-ACCEPT-OUTPUT all -- * eth0 0.0.0.0/0 0.0.0.0/0 owner UID match 127
2 120 LOG-ACCEPT-OUTPUT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 532 LOG-ACCEPT-OUTPUT all -- * lo 0.0.0.0/0 127.0.0.1
0 0 LOG-ACCEPT-OUTPUT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68
0 0 LOG-ACCEPT-OUTPUT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG-DROP-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
root@kali:~# iptables -t filter -Z OUTPUT
iptables v1.8.3 (nf_tables): RULE_REPLACE failed (Invalid argument): rule in chain OUTPUT
root@kali:~#
If I delete the rule below, zeroing works again.
root@kali:~# iptables -D OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j LOG-ACCEPT-OUTPUT
root@kali:~# iptables -t filter -Z OUTPUT
root@kali:~#
root@kali:~# uname -a
Linux kali 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux
root@kali:~# dpkg -l | grep netfilter
ii libip4tc2:amd64 1.8.3-2 amd64 netfilter libip4tc library
ii libip6tc2:amd64 1.8.3-2 amd64 netfilter libip6tc library
ii libiptc0:amd64 1.8.3-2 amd64 netfilter libiptc library
ii libnetfilter-conntrack3:amd64 1.0.7-2 amd64 Netfilter netlink-conntrack library
ii libnetfilter-queue1 1.0.3-1 amd64 Netfilter netlink-queue library
ii libxtables12:amd64 1.8.3-2 amd64 netfilter xtables library
root@kali:~# dpkg -l | grep nftables
ii libnftnl11:amd64 1.1.3-2 amd64 Netfilter nftables userspace API library
root@kali:~# dpkg -l | grep iptables
ii iptables 1.8.3-2 amd64 administration tools for packet filtering and NAT
-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2019.3
Codename: kali-rolling
Architecture: x86_64
Kernel: Linux 5.2.0-kali2-amd64 (SMP w/12 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages iptables depends on:
ii libc6 2.29-2
ii libip4tc2 1.8.3-2
ii libip6tc2 1.8.3-2
ii libiptc0 1.8.3-2
ii libmnl0 1.0.4-2+b1
ii libnetfilter-conntrack3 1.0.7-2
ii libnfnetlink0 1.0.1-3+b1
ii libnftnl11 1.1.3-2
ii libxtables12 1.8.3-2
Versions of packages iptables recommends:
pn nftables <none>
Versions of packages iptables suggests:
ii kmod 26-1
-- no debconf information
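
Added example, not part of the original report: a shell helper that compares "iptables -L <chain> -v -n -x" listings taken before and after "iptables -Z" and names the rules whose counters were not reset, so monitoring scripts do not keep trusting stale counters when zeroing fails as shown above. The function names and the sample listing are constructed for illustration; -x (exact counters) is assumed so values are not abbreviated to K/M.

```shell
#!/bin/sh
# Added example (not from the report): find rules whose counters survived
# `iptables -Z` by comparing two `iptables -L <chain> -v -n -x` listings.

# Print the 1-based number of every rule that had packets before and has
# at least as many afterwards, i.e. was evidently not reset.
unzeroed_rules() {  # usage: unzeroed_rules BEFORE_FILE AFTER_FILE
    awk '
        FNR == 1 { n = 0; pass++ }                     # new input file
        /^Chain / || $1 == "pkts" || NF == 0 { next }  # skip header lines
        { n++ }
        pass == 1 { before[n] = $1 + 0; next }
        before[n] > 0 && ($1 + 0) >= before[n] { print n }
    ' "$1" "$2"
}

# Hypothetical wrapper: zero CHAIN, fail if the command or any rule failed.
zero_chain_checked() {
    before=$(mktemp) after=$(mktemp) rc=0
    iptables -t filter -L "$1" -v -n -x > "$before"
    iptables -t filter -Z "$1" || rc=1
    iptables -t filter -L "$1" -v -n -x > "$after"
    stuck=$(unzeroed_rules "$before" "$after")
    rm -f "$before" "$after"
    [ -n "$stuck" ] && { echo "rules not zeroed in $1: $stuck" >&2; rc=1; }
    return $rc
}

# Constructed sample: counter values taken from the report's second listing.
sample_before() {
    cat <<'EOF'
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source      destination
       3     1228 LOG-ACCEPT-OUTPUT  all  --  *  eth0  0.0.0.0/0  0.0.0.0/0  owner UID match 127
       2      120 LOG-ACCEPT-OUTPUT  tcp  --  *  eth0  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
       0        0 LOG-DROP-OUTPUT  all  --  *  *  0.0.0.0/0  0.0.0.0/0
EOF
}

# Constructed sample: the same listing as a successful zeroing would leave it.
sample_zeroed() {
    sample_before | awk '$1 ~ /^[0-9]+$/ { $1 = 0; $2 = 0 } { print }'
}
```

On a busy chain a rule can legitimately pass its old count again between the two listings, so treat a reported rule as a prompt to re-check, together with the exit status of the -Z call.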