** Description changed:
+ [Impact]
+
Starting with Impish I noticed that the kernel selftest xfrm_policy.sh
is always failing. Initially I thought it was a kernel issue, but
debugging further I found that the reason is that with Impish we're
using iptables-nft by default instead of iptables-legacy.
This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel
source directory) is creating a bunch of network namespaces and checking
the iptables counters for the defined policies, in particular this is
the interesting part:
check_ipt_policy_count()
{
- ns=$1
+ ns=$1
- ip netns exec $ns iptables-save -c |grep policy | ( read c rest
- ip netns exec $ns iptables -Z
- if [ x"$c" = x'[0:0]' ]; then
- exit 0
- elif [ x"$c" = x ]; then
- echo "ERROR: No counters"
- ret=1
- exit 111
- else
- exit 1
- fi
- )
+ ip netns exec $ns iptables-save -c |grep policy | ( read c rest
+ ip netns exec $ns iptables -Z
+ if [ x"$c" = x'[0:0]' ]; then
+ exit 0
+ elif [ x"$c" = x ]; then
+ echo "ERROR: No counters"
+ ret=1
+ exit 111
+ else
+ exit 1
+ fi
+ )
}
If I use iptables-nft the counters are never [0:0] as they should be, so
the test is failing. With iptables-legacy they are [0:0] and the test is
passing.
- Any idea why this is happening and how I can debug this in iptables?
+ [Test case]
- Thanks in advance.
+ tools/testing/selftests/net/xfrm_policy.sh from the Linux kernel source
+ code.
+
+ [Fix]
+
+ Apply iptables upstream commit:
+
+ 5f1fcace ("iptables-nft: fix -Z option")
+
+ In this way also with iptables-nft the counters are reported correctly.
+
+ [Regression potential]
+
+ We may require other upstream commits now that the -Z option is working
+ properly with iptables-nft.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1949603
Title:
iptables-save -c shows incorrect counters with iptables-nft
Status in iptables package in Ubuntu:
New
Status in iptables source package in Impish:
New
Status in iptables source package in Jammy:
New
Bug description:
[Impact]
Starting with Impish I noticed that the kernel selftest xfrm_policy.sh
is always failing. Initially I thought it was a kernel issue, but
debugging further I found that the reason is that with Impish we're
using iptables-nft by default instead of iptables-legacy.
This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel
source directory) is creating a bunch of network namespaces and
checking the iptables counters for the defined policies, in particular
this is the interesting part:
check_ipt_policy_count()
{
    ns=$1

    ip netns exec $ns iptables-save -c |grep policy | ( read c rest
        ip netns exec $ns iptables -Z
        if [ x"$c" = x'[0:0]' ]; then
            exit 0
        elif [ x"$c" = x ]; then
            echo "ERROR: No counters"
            ret=1
            exit 111
        else
            exit 1
        fi
    )
}
If I use iptables-nft the counters are never [0:0] as they should be,
so the test is failing. With iptables-legacy they are [0:0] and the
test is passing.
[Test case]
tools/testing/selftests/net/xfrm_policy.sh from the Linux kernel
source code.
[Fix]
Apply iptables upstream commit:
5f1fcace ("iptables-nft: fix -Z option")
In this way also with iptables-nft the counters are reported
correctly.
[Regression potential]
We may require other upstream commits now that the -Z option is
working properly with iptables-nft.
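Added example, not part of the bug report or of the kernel selftest: a POSIX sh function that parses the "[pkts:bytes]" prefix that iptables-save -c prints before each rule and applies the same zero / non-zero / no-counter decision as check_ipt_policy_count above, run here over constructed iptables-save output so it needs neither namespaces nor root.

```shell
#!/bin/sh
# Added example (not from the bug report or the kernel selftest): decide from
# `iptables-save -c` output whether the rules matching a pattern were zeroed.

# Constructed sample: what iptables-legacy prints right after `iptables -Z`,
# every rule carries a [0:0] counter (chain policy counters stay as they were).
SAMPLE_ZEROED='*filter
:INPUT ACCEPT [12:1048]
:OUTPUT ACCEPT [9:720]
[0:0] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
[0:0] -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Constructed sample of the symptom from the report: rule counters that -Z
# did not reset, so the selftest sees something other than [0:0].
SAMPLE_STALE='*filter
:INPUT ACCEPT [12:1048]
[3:252] -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
[0:0] -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# policy_counters_zero PATTERN   (iptables-save -c output on stdin)
# Exit codes mirror check_ipt_policy_count in the selftest:
#   0   every rule matching PATTERN has a [0:0] counter
#   1   at least one matching rule has non-zero counters
#   111 no matching rule carried a counter at all
policy_counters_zero() {
    pattern=$1
    found=0
    nonzero=0
    while IFS= read -r line; do
        case $line in
            '['*"$pattern"*) ;;   # rule line ("[pkts:bytes] -A ...") matching PATTERN
            *) continue ;;        # chain headers, comments, COMMIT, other rules
        esac
        found=1
        counter=${line%% *}       # "[pkts:bytes]"
        counter=${counter#\[}
        counter=${counter%\]}
        pkts=${counter%%:*}
        bytes=${counter#*:}
        if [ "$pkts" -ne 0 ] || [ "$bytes" -ne 0 ]; then
            nonzero=1
        fi
    done
    [ "$found" -eq 1 ] || return 111
    [ "$nonzero" -eq 0 ]
}
```

Feed it live output with `ip netns exec "$ns" iptables-save -c | policy_counters_zero policy` to reproduce the selftest's check against either iptables backend.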