This bug was fixed in the package iptables - 1.8.7-1ubuntu4
---------------
iptables (1.8.7-1ubuntu4) jammy; urgency=medium
[ Andrea Righi ]
* Fix counters with iptables-nft and add a test case (LP: #1949603)
- d/p/9005-iptables-nft-fix-Z-option.patch
* Enable iptables selftest in autopkgtest
[ Dimitri John Ledkov ]
* Chmod patched test case in autopkgtest as well.
* Add nftables:native depends in the autopkgtest and switch to
isolation-machine.
* Upload to jammy.
-- Andrea Righi <andrea.ri...@canonical.com> Wed, 03 Nov 2021 15:50:49
+0000
** Changed in: iptables (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1949603
Title:
iptables-save -c shows incorrect counters with iptables-nft
Status in iptables package in Ubuntu:
Fix Released
Status in iptables source package in Impish:
Confirmed
Status in iptables source package in Jammy:
Fix Released
Bug description:
[Impact]
Starting with Impish I noticed that the kernel selftest xfrm_policy.sh
is always failing. Initially I thought it was a kernel issue, but
debugging further I found that the reason is that with Impish we're
using iptables-nft by default instead of iptables-legacy.
This test (./tools/testing/selftests/net/xfrm_policy.sh in the kernel
source directory) is creating a bunch of network namespaces and
checking the iptables counters for the defined policies, in particular
this is the interesting part:
check_ipt_policy_count()
{
ns=$1
ip netns exec $ns iptables-save -c |grep policy | ( read c rest
ip netns exec $ns iptables -Z
if [ x"$c" = x'[0:0]' ]; then
exit 0
elif [ x"$c" = x ]; then
echo "ERROR: No counters"
ret=1
exit 111
else
exit 1
fi
)
}
If I use iptables-nft the counters are never [0:0] as they should be,
so the test is failing. With iptables-legacy they are [0:0] and the
test is passing.
[Test case]
tools/testing/selftests/net/xfrm_policy.sh from the Linux kernel
source code.
[Fix]
Apply iptables upstream commit:
5f1fcace ("iptables-nft: fix -Z option")
In this way also with iptables-nft the counters are reported
correctly.
[Regression potential]
We may require other upstream commits now that the -Z option is
working properly with iptables-nft.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1949603/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
