| Summary: | netfilter iptables quota not working right | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ian Donaldson <iand> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | gansalmon, itamar, jforbes, jonathan, kernel-maint, madhu.chinakonda |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-14 01:27:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Is this still present with the 2.6.43/3.3 kernel update?

Yes, it's still present on 3.3.4-3.fc16.x86_64
eg:
pkts bytes target prot opt in out source destination
5724 4775985 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4618240 bytes

# Mass update to all open bugs. Kernel 3.6.2-1.fc16 has just been pushed to updates. This update is a significant rebase from the previous version. Please retest with this kernel, and let us know if your problem has been fixed. In the event that you have upgraded to a newer release and the bug you reported is still present, please change the version field to the newest release you have encountered the issue with. Before doing so, please ensure you are testing the latest kernel update in that release and attach any new and relevant information you may have gathered. If you are not the original bug reporter and you still experience this bug, please file a new report, as it is possible that you may be seeing a different problem. (Please don't clone this bug, a fresh bug referencing this bug in the comment is sufficient). With no response, we are closing this bug under the assumption that it is no longer an issue. If you still experience this bug, please feel free to reopen the bug report.

Sorry for the delay; I've only just gotten around to upgrading to test this.

With 3.6.11-1.fc16.x86_64 the problem is still present.
eg:
pkts bytes target prot opt in out source destination
3608 704826 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 675840 bytes

This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
Description of problem:
iptables/netfilter 'quota' match doesn't seem to always work

Version-Release number of selected component (if applicable):
kernel-2.6.42.3-2.fc15.x86_64
iptables-1.4.10-2.fc15.x86_64

How reproducible:
seems to work some of the time; hard to nail down

below is output of iptables -L -vnx for a chain that is fed traffic of interest from the FORWARD ruleset.
...
pkts bytes target prot opt in out source destination
17962 7966015 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 2068480 bytes
965 355972 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

and another output a bit later...
pkts bytes target prot opt in out source destination
20946 9022658 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 2068480 bytes
965 355972 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

as you can see the byte count far exceeds the quota assigned; only some of the data is being blocked and reaching the DROP rule.

Steps to Reproduce:
1.
IP=1.2.3.4
BYTE_LIMIT=1000000
iptables --new-chain limitedflow_${IP}
iptables --append limitedflow_${IP} --match quota --quota ${BYTE_LIMIT} --jump ACCEPT
iptables --append limitedflow_${IP} --jump DROP
iptables --insert FORWARD --source ${IP} --jump limitedflow_${IP}
iptables --insert FORWARD --destination ${IP} --jump limitedflow_${IP}
2. send a bunch of traffic thru the server from or to IP
3. observe byte counts exceeding quota

Actual results:
byte count on the quota rule exceeds quota

Expected results:
byte count on the quota rule should not exceed the quota; subsequent data should appear on the DROP rule

Additional info:
inspection of the kernel code for netfilter shows that the counter decremented in xt_quota is separate from the counter displayable using iptables, so I suspect the code decrementing this counter isn't using the same concept of packet size that the counter displayable is using... (still hunting for that code...)
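Added example, not part of the bug report or of the kernel sources: a small user-space model in C of the xt_quota match together with the per-rule counters that the report's `iptables -L -vnx` output shows. The match logic follows net/netfilter/xt_quota.c (the remaining quota is decremented by skb->len while the packet fits, and zeroed by the first packet that does not), and the rule counters are incremented with the same skb->len the way ipt_do_table() does, so it checks the reporter's expectation that the ACCEPT rule's byte count cannot exceed the quota while the rule is left alone. It then models one hypothesis that the report does not establish: the kernel re-runs the match's checkentry and allocates a fresh quota whenever the table is replaced (any iptables command that modifies the ruleset, including a later `--insert FORWARD` for another IP), while iptables writes the previous rule counters back, so the displayed byte count overshoots. `struct sim_result`, `simulate()`, `chain_run()` and `counters_exceed_quota()` are this example's own names; the quota, packet size and reload point are constructed inputs, not captured traffic.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Private state the kernel allocates in quota_mt_check() each time the
 * rule is loaded (or reloaded) into the table: bytes still allowed. */
struct quota_priv {
    uint64_t quota;
};

/* pkts/bytes columns of `iptables -L -vnx` for one rule. */
struct rule_counters {
    uint64_t pcnt;
    uint64_t bcnt;
};

/* Result of running a constructed packet trace through the chain
 * (struct and function names in this example are assumptions). */
struct sim_result {
    struct rule_counters accept;   /* -m quota --quota N -j ACCEPT */
    struct rule_counters drop;     /* -j DROP */
    uint64_t remaining;            /* quota left in the kernel's private state */
};

/* Mirror of quota_mt(): the packet matches while it still fits in the
 * remaining quota; the first packet that does not fit zeroes the quota so
 * that no later packet, however small, matches again. */
static bool quota_mt(struct quota_priv *priv, uint64_t skb_len)
{
    if (priv->quota >= skb_len) {
        priv->quota -= skb_len;
        return true;
    }
    priv->quota = 0;
    return false;
}

/* One packet through limitedflow_<IP>. ipt_do_table() adds skb->len to
 * the counters of the rule that matched, so the same length feeds both
 * the quota and the displayed byte count. */
static void chain_run(struct quota_priv *priv, struct sim_result *r,
                      uint64_t skb_len)
{
    struct rule_counters *hit = quota_mt(priv, skb_len) ? &r->accept : &r->drop;
    hit->pcnt++;
    hit->bcnt += skb_len;
}

/* Push npkts packets of pkt_len bytes through the chain. If reload_after
 * is non-zero, the table is replaced just before packet number
 * reload_after (hypothesis): the kernel re-runs quota_mt_check() and gets
 * a fresh quota, while iptables restores the old rule counters. */
struct sim_result simulate(uint64_t quota, uint64_t pkt_len, size_t npkts,
                           size_t reload_after)
{
    struct sim_result r = { {0, 0}, {0, 0}, 0 };
    struct quota_priv priv = { quota };

    for (size_t i = 0; i < npkts; i++) {
        if (reload_after != 0 && i == reload_after)
            priv.quota = quota;
        chain_run(&priv, &r, pkt_len);
    }
    r.remaining = priv.quota;
    return r;
}

/* The reporter's expected invariant: accepted bytes never exceed the quota. */
bool counters_exceed_quota(struct sim_result r, uint64_t quota)
{
    return r.accept.bcnt > quota;
}

static void dump(const char *label, struct sim_result r)
{
    printf("%s:\n  ACCEPT pkts=%" PRIu64 " bytes=%" PRIu64
           "\n  DROP   pkts=%" PRIu64 " bytes=%" PRIu64
           "\n  remaining=%" PRIu64 "\n",
           label, r.accept.pcnt, r.accept.bcnt,
           r.drop.pcnt, r.drop.bcnt, r.remaining);
}

int main(void)
{
    const uint64_t quota = 1000000;   /* BYTE_LIMIT from the report's steps */
    /* Constructed trace: 1200 MTU-sized packets, rule loaded once. */
    dump("rule loaded once", simulate(quota, 1500, 1200, 0));
    /* Same trace, table replaced after 500 packets. */
    dump("table replaced mid-trace", simulate(quota, 1500, 1200, 500));
    return 0;
}
```

With the rule left alone the ACCEPT counter stops at 999000 bytes (666 packets) and the remaining 534 packets land on DROP; the same trace with one table replacement in the middle ends with 1749000 bytes on ACCEPT, well past the quota, and only 34 packets on DROP. A practical check against a live box is therefore to note the ACCEPT byte count before and after every iptables command that touches the ruleset: if the overshoot appears only across such commands, the reset-on-reload behaviour of the match, rather than a mismatch in how packet length is counted, is the thing to look at.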