Bug 87715 - iptables-save should not be called with "-c" switch
Summary: iptables-save should not be called with "-c" switch
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 9
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Depends On:
Reported: 2003-04-01 17:58 UTC by Jordan Russell
Modified: 2007-04-18 16:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-07-03 09:35:37 UTC

Description Jordan Russell 2003-04-01 17:58:36 UTC
Description of problem:
(This was also present in Red Hat Linux 8.0.)

When you run "service iptables save" it needlessly saves the current packet 
counts in /etc/sysconfig/iptables along with the rules. Because of this, every 
time you reboot and run "iptables -vL" it shows the counts from the last time 
you ran "service iptables save" instead of zeros. This is useless and 
unintuitive. Depending on when you last ran "service iptables save", you could 
be seeing figures that are many months old. Then when those old figures are 
incremented after the fresh boot, they become totally bogus.

This problem can be solved by simply removing the "-c" switch 
in /etc/init.d/iptables, i.e.

-        /sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && \
+        /sbin/iptables-save > $IPTABLES_CONFIG  2>/dev/null && \
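
Review bot: dropping "-c" from the save line alone does not give the zeroed counters the description asks for. iptables-save still writes the counters of the built-in chains, and the "iptables-restore -c" call elsewhere in the same script loads them back at boot, so the figures shown by "iptables -vL" after a reboot are still stale (Comment 1 below confirms both points). The matching "-c" on the restore line should be removed in the same patch, or the chain counters should be zeroed before $IPTABLES_CONFIG is written.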

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
(see above)

Comment 1 Jordan Russell 2003-04-02 16:51:02 UTC
I've found that while removing the "-c" switch from iptables-save prevents the 
packet counts for the individual rules from being saved, it doesn't inhibit the 
saving of the packet counts for the built-in chains. The only way to get around 
that, it appears, is to remove the "-c" switch from the iptables-restore 
command (also in /etc/init.d/iptables) too.

Comment 2 Thomas Woerner 2003-07-03 09:35:37 UTC
Fixed in the new 1.2.8-4.x version. This version has a new startup script and an
additional config file.

> # Additional iptables modules (nat helper)
> # Default: -empty-
> #IPTABLES_MODULES="ip_nat_ftp"
> # Save current firewall rules on stop.
> # Value: yes|no,  default: no
> # Save current firewall rules on restart.
> # Value: yes|no,  default: no
> # Save rule counter.
> # Value: yes|no,  default: yes
> # Numeric status output
> # Value: yes|no,  default: no

RPM packages for 7.x:

RPM packages for 8.0:

RPM packages for 9:

Comment 3 Michael Schwendt 2003-07-03 12:00:55 UTC

Your changed scripts don't restore the saved counters anymore upon running
iptables-restore. Hence this option is useless. Btw, tell me one good reason why
anyone would want to save byte/packet counters into /etc/sysconfig/iptables?

> # Save rule counter.
> # Value: yes|no,  default: yes
Default is "no", but I think those two (SAVE_ON_STOP and SAVE_ON_RESTART) are
over-ambitious. In the world of scripting, it's so quick'n'easy to simply run
"service iptables save ; service iptables restart".

Whether removing modules manually in stop() is a good idea remains to be seen.
While I like the new $IPTABLES_MODULES feature for specifying a list of modules
to be modprobe'd, the stop() function interferes with stacking modules via
/etc/modules.conf. I say: Please don't remove kernel modules unless the user tells
you to do so explicitly.

An option for making status() list tables verbosely would be nice.

Comment 4 Thomas Woerner 2003-07-03 15:46:22 UTC
IPTABLES_SAVE_COUNTER also affects iptables-restore, now (forgot '-c').

There are people that want to save and restore the counters when the machine
gets rebooted or when the firewall gets restarted.

To unload the kernel modules is the only way to get the firewall to a real stop:
Think of the nat helper or the conntrack modules. As an example: I have to
unload the modules if the user decides to not use a helper anymore or if the
user wants to switch to ipchains.

Comment 5 Jordan Russell 2003-07-03 16:33:59 UTC
This looks great, but shouldn't IPTABLES_SAVE_COUNTER default to "no" since 
IPTABLES_SAVE_ON_{STOP,RESTART} default to "no"? I can't imagine why anyone 
would want to save packet counts when they aren't writing the rules at shutdown.
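
The script below is an added example, not the Red Hat initscript or anything shipped in the iptables package. It illustrates the two points argued in this thread: Comment 1's observation that the built-in chain counters end up in the saved file even when "-c" is dropped from iptables-save, and the IPTABLES_SAVE_COUNTER=yes|no setting discussed in Comments 2 to 5. It assumes the iptables 1.2.x save-file layout, in which a rule saved with "-c" carries a leading "[pkts:bytes]" and every chain line ends in a "[pkts:bytes]" policy counter. The sample saved ruleset is constructed for the example; the save_firewall wrapper and its IPTABLES_SAVE_COUNTER variable are hypothetical and only show how an init script could honour the setting.

```sh
#!/bin/sh
# Added example, not code from the Red Hat iptables initscript.
# Normalises iptables-save output so that no counter survives a
# "service iptables save": per-rule "[pkts:bytes] " prefixes are dropped
# and the built-in chain policy counters (":INPUT ACCEPT [pkts:bytes]")
# are reset to [0:0].  Assumes the iptables 1.2.x save-file layout.

# Filter: stdin is iptables-save output, stdout is the same ruleset with
# every counter removed or zeroed.  Basic regular expressions only, so it
# behaves the same under GNU and BSD sed.
strip_counters() {
    sed -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/^\(:[^ ]* [^ ]* \)\[[0-9]*:[0-9]*\]$/\1[0:0]/'
}

# Counts lines that still carry a non-zero packet or byte counter; 0 means
# the file cannot seed stale figures into "iptables -vL" after a reboot.
live_counter_lines() {
    grep -E -c '\[[0-9]*[1-9][0-9]*:[0-9]*\]|\[[0-9]*:[0-9]*[1-9][0-9]*\]' || true
}

# Wrapper an init script could call (hypothetical, not the real initscript).
# Honours IPTABLES_SAVE_COUNTER=yes|no, defaulting to "no" as Comment 5
# argues it should; $1 is the destination, e.g. /etc/sysconfig/iptables.
# Without "-c" iptables-save still emits the chain policy counters, which
# is why the filter is applied rather than just omitting the switch.
save_firewall() {
    if [ "${IPTABLES_SAVE_COUNTER:-no}" = "yes" ]; then
        /sbin/iptables-save -c > "$1"
    else
        /sbin/iptables-save | strip_counters > "$1"
    fi
}

# Constructed sample of "iptables-save -c" output (not captured from a host).
SAMPLE_SAVE='# Generated by iptables-save v1.2.8 on Thu Jul  3 09:35:37 2003
*filter
:INPUT ACCEPT [2851:211044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3100:402310]
:services - [0:0]
[120:9600] -A INPUT -j services
[7:560] -A services -i lo -j ACCEPT
[113:9040] -A services -p tcp -m tcp --dport 22 --syn -j ACCEPT
COMMIT
# Completed on Thu Jul  3 09:35:37 2003'

# What the same ruleset looks like once every counter has been stripped.
EXPECTED='# Generated by iptables-save v1.2.8 on Thu Jul  3 09:35:37 2003
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:services - [0:0]
-A INPUT -j services
-A services -i lo -j ACCEPT
-A services -p tcp -m tcp --dport 22 --syn -j ACCEPT
COMMIT
# Completed on Thu Jul  3 09:35:37 2003'

# Runs the filter over the constructed sample.
demo_strip() {
    printf '%s\n' "$SAMPLE_SAVE" | strip_counters
}

# Non-zero counter lines in the sample before filtering (5 here).
demo_live_before() {
    printf '%s\n' "$SAMPLE_SAVE" | live_counter_lines
}

# Non-zero counter lines after filtering (0 here).
demo_live_after() {
    demo_strip | live_counter_lines
}
```

Running demo_strip shows that the three rule lines lose their prefixes and the INPUT and OUTPUT policy counters are reset; the FORWARD chain and the user-defined chain were already at [0:0]. Feeding the filtered output to iptables-restore (with or without "-c") therefore starts every counter at zero, which is the behaviour the original report asks for.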

Comment 6 Michael Schwendt 2003-07-03 16:44:00 UTC
Okay, when documented well, there won't be unexpected problems.

In the following, "echo; return 1" looks badly misplaced. Actually, it prevents
the rest of the start function from being executed:

start() {
    echo -n $"Applying $IPTABLES firewall rules: "
    $IPTABLES-restore $IPTABLES_DATA && success || failure; echo; return 1

Also, with IPTABLES_MODULES="ip_nat_irc", "service iptables start ; service
iptables stop" fails to remove "ip_conntrack_irc" and "ip_conntrack" here with

Comment 8 Michael Schwendt 2003-07-04 12:25:36 UTC
Works for me.

Now please verify the IPv6 package: While it may look smart to generate the
ip6tables initscript from the IPv4 version, it introduces a few bugs:

 - "nat" table is not available in IPv6 netfilter and gives an error
 - there is no IPv6 netfilter connection tracking
 - rmmod_r() calls unload IPv4 netfilter modules
