iptables extension "--bytes-gt" not updating ipset counters after update to RHEL 7.6

Hi,
Our ipset and iptables match-set rules are not updating the ipset packet and byte counters after the update to RHEL 7.6.
We have configured custom iptables and ipset rules (limit_up and limit_down) to limit the upload and download data for specific tap interfaces.

This is maybe a bug, but probably we have missed some configuration changes for the new versions of the ipset and iptables packages.

ipset create limit_down hash:net,iface family inet hashsize 1024 maxelem 65536 counters
ipset add limit_down 192.168.2.2,wnet1

iptables -A PREROUTING -m set --match-set limit_up src,src --bytes-gt 1152921504606846976 -j DROP
iptables -A POSTROUTING -m set --match-set limit_down dst,dst --bytes-gt 1152921504606846976 -j DROP

ipset list limit_down

Name: limit_down
Type: hash:net,iface
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 counters
Size in memory: 600
References: 1
Number of entries: 1
Members:
192.168.2.2,wnet1 packets 0 bytes 0

uname -a

Linux ba-vreplserver1-b 3.10.0-957.27.2.el7.x86_64 #1 SMP Tue Jul 9 16:53:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/redhat-release

Red Hat Enterprise Linux Server release 7.6 (Maipo)

Packages installed:
kernel-devel-3.10.0-957.27.2.el7.x86_64
kernel-3.10.0-957.27.2.el7.x86_64
kernel-3.10.0-957.el7.x86_64
kernel-tools-3.10.0-957.27.2.el7.x86_64
kernel-tools-libs-3.10.0-957.27.2.el7.x86_64
kernel-headers-3.10.0-957.27.2.el7.x86_64

iptables-services-1.4.21-33.el7.x86_64
iptables-1.4.21-33.el7.x86_64

ipset-7.1-1.el7.x86_64
ipset-libs-7.1-1.el7.x86_64
ipset-service-7.1-1.el7.noarch

A workaround for this is to LOG packets going via the same table and chain; the ipset counters are then updated as before.

iptables -t mangle -L POSTROUTING -n -v

Chain POSTROUTING (policy ACCEPT 376075 packets, 527 bytes)
pkts bytes target prot opt in out source destination
376075 527 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set limit_down dst,dst LOG flags 0 level 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set limit_down dst,dst bytes-gt 1152921504606846976
376075 527 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save

ipset list limit_down

Name: limit_down
Type: hash:net,iface
Revision: 3
Header: family inet hashsize 1024 maxelem 65536 counters
Size in memory: 23856
References: 1
Members:
192.168.2.2,wnet2 packets 376075 bytes 527
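The diagnosis in the post rests on cross-checking two listings: the chain's own per-rule counters in `iptables -L -n -v` show that traffic matched the set, while `ipset list` shows the member counters not moving. The following is an added example (not part of the post, and not Red Hat's or the ipset project's code) that automates that check from saved copies of the two listings; the sample listings are constructed from the values quoted above, the regexes assume the output formats shown in the post, and the K/M/G expansion of iptables -v counters is approximate because those figures are rounded.

```python
import re

# Constructed sample listings, modelled on the output quoted in the post: the LOG rule
# in the chain sees traffic for the set, yet the ipset member counters stay at zero.
IPTABLES_OUT = """\
Chain POSTROUTING (policy ACCEPT 376075 packets, 527 bytes)
 pkts bytes target prot opt in out source destination
376075 527 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set limit_down dst,dst LOG flags 0 level 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set limit_down dst,dst bytes-gt 1152921504606846976
376075 527 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
"""
IPSET_OUT = """\
Name: limit_down
Type: hash:net,iface
Header: family inet hashsize 1024 maxelem 65536 counters
Members:
192.168.2.2,wnet1 packets 0 bytes 0
"""
# `iptables -L -n -v` rule line: pkts, bytes (K/M/G suffixed when large), target, ... match-set <name>
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+\S+.*\bmatch-set (\S+)")
# `ipset list` member line carrying the counters extension
MEMBER_RE = re.compile(r"^(\S+) .*?packets (\d+) bytes (\d+)")
SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}

def to_int(field):
    """Expand an iptables -v counter such as '376K' (rounded by iptables, so approximate)."""
    return int(field[:-1]) * SCALE[field[-1]] if field[-1] in SCALE else int(field)

def rule_hits(iptables_listing, set_name):
    """Highest packet count over the rules that match against set_name (0 if none matched)."""
    hits = [to_int(m.group(1)) for line in iptables_listing.splitlines()
            if (m := RULE_RE.match(line)) and m.group(3) == set_name]
    return max(hits, default=0)

def member_counters(ipset_listing):
    """Map each set member to its (packets, bytes) counters from `ipset list` output."""
    members = {}
    in_members = False
    for line in ipset_listing.splitlines():
        if line.strip() == "Members:":
            in_members = True
        elif in_members and (m := MEMBER_RE.match(line.strip())):
            members[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return members

def counters_stuck(iptables_listing, ipset_listing, set_name):
    """True when the chain counted matches against the set but no member counter advanced."""
    seen_by_rules = rule_hits(iptables_listing, set_name)
    seen_by_set = sum(p for p, _ in member_counters(ipset_listing).values())
    return seen_by_rules > 0 and seen_by_set == 0
```

Run against the two listings in the post, `counters_stuck(IPTABLES_OUT, IPSET_OUT, "limit_down")` is true for the first `ipset list` output and false once the counters read packets 376075 bytes 527 as in the second.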