When a ruleset that does not reset any chain policies/counters, such as *filter COMMIT is sourced by iptables-restore, the previous policy and counters (i.e. the ones read from the kernel) are reused. The counter skew offsetting is wrong however, causing the read value to be readded to the kernel value. This manifests itself in practice by the counter value almost doubling everytime iptables-restore is called. Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx> --- libiptc/libiptc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 670acf5..7a9c742 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -829,7 +829,7 @@ static int __iptcc_p_del_policy(struct xtc_handle *h, unsigned int num) /* save counter and counter_map information */ h->chain_iterator_cur->counter_map.maptype = - COUNTER_MAP_NORMAL_MAP; + COUNTER_MAP_ZEROED; h->chain_iterator_cur->counter_map.mappos = num-1; memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters, sizeof(h->chain_iterator_cur->counters)); -- 1.6.5.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
