* iptables bad byte counter?!?
@ 2002-06-05 19:07 Torge Szczepanek
2002-06-05 19:29 ` Henrik Nordstrom
0 siblings, 1 reply; 6+ messages in thread
From: Torge Szczepanek @ 2002-06-05 19:07 UTC (permalink / raw)
To: netfilter-devel
Hi!
I am using iptables 1.2.5 on SuSE 8.0 using the standard SuSE kernel
2.4.18-4GB, with some minor modifications (I increased the number of
maximum devices in net/core/dev.c, which is normally limited to 100). I
am accounting traffic using iptables [...] -n -v -x -Z. I am doing this
hourly.
Sometimes (once a day) iptables is reporting the wrong byte counter for
only some (about 10) ip addresses out of 400.
All my users are on a vpn connection (poptop) server and I am setting up
a rule for every user by executing the following in my /etc/ppp/ip-up
script:
    iptables -A TRAFFIC -i eth0 -o ppp+ -s ! x.y.0.0/16 -d $SUBNET/24 -j TRAF$SUBNET
    $IPTAB -A TRAF$SUBNET -d $5
(I only want to account incoming traffic, which is not coming from a
specific Class-B network). In my crontab I have a script, that is
dumping the iptables output to a file.
I am getting byte counters like this:
18446744073707058701
The byte counters differ (18446744073707 is mostly the same) so I think
this might be an overflow of a (longint?!?) counter.
The machine is under very heavy load, because it terminates more vpn
connections than planned. This does not happen on another machine, which
is under normal load. The other machine has EXACTLY the same setup as
the machine where I have these problems.
I am sorry that I cannot provide more detailed information about this
behaviour, since I can not play with my machine setup, because there are
about 2300 possible users, who would get very angry. :-]
Is this already known?!?
As a small bugfix I am now grepping out traffic, which has a byte
counter beginning with 184467440737. I am also writing on a trafficlog
daemon, which is doing the accounting using libipulog, which is much
more efficient, since I do not have to setup single rules for every user
and do not have to traverse many iptables chains for every packet (just
one single rule to log all traffic to userspace).
* Re: iptables bad byte counter?!?
2002-06-05 19:07 iptables bad byte counter?!? Torge Szczepanek
@ 2002-06-05 19:29 ` Henrik Nordstrom
2002-06-06 5:42 ` Harald Welte
0 siblings, 1 reply; 6+ messages in thread
From: Henrik Nordstrom @ 2002-06-05 19:29 UTC (permalink / raw)
To: Torge Szczepanek, netfilter-devel
Torge Szczepanek wrote:
> I am getting byte counters like this:
>
> 18446744073707058701
Very much looks like a negative number.. the above is the same as 64 bit
integer -2492915 printed as an unsigned value.
> The byte counters differ (18446744073707 is mostly the same) so I think
> this might be an overflow of a (longint?!?) counter.
Very unlikely as it is 64 bits in size and unsigned..
Regards
Henrik
* Re: iptables bad byte counter?!?
2002-06-05 19:29 ` Henrik Nordstrom
@ 2002-06-06 5:42 ` Harald Welte
0 siblings, 0 replies; 6+ messages in thread
From: Harald Welte @ 2002-06-06 5:42 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: Torge Szczepanek, netfilter-devel
On Wed, Jun 05, 2002 at 09:29:54PM +0200, Henrik Nordstrom wrote:
> Torge Szczepanek wrote:
>
> > I am getting byte counters like this:
> >
> > 18446744073707058701
>
> Very much looks like a negative number.. the above is the same as 64 bit
> integer -2492915 printed as an unsigned value.
>
> > The byte counters differ (18446744073707 is mostly the same) so I think
> > this might be an overflow of a (longint?!?) counter.
>
> Very unlikely as it is 64 bits in size and unsigned..
no, this is clearly a problem within the 32bit-userspace / 64bit kernelspace
handling of iptables.
Don't assume any reasonable value to be in the counters on sparc64.
> Regards
> Henrik
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
* iptables bad byte counter?!?
@ 2009-03-10 9:26 Erik Wasser
2009-03-10 10:30 ` G.W. Haywood
0 siblings, 1 reply; 6+ messages in thread
From: Erik Wasser @ 2009-03-10 9:26 UTC (permalink / raw)
To: netfilter
Hello list,
I'm quoting here a real old message from the netfilter-devel list:
> Subject: iptables bad byte counter?!?
> From: Torge Szczepanek
> Date: 05 Jun 2002 21:07:35 +0200
You can find the complete mail here:
http://lists.netfilter.org/pipermail/netfilter-devel/2002-June/008038.html
Torge got problems with the byte counter during the output of the logged
traffic. I've got the same problems here too. Here's an example line
of "iptables --list --verbose --numeric --exact":
> Chain INPUT (policy ACCEPT 2086 packets, 252096 bytes)
> pkts bytes target prot opt in out...
> 18446744073709551148 18446744073709508226 ACCEPT all -- eth0 *...
> 18446744073709548061 18446744073708196250 ACCEPT all -- * *...
These values are of course ridiculous for a 5 minute interval. In the
normal case the output looks like this:
> Chain INPUT (policy ACCEPT 3458 packets, 421710 bytes)
> pkts bytes target prot opt in out...
> 16886 1481496 ACCEPT all -- eth0 *...
> 20932 2638562 ACCEPT all -- * *...
I'm using kernel 2.6.18-92.1.17.el5 and iptables-1.3.5-4.el5 on a CentOS
5.2 computer (x86_64).
The last comment to the original mail was the following:
> no, this is clearly a problem within the 32bit-userspace / 64bit
> kernelspace handling of iptables.
Is that true? The original report of this "bug" is 7 years ago.
Shouldn't it be fixed since then? What is causing this
misunderstanding? Is this bug fixable?
--
So long... Fuzz
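
The following is an added example, not part of any message in this thread: it parses `iptables --list --verbose --numeric --exact` output, flags rule counters whose top bit is set, and shows the signed 64-bit reading described in the 2002 reply (18446744073707058701 is -2492915). The function names and the 2**63 threshold are assumptions of the example; unlike a match on the decimal prefix 184467440737, the threshold also catches values further below 2**64.

```python
import re

U64 = 1 << 64        # counters are unsigned 64-bit, as stated in the thread
SIGN_BIT = 1 << 63   # assumption: no real counter reaches 2**63 between reads

# Constructed sample: the rule lines quoted above, without the "> " prefix
# and with the columns elided as "..." in the mail left out.
SAMPLE = """\
Chain INPUT (policy ACCEPT 2086 packets, 252096 bytes)
pkts bytes target prot opt in out
18446744073709551148 18446744073709508226 ACCEPT all -- eth0 *
18446744073709548061 18446744073708196250 ACCEPT all -- * *
16886 1481496 ACCEPT all -- eth0 *
"""

# With -x both counters are plain decimal integers at the start of a rule line.
RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*)$")


def as_signed64(value):
    """Reinterpret an unsigned 64-bit value as two's-complement signed."""
    if not 0 <= value < U64:
        raise ValueError("not a 64-bit value: %d" % value)
    return value - U64 if value >= SIGN_BIT else value


def audit_counters(listing):
    """Split rule lines into (good, suspect) lists of (pkts, bytes, rule).

    A rule is suspect when either counter has its top bit set; suspect
    entries carry the signed reading so the size of the error is visible.
    """
    good, suspect = [], []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:            # chain header, column header, blank line
            continue
        pkts, nbytes, rule = int(m.group(1)), int(m.group(2)), m.group(3).strip()
        if pkts >= SIGN_BIT or nbytes >= SIGN_BIT:
            suspect.append((as_signed64(pkts), as_signed64(nbytes), rule))
        else:
            good.append((pkts, nbytes, rule))
    return good, suspect


if __name__ == "__main__":
    good, suspect = audit_counters(SAMPLE)
    for pkts, nbytes, rule in suspect:
        print("SUSPECT pkts=%d bytes=%d  %s" % (pkts, nbytes, rule))
    print("%d rule(s) usable for accounting" % len(good))
```
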
* Re: iptables bad byte counter?!?
2009-03-10 9:26 Erik Wasser
@ 2009-03-10 10:30 ` G.W. Haywood
2009-03-10 14:30 ` Erik Wasser
0 siblings, 1 reply; 6+ messages in thread
From: G.W. Haywood @ 2009-03-10 10:30 UTC (permalink / raw)
To: Erik Wasser; +Cc: netfilter
Hi there,
On Tue, 10 Mar 2009, Erik Wasser wrote:
> Hello list,
>
> > Chain INPUT (policy ACCEPT 2086 packets, 252096 bytes)
> > pkts bytes target prot opt in out...
> > 18446744073709551148 18446744073709508226 ACCEPT all -- eth0 *...
> > 18446744073709548061 18446744073708196250 ACCEPT all -- * *...
>
> [...]
>
> The last comment to the original mail was the following:
>
> > no, this is clearly a problem within the 32bit-userspace / 64bit
> > kernelspace handling of iptables.
>
> Is that true?
~$ >>> echo '18446744073709551148/(65536*65536*65536*65536)' | bc -l
.99999999999999997462
Looks that way.
--
73,
Ged.
* Re: iptables bad byte counter?!?
2009-03-10 10:30 ` G.W. Haywood
@ 2009-03-10 14:30 ` Erik Wasser
0 siblings, 0 replies; 6+ messages in thread
From: Erik Wasser @ 2009-03-10 14:30 UTC (permalink / raw)
To: netfilter; +Cc: G.W. Haywood
On Tuesday 10 March 2009, you wrote:
> > The last comment to the original mail was the following:
> > > no, this is clearly a problem within the 32bit-userspace / 64bit
> > > kernelspace handling of iptables.
> >
> > Is that true?
>
> ~$ >>> echo '18446744073709551148/(65536*65536*65536*65536)' | bc -l
> .99999999999999997462
Well... aren't those bugs easy to fix? I'm just asking because the
results are correct 99% of the time. So why is the transfer of
the data failing (only) 1% of the time? Is there anything that I
can do or test to nail down this bug?
I can give you more info about the route if it's necessary, that should
not be a problem.
--
So long... Fuzz