Counters are not applied
Closed this issue · 0 comments
frederikmoellers commented
Counter values are correctly read by xtables-monitor, but they are not applied when applying the generated ruleset.
Example:
```
$ xtables-monitor -i 4 -av megaera.xtm
Performing setup for IPv4
Getting interface information
Interface wlan0
Address 0: 10.9.10.204/255.255.248.0
Done.
Getting counters from current setup.
Table 'filter'
Counter 'filter.INPUT': [0:0]
Counter 'filter.FORWARD': [0:0]
Counter 'filter.OUTPUT': [3492:452145]
Counter 'filter.INPUT.allow-established': [2570:1294057]
Counter 'filter.INPUT.allow-local-wlan0-1': [14:1918]
Counter 'filter.INPUT.allow-localhost': [0:0]
Counter 'filter.INPUT.reject': [13:1203]
Table 'mangle'
Counter 'mangle.PREROUTING': [2597:1297178]
Counter 'mangle.INPUT': [2597:1297178]
Counter 'mangle.FORWARD': [0:0]
Counter 'mangle.OUTPUT': [3492:452145]
Counter 'mangle.POSTROUTING': [3506:454063]
Table 'nat'
Counter 'nat.PREROUTING': [11:1099]
Counter 'nat.INPUT': [0:0]
Counter 'nat.OUTPUT': [298:30254]
Counter 'nat.POSTROUTING': [298:30254]
Table 'raw'
Counter 'raw.PREROUTING': [2597:1297178]
Counter 'raw.OUTPUT': [3492:452145]
Done.
Trying to find template in configuration directory
Checking '/etc/xtables-monitor/megaera.xtm'
Found template in '/etc/xtables-monitor/megaera.xtm'
Starting iptables process
*raw
:PREROUTING ACCEPT [2597:1297178]
:OUTPUT ACCEPT [3492:452145]
COMMIT
*nat
:PREROUTING ACCEPT [11:1099]
:POSTROUTING ACCEPT [298:30254]
:OUTPUT ACCEPT [298:30254]
COMMIT
*mangle
:PREROUTING ACCEPT [2597:1297178]
:INPUT ACCEPT [2597:1297178]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3492:452145]
:POSTROUTING ACCEPT [3506:454063]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3492:452145]
[2570:1294057] -A INPUT -m conntrack --ctstate established,related -m comment --comment "XTM:allow-established" -j ACCEPT
[14:1918] -A INPUT -i wlan0 -s 10.9.10.204/255.255.248.0 -m comment --comment "XTM:allow-local-wlan0-1" -j ACCEPT
[0:0] -A INPUT -s 127.0.0.1 -m comment --comment "XTM:allow-localhost" -j ACCEPT
[0:0] -A INPUT -s 10.9.10.204/32 -m comment --comment "XTM:allow-self-wlan0-1" -j ACCEPT
[0:0] -A INPUT -p icmp -m comment --comment "XTM:allow-icmp" -j ACCEPT
[13:1203] -A INPUT -m comment --comment "XTM:reject" -j REJECT
COMMIT
Return code: 0
Done
```

```
$ iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  6547 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* XTM:allow-established */
    0     0 ACCEPT     all  --  wlan0  *       10.9.8.0/21          0.0.0.0/0            /* XTM:allow-local-wlan0-1 */
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0            /* XTM:allow-localhost */
    0     0 ACCEPT     all  --  *      *       10.9.10.204          0.0.0.0/0            /* XTM:allow-self-wlan0-1 */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* XTM:allow-icmp */
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* XTM:reject */ reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 4471 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
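The comparison the report makes by eye, as an added example that is not code from the issue or from xtables-monitor: parse the `[pkts:bytes]` counters the generated ruleset asked `iptables-restore` to set, parse the counters `iptables -nvL` actually shows afterwards, and list every chain policy and rule whose live counter is lower than the requested value. Counters can only grow between the restore and the listing, so a lower value means the bracketed counter was never loaded. The sample inputs are the report's own output re-typed inline (filter table only); the rule keys are built from the `XTM:` comments, which the script assumes are unique within a chain.

```python
"""Spot chain and rule counters that a ruleset asked iptables-restore to set
but that the live table does not reflect (added example, not project code)."""
import re

# Constructed sample: the filter-table part of the ruleset from the report,
# re-typed here so the script runs offline.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3492:452145]
[2570:1294057] -A INPUT -m conntrack --ctstate established,related -m comment --comment "XTM:allow-established" -j ACCEPT
[14:1918] -A INPUT -i wlan0 -s 10.9.10.204/255.255.248.0 -m comment --comment "XTM:allow-local-wlan0-1" -j ACCEPT
[0:0] -A INPUT -s 127.0.0.1 -m comment --comment "XTM:allow-localhost" -j ACCEPT
[0:0] -A INPUT -s 10.9.10.204/32 -m comment --comment "XTM:allow-self-wlan0-1" -j ACCEPT
[0:0] -A INPUT -p icmp -m comment --comment "XTM:allow-icmp" -j ACCEPT
[13:1203] -A INPUT -m comment --comment "XTM:reject" -j REJECT
COMMIT
"""

# Constructed sample: the `iptables -nvL` listing from the report (filter table).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  6547 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* XTM:allow-established */
    0     0 ACCEPT     all  --  wlan0  *       10.9.8.0/21          0.0.0.0/0            /* XTM:allow-local-wlan0-1 */
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0            /* XTM:allow-localhost */
    0     0 ACCEPT     all  --  *      *       10.9.10.204          0.0.0.0/0            /* XTM:allow-self-wlan0-1 */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* XTM:allow-icmp */
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* XTM:reject */ reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 16 packets, 4471 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# iptables-save format: ":CHAIN POLICY [pkts:bytes]" and "[pkts:bytes] -A CHAIN ... --comment "..."".
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) .*--comment "([^"]+)"')
# iptables -nvL format: "Chain NAME (policy P pkts packets, bytes bytes)" and
# rule rows that start with the two counters and end with "/* comment */".
LIST_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy \S+ (\d+) packets, (\d+) bytes\)")
LIST_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+\S+.*/\* (.+?) \*/")


def parse_ruleset(text):
    """Map 'table/CHAIN' (policy counters) and 'table/CHAIN/comment' (rule
    counters) to (pkts, bytes) as requested by an iptables-save style ruleset."""
    counters, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif (m := CHAIN_RE.match(line)):
            counters[f"{table}/{m[1]}"] = (int(m[3]), int(m[4]))
        elif (m := RULE_RE.match(line)):
            counters[f"{table}/{m[3]}/{m[4]}"] = (int(m[1]), int(m[2]))
    return counters


def parse_listing(text, table="filter"):
    """Same key scheme for `iptables -nvL` output (which lists one table; filter
    by default). Rules without a comment get no key and are not compared."""
    counters, chain = {}, None
    for line in text.splitlines():
        if (m := LIST_CHAIN_RE.match(line)):
            chain = m[1]
            counters[f"{table}/{chain}"] = (int(m[2]), int(m[3]))
        elif chain and (m := LIST_RULE_RE.match(line)):
            counters[f"{table}/{chain}/{m[3]}"] = (int(m[1]), int(m[2]))
    return counters


def find_unrestored(expected, observed):
    """Keys whose live counter is below the value the ruleset asked for.
    Counters only increase after a restore, so a lower value means the
    bracketed counter was never applied. A requested [0:0] can never be flagged."""
    return sorted(
        key for key, exp in expected.items()
        if key in observed and (observed[key][0] < exp[0] or observed[key][1] < exp[1])
    )


if __name__ == "__main__":
    expected = parse_ruleset(RULESET)
    observed = parse_listing(LISTING)
    for key in find_unrestored(expected, observed):
        print(f"{key}: requested {expected[key]}, live {observed[key]}")
```

Run it against real output with `iptables -nvxL` rather than plain `-nvL`, because without `-x` iptables abbreviates counts above 99999 as K/M and an exact comparison would flag those spuriously. A related caveat for anyone checking this kind of report: `iptables-restore` only loads the `[pkts:bytes]` values when it is invoked with `-c`/`--counters`; without that option every restored chain and rule starts from zero, which is the pattern the listing above shows.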