
I've got iptables working on CentOS 7, using version v1.4.21 but also tested on v1.6.0 (mind you I didn't rebuild the kernel since it says I no longer need to for the extensions).

I set up a quota and it gets used:

# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    3639  3999378 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 4000000 bytes
     142   175468 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
#

Then as I add any other rule to this chain, the existing rule "resets" the bytes usage and uses up the quota again:

# iptables -I 192.168.2.5 -m quota --quota 1000 -j ACCEPT
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       2      168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 1000 bytes
    7239  7998334 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 4000000 bytes
     890   387931 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Even when not exceeded, this behavior always adds the quota amount to the rule, even though I am affecting a different rule:

# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     379    67755 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 4000000 bytes
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
# iptables -I 192.168.2.5 -m quota --quota 1000 -j ACCEPT
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       2      168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 1000 bytes
     379    67755 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 4000000 bytes
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      11      924 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 1000 bytes
    4159  4066453 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 4000000 bytes
     315   190056 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

This seems to be a bug, and perhaps related to this one.

Any ideas? My one workaround is to capture the bytes myself and add them to the quota of the new rule. That works well when it's already exceeded, but if not, I might miss out on bytes due to the gap between reading, calculating, deleting and adding.

ericosg
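The workaround the question describes, written out as an added example (not code from the original post or from the iptables project): read the counters of the chain once, compute what each quota rule has left, and replace the rule in place with that remainder so the reload does not hand out the full quota again. It assumes every quota rule in the chain is a bare `-m quota --quota N -j ACCEPT` as in the question, and that the listing has the layout of `iptables -nvx -L`; the sample listing is constructed from the question's third output.

```shell
#!/bin/sh
# Added example (not from the original post or from the iptables project):
# compute the remaining quota of each xt_quota rule from an
# "iptables -nvx -L CHAIN" listing, then replace each rule in place with that
# remainder. Assumes every quota rule is "-m quota --quota N -j ACCEPT".

# Listing as the question's third example shows it (constructed sample input).
SAMPLE_LISTING='Chain 192.168.2.5 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      11      924 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 1000 bytes
    4159  4066453 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            quota: 4000000 bytes
     315   190056 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# remaining_quota LISTING
# Prints one "<rule-number> <bytes-left>" line per rule that carries a
# "quota: N bytes" match. Rule numbers start at 1 in listing order, which is
# what "iptables -R" expects. A rule whose byte counter already passed its
# quota (possible after a reset, as in the sample) reports 0, not a negative.
remaining_quota() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^ *pkts +bytes/ { next }      # the two header lines
        { rule++ }                                  # every other line is a rule
        /quota: [0-9]+ bytes/ {
            for (i = 1; i <= NF; i++) if ($i == "quota:") q = $(i + 1)
            left = q - $2                           # $2 = exact byte count (-x)
            if (left < 0) left = 0
            printf "%d %d\n", rule, left
        }'
}

# reinstall_quota_rules CHAIN
# Re-adds each quota rule with its remainder. Reading and replacing are
# separate operations, so bytes that pass in between are not charged (the gap
# the question mentions); -R at least avoids the moment with no ACCEPT rule at
# all that a -D followed by -I leaves. Values are read once, before the first
# -R, because each -R reloads the table and resets the other quota rules too.
reinstall_quota_rules() {
    chain=$1
    remaining_quota "$(iptables -nvx -L "$chain")" |
    while read -r num left; do
        iptables -R "$chain" "$num" -m quota --quota "$left" -j ACCEPT
    done
}
```

Run `reinstall_quota_rules 192.168.2.5` immediately before any other change to the chain; on the sample listing `remaining_quota` reports 76 bytes left for rule 1 and 0 for rule 2.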

1 Answer


Reading the other question you linked and testing, I can only conclude that the quota module isn't very useful: it resets whenever something changes.

That's surely why there's another module called quota2! It's not part of iptables, but of xtables-addons. In Debian it's available and compiled at installation with xtables-addons-dkms. I think you will have to compile it yourself in CentOS 7.

Three excerpts from the man page (can be found here: xtables-addons.8):

The value of the counter can be read and reset through procfs, thereby making this match a minimalist accounting tool.


--name name
Assign the counter a specific name. This option must be present,

The quota appears in /proc/net/xt_quota/name and is read/write

--quota iq
Specify the initial quota for this counter. If the counter already exists, it is not reset.

That means some logic outside of iptables itself must be used (for example saving remaining quotas and restoring at boot if you had to reboot the server), but this would surely solve your problems.

A.B
  • looks like you're onto something. I compiled it and installed it but I don't seem to be able to make use of any of the xtables-addons on my CentOS 7. – ericosg Sep 12 '16 at 11:28
  • Looking around I found precompiled packages (didn't try anything). Maybe you could try those in a VM at least to assess the usefulness and see later what to do. Whatever the method expect a recompilation whenever there is a kernel upgrade for the kernel module part, so you'd need a non-production server to avoid leaving a compiler around ... packages there: https://pkgs.org/centos-7/lux/xtables-addons-2.10-1.el7.lux.x86_64.rpm.html – A.B Sep 12 '16 at 16:27
  • I forgot to mark it as correct (thanks!), and lux-release contains xtables-addons which is available for CentOS 7 (note that it does not seem to work on 7.4) – ericosg Sep 20 '17 at 19:07
  • initial xt_quota [is being reworked to not lose the quota on rule updates anymore](https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=next-20181031&id=e9837e55b0200da544a095a1fca36efd7fd3ba30), but it's not yet done, [the previous patch was reverted for now due to 32bits arch concerns](https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=next-20181031&id=af510ebd8913bee016492832f532ed919b51c09c) – A.B Oct 31 '18 at 19:59
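The "logic outside of iptables" the answer calls for, as an added example that is not part of the answer or of xtables-addons: a quota2 rule named after the client, plus save/restore of the `/proc/net/xt_quota/<name>` counter across reboots. The proc and state directories are parameters so the save/restore functions can be exercised against ordinary directories; the chain, counter name and sizes follow the question, and `/var/lib/xt_quota` is an assumed location.

```shell
#!/bin/sh
# Added example (not from the answer or from xtables-addons): keep a per-client
# byte quota in xt_quota2, whose counter lives in /proc/net/xt_quota/<name> and
# is not touched by rule reloads, and persist that counter across reboots.

PROC_DIR=${QUOTA_PROC_DIR:-/proc/net/xt_quota}   # one file per --name
STATE_DIR=${QUOTA_STATE_DIR:-/var/lib/xt_quota}  # assumed location for saved counters

# add_quota_rule CHAIN NAME BYTES
# Accept until BYTES have been used, then fall through to DROP. --quota is only
# the initial value: if a counter called NAME already exists it keeps its
# current remainder, so re-adding the rule does not refill it.
add_quota_rule() {
    iptables -I "$1" -m quota2 --name "$2" --quota "$3" -j ACCEPT
    iptables -A "$1" -j DROP
}

# remaining NAME -> bytes still allowed for counter NAME
remaining() { cat "$PROC_DIR/$1"; }

# set_remaining NAME BYTES -> overwrite the counter (the proc file is writable)
set_remaining() { printf '%s\n' "$2" > "$PROC_DIR/$1"; }

# save_quotas: copy every live counter into STATE_DIR. Run it from a shutdown
# hook and from a periodic timer, so an unclean reboot loses at most one interval.
save_quotas() {
    mkdir -p "$STATE_DIR"
    for f in "$PROC_DIR"/*; do
        [ -f "$f" ] || continue
        cat "$f" > "$STATE_DIR/${f##*/}"
    done
}

# restore_quotas: after the rules have been loaded at boot (that is what creates
# the counters), write the saved remainders back. A counter with no saved value
# keeps its initial --quota; a saved value with no matching rule is left alone.
restore_quotas() {
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ -f "$PROC_DIR/$name" ] || continue
        set_remaining "$name" "$(cat "$f")"
    done
}
```

Boot order matters: `add_quota_rule 192.168.2.5 192.168.2.5 4000000` (or the equivalent from iptables-restore) must run before `restore_quotas`, since the proc entry only exists once a rule references the name; `save_quotas` belongs in the shutdown path and on a timer.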