[Devel] [PATCH vz10] selftests: netfilter: avoid RULE_REPLACE error when zeroing rule counters
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Mon Jan 5 12:18:58 MSK 2026
Looks good. (presuming awk filtering / xargs work)
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
p.s.: Do we know the iptables version where this problem does not happen? Do we want to ask devops to update iptables to this newer version?
On 1/4/26 09:47, Aleksei Oladko wrote:
> The rpath.sh test fails on certain iptables versions when
> attempting to zero all table counters at once via 'iptables -Z'.
> The operation returns
>
> RULE_REPLACE failed (Invalid argument): rule in chain PREROUTING
>
> As a workaround, reset counters by iterating over rules and
> zeroing them individually instead of using a single RULE_REPLACE
> operation.
>
> https://virtuozzo.atlassian.net/browse/VSTOR-121588
>
> Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
> ---
> tools/testing/selftests/net/netfilter/rpath.sh | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/tools/testing/selftests/net/netfilter/rpath.sh b/tools/testing/selftests/net/netfilter/rpath.sh
> index 86ec4e68594d..1b15daa2e2da 100755
> --- a/tools/testing/selftests/net/netfilter/rpath.sh
> +++ b/tools/testing/selftests/net/netfilter/rpath.sh
> @@ -133,8 +133,12 @@ netns_ping() { # (netns, args...)
> }
>
> clear_counters() {
> - [ -n "$iptables" ] && ip netns exec "$ns2" "$iptables" -t raw -Z
> - [ -n "$ip6tables" ] && ip netns exec "$ns2" "$ip6tables" -t raw -Z
> + [ -n "$iptables" ] && ip netns exec "$ns2" "$iptables" -t raw -Z || \
> + ip netns exec "$ns2" bash -c "'$iptables' -L PREROUTING -t raw -n --line-numbers | \
> + awk '\$1+0>0 {print \$1}' | xargs -rL1 '$iptables' -t raw -Z PREROUTING"
> + [ -n "$ip6tables" ] && ip netns exec "$ns2" "$ip6tables" -t raw -Z || \
> + ip netns exec "$ns2" bash -c "'$ip6tables' -L PREROUTING -t raw -n --line-numbers | \
> + awk '\$1+0>0 {print \$1}' | xargs -rL1 '$ip6tables' -t raw -Z PREROUTING"
> if [ -n "$nft" ]; then
> (
> echo "delete table inet t";
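Review bot: In the two added `[ -n "$iptables" ] && ... -Z || \` lines of clear_counters(), the `||` fallback also runs when `$iptables` (or `$ip6tables`) is empty, because in `A && B || C` the C branch executes whenever A fails. In that case the `bash -c` string tries to run `''` as the command name, and `xargs -r` simply receives no input. Wrapping each family in `if [ -n "$iptables" ]; then ... -Z || <per-rule fallback>; fi` would limit the fallback to the RULE_REPLACE failure the commit message describes. The first `-Z` attempt has no stderr redirection, so on affected versions its error output still lands in the test log before the per-rule pass; a short comment above the fallback explaining why it exists would help the next reader.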
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.