[Devel] [PATCH RHEL10 COMMIT] selftests: netfilter: avoid RULE_REPLACE error when zeroing rule counters

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jan 9 17:32:58 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-55.13.1.2.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-55.13.1.2.29.vz10
------>
commit 8cc4c29182b121bce48b48afaff1f26b07829dac
Author: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
Date:   Sun Jan 4 01:47:25 2026 +0000

    selftests: netfilter: avoid RULE_REPLACE error when zeroing rule counters
    
    The rpath.sh test fails on certain iptables versions when
    attempting to zero all table counters at once via 'iptables -Z'.
    The operation returns
    
      RULE_REPLACE failed (Invalid argument): rule in chain PREROUTING
    
    As a workaround, reset counters by iterating over rules and
    zeroing them individually instead of using a single RULE_REPLACE
    operation.
    
    https://virtuozzo.atlassian.net/browse/VSTOR-121588
    
    Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Feature: fix selftests
---
 tools/testing/selftests/net/netfilter/rpath.sh | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/net/netfilter/rpath.sh b/tools/testing/selftests/net/netfilter/rpath.sh
index 86ec4e68594dc..2272d0ba0f977 100755
--- a/tools/testing/selftests/net/netfilter/rpath.sh
+++ b/tools/testing/selftests/net/netfilter/rpath.sh
@@ -133,8 +133,24 @@ netns_ping() { # (netns, args...)
 }
 
 clear_counters() {
-	[ -n "$iptables" ] && ip netns exec "$ns2" "$iptables" -t raw -Z
-	[ -n "$ip6tables" ] && ip netns exec "$ns2" "$ip6tables" -t raw -Z
+	if [ -n "$iptables" ]; then
+		if ! ip netns exec "$ns2" "$iptables" -t raw -Z 2>/dev/null; then
+			ip netns exec "$ns2" "$iptables" -L PREROUTING -t raw -n --line-numbers | \
+			awk '$1+0>0 {print $1}' | \
+			while read rulenum; do
+				ip netns exec "$ns2" "$iptables" -t raw -Z PREROUTING "$rulenum" 2>/dev/null
+			done
+		fi
+	fi
+	if [ -n "$ip6tables" ]; then
+		if ! ip netns exec "$ns2" "$ip6tables" -t raw -Z 2>/dev/null; then
+			ip netns exec "$ns2" "$ip6tables" -L PREROUTING -t raw -n --line-numbers | \
+			awk '$1+0>0 {print $1}' | \
+			while read rulenum; do
+				ip netns exec "$ns2" "$ip6tables" -t raw -Z PREROUTING "$rulenum" 2>/dev/null
+			done
+		fi
+	fi
 	if [ -n "$nft" ]; then
 		(
 			echo "delete table inet t";
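Review bot: The per-rule fallback in clear_counters discards both stderr and the exit status of `"$iptables" -t raw -Z PREROUTING "$rulenum" 2>/dev/null`, so if that call also fails the function returns as though the counters were reset and later checks may run against stale packet counts; the ip6tables branch has the same problem. Drop the redirect on the per-rule call and report the failure, e.g. `ip netns exec "$ns2" "$iptables" -t raw -Z PREROUTING "$rulenum" || echo "cannot zero raw/PREROUTING rule $rulenum" >&2`, and read with `while read -r rulenum`. The fallback also resets only PREROUTING, whereas the bare `-Z` it replaces covers every chain in the raw table; that is equivalent only if the test keeps all its rules in PREROUTING, which this hunk does not show. The body of clear_counters continues past the end of the hunk.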

