I've got iptables working on CentOS 7, using version v1.4.21 but also tested on v1.6.0 (mind you, I didn't rebuild the kernel since it says I no longer need to for the extensions).
I set up a quota and it gets used:
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
3639 3999378 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
142 175468 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
#
Then as I add any other rule to this chain, the existing rule "resets" the bytes usage and uses up the quota again:
# iptables -I 192.168.2.5 -m quota --quota 1000 -j ACCEPT
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
2 168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 1000 bytes
7239 7998334 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
890 387931 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Even when not exceeded, this behavior always adds the quota amount to the rule, even though I am affecting a different rule:
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
379 67755 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -I 192.168.2.5 -m quota --quota 1000 -j ACCEPT
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
2 168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 1000 bytes
379 67755 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
11 924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 1000 bytes
4159 4066453 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
315 190056 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
This seems to be a bug, and perhaps related to this one.
Any ideas? My one workaround is to capture the bytes myself and add them to the quota of the new rule. That works well when it's already exceeded, but if not, I might miss bytes due to the gap between reading, calculating, deleting and adding.
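
One way to script the workaround described above, as an added example that is not part of the original post: it parses a listing in the `iptables -nvx -L` format shown above, works out how much of each quota is left from the byte counter, and builds the commands that would re-create each quota rule with only that remainder. The sample listing is constructed, the function names are hypothetical, and the code only returns command strings; it assumes the byte counter covers everything the rule has matched under its configured quota.

```python
import re

# Constructed sample in the format printed by `iptables -nvx -L <chain>`.
SAMPLE = """\
Chain 192.168.2.5 (2 references)
    pkts      bytes target     prot opt in     out     source       destination
       2      168 ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    quota: 1000 bytes
    7239  7998334 ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    quota: 4000000 bytes
     890   387931 DROP       all  --  *      *       0.0.0.0/0    0.0.0.0/0
"""

def parse_rules(listing):
    """Return one dict per rule line, numbered in listing order (1-based)."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # skip the "Chain ..." line and the column header
        quota = re.search(r"quota: (\d+) bytes", line)
        rules.append({
            "num": len(rules) + 1,
            "bytes": int(fields[1]),   # exact count because of -x
            "target": fields[2],
            "quota": int(quota.group(1)) if quota else None,
        })
    return rules

def remaining(rule):
    """Bytes still allowed; never negative once the counter passes the quota."""
    return max(rule["quota"] - rule["bytes"], 0)

def rewrite_commands(chain, listing):
    """Build (not run) the commands that pin each quota rule to its remainder.

    Rules are handled bottom-up so a delete never shifts the number of a rule
    that is still to be processed. Bytes matched between taking the listing
    and applying the commands are not accounted for (the gap the post notes).
    """
    cmds = []
    for rule in reversed(parse_rules(listing)):
        if rule["quota"] is None:
            continue
        left = remaining(rule)
        if left > 0:
            cmds.append(f"iptables -R {chain} {rule['num']} "
                        f"-m quota --quota {left} -j {rule['target']}")
        else:
            cmds.append(f"iptables -D {chain} {rule['num']}")  # quota used up
    return cmds

if __name__ == "__main__":
    print("\n".join(rewrite_commands("192.168.2.5", SAMPLE)))
```
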