38

I came across the following config file:

# Generated by iptables-save v1.3.1 on Sun Apr 23 06:19:53 2006
*filter
:INPUT ACCEPT [368:102354]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92952:20764374]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
# Completed on Sun Apr 23 06:19:53 2006

Does anyone know what [368:102354], [0:0] and [92952:20764374] mean?

  • 1
    You can change them to 0 if you want to save your config in a file. That won't hurt except that it will of course reset the values when you restore it. – Totor Jan 07 '14 at 10:23
  • 1
    @Totor does it make any difference if you remove the numbers completely from the config file? It sounds like they are a report rather than a configuration, so why are they in a configuration file? – barlop Jun 15 '15 at 21:36

2 Answers

36

The two values correspond to the number of packets and the number of bytes that the chain's default policy has been applied to so far (see this other answer for details).

According to the source code in iptables-save.c itself:

/* Dump out chain names first,
 * thereby preventing dependency conflicts */
for (chain = iptc_first_chain(h);
     chain;
     chain = iptc_next_chain(h)) {

    printf(":%s ", chain);
    if (iptc_builtin(chain, h)) {
        /* builtin chain: print its policy and the policy's packet/byte counters */
        struct xt_counters count;
        printf("%s ", iptc_get_policy(chain, &count, h));
        printf("[%llu:%llu]\n",
               (unsigned long long)count.pcnt,
               (unsigned long long)count.bcnt);
    } else {
        /* user-defined chain: no policy, counters always written as 0 */
        printf("- [0:0]\n");
    }
}

And the structure xt_counters is defined as follows in include/linux/netfilter/x_tables.h:

struct xt_counters {
    __u64 pcnt, bcnt; /* Packet and byte counters */
};

Note also that chains which are not builtin are marked with [0:0] anyway (it's a quirk in the code).

perror
11

The two numbers are the number of packets and bytes respectively that the default policy has been applied to (not the total number of packets/bytes seen by the chain). They are specified together with the default policy for the chain - this is because they logically belong there, not because there was no better place.

The default policy is the action that is performed on the packet when no rule with a terminating target has matched. A terminating target is one that stops further processing of the rules in the current top-level chain. For example, targets like ACCEPT or DROP are terminating, while LOG is not.

In the example configuration in this question the last rule in the INPUT chain is to DROP everything, so the default policy will never be applied and the counters should normally remain at 0. Non-zero values (368 packets, 102354 bytes) can be explained by the traffic that took place before the "drop-all" rule was added to the chain.

Non-builtin chains cannot have a default policy by definition, because the default action is always to return to the chain they were called from; that is why they always have counter values of 0.

user56143
  • You may consider adding this to the documentation of iptables-save (manpage)... Don't you think ? :-) – perror Jan 07 '14 at 17:02
  • I saved rules in my iptables using iptables-save and I got: :INPUT DROP [0:0] and :OUTPUT ACCEPT [249529:173953830]. So, I think the person who created the config file didn't pay attention to those numbers. But now, everything is pretty clear. – Mikhail Morfikov Jan 08 '14 at 02:21
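To tie the two answers together in working code, here is an added example (not part of the original question or answers, and not iptables' own code) that parses an iptables-save dump into tables, chains and rules, reads the `[pcnt:bcnt]` policy counters from each `:CHAIN POLICY [...]` header, and applies the two observations above: a user-defined chain is written with `-` in the policy slot and always `[0:0]`, and when the last rule of a builtin chain is a catch-all terminating rule (such as `-A INPUT -j DROP`) the policy can no longer fire, so any non-zero policy counters are stale state from before that rule existed. It also implements the suggestion in the question's comments of zeroing the counters before keeping the dump as configuration. The sample input is the dump from the question plus one constructed user-defined chain (`LOGDROP`) that is not on the page; the names `Chain`, `parse_iptables_save`, `zero_counters` and `policy_report` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the dump from the question plus one user-defined chain
# (LOGDROP, written with "-" in the policy slot) that is not on the original page.
SAMPLE = """\
# Generated by iptables-save v1.3.1 on Sun Apr 23 06:19:53 2006
*filter
:INPUT ACCEPT [368:102354]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92952:20764374]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A LOGDROP -j DROP
COMMIT
# Completed on Sun Apr 23 06:19:53 2006
"""

# Chain header as iptables-save prints it: ":NAME POLICY [pcnt:bcnt]".
CHAIN_RE = re.compile(r"^:(?P<name>\S+)\s+(?P<policy>\S+)\s+\[(?P<pcnt>\d+):(?P<bcnt>\d+)\]$")
# A rule with no match options and a terminating target, e.g. "-A INPUT -j DROP":
# every packet that reaches it is handled there, so the policy is never consulted.
CATCH_ALL_RE = re.compile(r"-A \S+ -j (?:ACCEPT|DROP|REJECT)")


@dataclass
class Chain:
    name: str
    policy: Optional[str]       # None for user-defined chains ("-" in the dump)
    pcnt: int                   # packets handled by the default policy
    bcnt: int                   # bytes handled by the default policy
    rules: List[str] = field(default_factory=list)


def parse_iptables_save(text: str) -> Dict[str, Dict[str, Chain]]:
    """Return {table: {chain_name: Chain}} for an iptables-save dump."""
    tables: Dict[str, Dict[str, Chain]] = {}
    table: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and timestamp comments
        if line.startswith("*"):
            table = line[1:]              # "*filter" opens the filter table
            tables[table] = {}
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m is None or table is None:
                raise ValueError(f"malformed chain header: {line!r}")
            policy = None if m["policy"] == "-" else m["policy"]
            tables[table][m["name"]] = Chain(m["name"], policy, int(m["pcnt"]), int(m["bcnt"]))
        elif line.startswith("-A "):
            if table is None:
                raise ValueError(f"rule outside a table: {line!r}")
            tables[table][line.split()[1]].rules.append(line)
        elif line == "COMMIT":
            table = None
    return tables


def zero_counters(text: str) -> str:
    """Rewrite every chain header to [0:0] so the saved file carries no runtime state."""
    return re.sub(r"^(:\S+\s+\S+\s+)\[\d+:\d+\]$", r"\1[0:0]", text, flags=re.M)


def policy_report(tables: Dict[str, Dict[str, Chain]]) -> dict:
    """Per builtin chain: how much traffic the default policy has handled, whether a
    trailing catch-all rule makes the policy unreachable, and whether the counters
    are therefore stale (accumulated before that rule was added)."""
    report = {}
    for tname, chains in tables.items():
        for c in chains.values():
            if c.policy is None:
                continue                  # user-defined chains have no policy to count
            last = c.rules[-1] if c.rules else None
            unreachable = bool(last and CATCH_ALL_RE.fullmatch(last))
            report[(tname, c.name)] = {
                "policy": c.policy,
                "policy_pcnt": c.pcnt,
                "policy_bcnt": c.bcnt,
                "policy_unreachable": unreachable,
                "stale_counters": unreachable and c.pcnt > 0,
            }
    return report


if __name__ == "__main__":
    for key, info in policy_report(parse_iptables_save(SAMPLE)).items():
        print(key, info)
    print(zero_counters(SAMPLE))
```

Run against the sample, `policy_report` marks INPUT's policy as unreachable with stale counters (368 packets, 102354 bytes from before `-A INPUT -j DROP` was appended), while FORWARD and OUTPUT, which have no rules at all, report their policy as live; `LOGDROP` does not appear in the report because a user-defined chain has no policy. The parser rejects a chain header or rule that appears outside a `*table`/`COMMIT` block rather than silently attaching it somewhere.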