* statistic match support in iptables snapshots
@ 2006-08-31 13:21 Marco Berizzi
  2006-08-31 13:26 ` Patrick McHardy
  0 siblings, 1 reply; 8+ messages in thread
From: Marco Berizzi @ 2006-08-31 13:21 UTC (permalink / raw)
  To: netfilter-devel

I would like to test the new statistic match
before linux 2.6.18 final. Would it be possible
to include the support library in the iptables
daily snapshots?

TIA

* Re: statistic match support in iptables snapshots
  2006-08-31 13:21 statistic match support in iptables snapshots Marco Berizzi
@ 2006-08-31 13:26 ` Patrick McHardy
  2006-08-31 14:11   ` Marco Berizzi
  0 siblings, 1 reply; 8+ messages in thread
From: Patrick McHardy @ 2006-08-31 13:26 UTC (permalink / raw)
  To: Marco Berizzi; +Cc: netfilter-devel

Marco Berizzi wrote:
> I would like to test the new statistic match
> before linux 2.6.18 final. Would it be possible
> to include the support library in the iptables
> daily snapshots?

I've just added it to SVN, it should appear in the next snapshot.

* Re: statistic match support in iptables snapshots
  2006-08-31 13:26 ` Patrick McHardy
@ 2006-08-31 14:11   ` Marco Berizzi
  2006-08-31 14:31     ` Patrick McHardy
  0 siblings, 1 reply; 8+ messages in thread
From: Marco Berizzi @ 2006-08-31 14:11 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Patrick McHardy wrote:

>Marco Berizzi wrote:
> > I would like to test the new statistic match
> > before linux 2.6.18 final. Would it be possible
> > to include the support library in the iptables
> > daily snapshots?
>
>I've just added it to SVN, it should appear in the next snapshot.

oohh thanks a lot for the quick response.
Sorry for bothering you again: is it not possible
to have multiple counters with 'nth mode'?
I have taken a look at the source code:

"statistic match v%s options:\n"
" --mode mode                    Match mode (random, nth)\n"
" random mode:\n"
" --probability p                Probability\n"
" nth mode:\n"
" --every n                      Match every nth packet\n"
" --packet p                     Initial counter value (0 <= p <= n-1, default 0)\n"
"\n",

* Re: statistic match support in iptables snapshots
  2006-08-31 14:11   ` Marco Berizzi
@ 2006-08-31 14:31     ` Patrick McHardy
  2006-08-31 15:08       ` Marco Berizzi
  2006-09-04 13:05       ` Marco Berizzi
  0 siblings, 2 replies; 8+ messages in thread
From: Patrick McHardy @ 2006-08-31 14:31 UTC (permalink / raw)
  To: Marco Berizzi; +Cc: netfilter-devel

Marco Berizzi wrote:
> Sorry for bothering you again: is it not possible
> to have multiple counters with 'nth mode'?

No, why is that useful? You can just use multiple matches.

* Re: statistic match support in iptables snapshots
  2006-08-31 14:31     ` Patrick McHardy
@ 2006-08-31 15:08       ` Marco Berizzi
  2006-08-31 15:38         ` Patrick McHardy
  2006-09-04 13:05       ` Marco Berizzi
  1 sibling, 1 reply; 8+ messages in thread
From: Marco Berizzi @ 2006-08-31 15:08 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Patrick McHardy wrote:

>Marco Berizzi wrote:
> > Sorry for bothering you again: is it not possible
> > to have multiple counters with 'nth mode'?
>
>No, why is that useful? You can just use multiple matches.

ok, it's clear.

Just the last question. I have tried to insert a couple of
rules with an out-of-range packet number and the kernel has
eaten them:

iptables -A FORWARD -m statistic --mode nth --every 2 --packet 0 -j ACCEPT
iptables -A FORWARD -m statistic --mode nth --every 2 --packet 1 -j ACCEPT
iptables -A FORWARD -m statistic --mode nth --every 2 --packet 2 -j ACCEPT
iptables -A FORWARD -m statistic --mode nth --every 2 --packet 20 -j ACCEPT

iptables -nvxL
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           statistic mode nth every 2
       0        0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           statistic mode nth every 2 packet 1
       0        0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           statistic mode nth every 2 packet 2
       0        0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           statistic mode nth every 2 packet 20

uname -a
Linux Calimero 2.6.18-rc5 #1 PREEMPT Mon Aug 28 10:25:52 CEST 2006 i686 unknown unknown GNU/Linux

* Re: statistic match support in iptables snapshots
  2006-08-31 15:08       ` Marco Berizzi
@ 2006-08-31 15:38         ` Patrick McHardy
  0 siblings, 0 replies; 8+ messages in thread
From: Patrick McHardy @ 2006-08-31 15:38 UTC (permalink / raw)
  To: Marco Berizzi; +Cc: netfilter-devel

Marco Berizzi wrote:
> Patrick McHardy wrote:
> 
>> Marco Berizzi wrote:
>> > Sorry for bothering you again: is it not possible
>> > to have multiple counters with 'nth mode'?
>>
>> No, why is that useful? You can just use multiple matches.
> 
> 
> ok, it's clear.
> 
> Just the last question. I have tried to insert a couple of
> rules with an out-of-range packet number and the kernel has
> eaten them:
> 
> iptables -A FORWARD -m statistic --mode nth --every 2 --packet 0 -j ACCEPT
> iptables -A FORWARD -m statistic --mode nth --every 2 --packet 1 -j ACCEPT
> iptables -A FORWARD -m statistic --mode nth --every 2 --packet 2 -j ACCEPT
> iptables -A FORWARD -m statistic --mode nth --every 2 --packet 20 -j ACCEPT


Mhh, that's more something for userspace to catch, in my opinion.
I'll add a check there.

* Re: statistic match support in iptables snapshots
  2006-08-31 14:31     ` Patrick McHardy
  2006-08-31 15:08       ` Marco Berizzi
@ 2006-09-04 13:05       ` Marco Berizzi
  2006-09-04 13:37         ` Patrick McHardy
  1 sibling, 1 reply; 8+ messages in thread
From: Marco Berizzi @ 2006-09-04 13:05 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Patrick McHardy wrote:

>Marco Berizzi wrote:
> > Sorry for bothering you again: is it not possible
> > to have multiple counters with 'nth mode'?
>
>No, why is that useful? You can just use multiple matches.

Hi Patrick,

me again, sorry.
I'm testing 2.6.18-rc6 + iptables-1.3.5-20060902.
I'm trying to do a simple load-balancing between
two adsl lines.
This is my POSTROUTING chain in the nat table:

6455   387300 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 to:adsl_b_ip
3227   193620 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 packet 1 to:adsl_a_ip

This is a tcpdump capture taken on the eth0 (external nic):

14:46:16.783465 IP (tos 0x0, ttl  64, id 28099, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3808 > 217.199.3.51.80: S,
14:46:17.493837 IP (tos 0x0, ttl  64, id 1810, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2130 > 217.199.3.51.80: S,
14:46:17.634456 IP (tos 0x0, ttl  64, id 59103, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.3929 > 217.199.3.34.80: S,
14:46:17.672954 IP (tos 0x0, ttl  64, id 25522, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1291 > 217.199.3.51.80: S,
14:46:19.316781 IP (tos 0x0, ttl  64, id 5334, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3296 > 207.46.115.7.80: S,
14:46:20.231297 IP (tos 0x0, ttl  64, id 18663, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.3196 > 207.46.115.13.80: S,
14:46:21.186856 IP (tos 0x0, ttl  64, id 12641, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.1196 > 216.120.228.12.80: S,
14:46:27.217423 IP (tos 0x0, ttl  64, id 54559, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2128 > 207.46.115.14.80: S,
14:46:27.919826 IP (tos 0x0, ttl  64, id 25297, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.4349 > 207.46.115.3.80: S,
14:46:31.697147 IP (tos 0x0, ttl  64, id 21406, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1545 > 207.46.115.6.80: S,
14:46:32.484631 IP (tos 0x0, ttl  64, id 2001, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.4650 > 207.46.115.14.80: S,
14:46:34.996772 IP (tos 0x0, ttl  64, id 16676, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2644 > 195.149.150.239.80: S,
14:46:35.726995 IP (tos 0x0, ttl  64, id 36671, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3929 > 85.248.115.230.80: S,

As you can see, sometimes the hdsl_ip isn't NATed,
so I have modified the rule:

421    25260 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 to:adsl_b_ip
211    12660 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 to:adsl_a_ip

but the results don't change...
Am I missing anything?

14:55:39.524501 IP (tos 0x0, ttl  64, id 55823, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.2843 > 207.46.115.7.80: S,
14:55:39.535730 IP (tos 0x0, ttl  64, id 13613, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.3219 > 64.202.119.131.80: S,
14:55:40.468068 IP (tos 0x0, ttl  64, id 12719, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2253 > 207.46.115.13.80: S,
14:55:40.779029 IP (tos 0x0, ttl  64, id 35299, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3051 > 72.14.221.147.80: S,
14:55:45.413782 IP (tos 0x0, ttl  64, id 5390, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.3908 > 194.20.158.101.80: S,
14:55:45.702878 IP (tos 0x0, ttl  64, id 9809, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1443 > 195.110.122.162.80: S,
14:55:45.972760 IP (tos 0x0, ttl  64, id 31590, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.2182 > 195.110.122.162.80: S,
14:55:46.322893 IP (tos 0x0, ttl  64, id 4527, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1222 > 195.110.122.162.80: S,
14:55:46.360383 IP (tos 0x0, ttl  64, id 64233, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.4970 > 207.46.115.2.80: S,
14:55:46.456994 IP (tos 0x0, ttl  64, id 56844, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.4875 > 195.110.126.136.80: S,
14:55:46.564861 IP (tos 0x0, ttl  64, id 34169, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.4448 > 212.239.41.101.80: S,
14:55:48.146673 IP (tos 0x0, ttl  64, id 964, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2207 > 207.46.115.3.80: S,
14:55:48.575692 IP (tos 0x0, ttl  64, id 62414, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.1461 > 213.92.76.114.80: S,
14:55:48.710787 IP (tos 0x0, ttl  64, id 30414, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.3742 > 212.162.68.25.80: S,
14:55:49.454996 IP (tos 0x0, ttl  64, id 56845, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.4875 > 195.110.126.136.80: S,
14:55:50.086620 IP (tos 0x0, ttl  64, id 54523, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.2023 > 213.92.76.114.80: S,
14:55:50.297110 IP (tos 0x0, ttl  64, id 49994, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.4284 > 207.46.115.8.80: S,
14:55:52.519131 IP (tos 0x0, ttl  64, id 919, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.1180 > 207.46.115.14.80: S,
14:55:52.569335 IP (tos 0x0, ttl  64, id 60555, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.4164 > 207.46.115.6.80: S,
14:55:53.318467 IP (tos 0x0, ttl  64, id 1412, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1104 > 207.46.115.6.80: S,
14:55:53.952161 IP (tos 0x0, ttl  64, id 31980, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.4005 > 213.92.76.114.80: S,
14:55:54.102702 IP (tos 0x0, ttl  64, id 36293, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.3646 > 213.92.76.114.80: S,
14:55:55.914552 IP (tos 0x0, ttl  64, id 9611, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.3636 > 194.20.158.101.80: S,
14:55:56.230173 IP (tos 0x0, ttl  64, id 57379, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.4272 > 195.110.122.162.80: S,
14:55:56.363610 IP (tos 0x0, ttl  64, id 25956, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.1527 > 207.46.115.2.80: S,
14:55:57.472111 IP (tos 0x0, ttl  64, id 9560, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.4967 > 72.14.221.99.80: S,
14:55:57.980268 IP (tos 0x0, ttl  64, id 9540, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.4185 > 72.14.221.104.80: S,
14:55:59.532299 IP (tos 0x0, ttl  64, id 62589, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1091 > 207.46.115.7.80: S,
14:56:00.471094 IP (tos 0x0, ttl  64, id 24450, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3713 > 207.46.115.13.80: S,
14:56:00.636757 IP (tos 0x0, ttl  64, id 37289, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2526 > 195.110.122.162.80: S,
14:56:01.101303 IP (tos 0x0, ttl  64, id 38086, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.1506 > 195.110.126.136.80: S,
14:56:01.292540 IP (tos 0x0, ttl  64, id 3092, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.3287 > 217.212.240.172.80: S,

* Re: statistic match support in iptables snapshots
  2006-09-04 13:05       ` Marco Berizzi
@ 2006-09-04 13:37         ` Patrick McHardy
  0 siblings, 0 replies; 8+ messages in thread
From: Patrick McHardy @ 2006-09-04 13:37 UTC (permalink / raw)
  To: Marco Berizzi; +Cc: netfilter-devel

Marco Berizzi wrote:
> 6455   387300 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 to:adsl_b_ip
> 3227   193620 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 packet 1 to:adsl_a_ip
> 
> This is a tcpdump capture taken on the eth0 (external nic):
> 
> 14:46:16.783465 IP (tos 0x0, ttl  64, id 28099, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3808 > 217.199.3.51.80: S,
> 14:46:17.493837 IP (tos 0x0, ttl  64, id 1810, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2130 > 217.199.3.51.80: S,
> 14:46:17.634456 IP (tos 0x0, ttl  64, id 59103, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.3929 > 217.199.3.34.80: S,
> 14:46:17.672954 IP (tos 0x0, ttl  64, id 25522, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1291 > 217.199.3.51.80: S,
> 14:46:19.316781 IP (tos 0x0, ttl  64, id 5334, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3296 > 207.46.115.7.80: S,
> 14:46:20.231297 IP (tos 0x0, ttl  64, id 18663, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.3196 > 207.46.115.13.80: S,
> 14:46:21.186856 IP (tos 0x0, ttl  64, id 12641, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.1196 > 216.120.228.12.80: S,
> 14:46:27.217423 IP (tos 0x0, ttl  64, id 54559, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2128 > 207.46.115.14.80: S,
> 14:46:27.919826 IP (tos 0x0, ttl  64, id 25297, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.4349 > 207.46.115.3.80: S,
> 14:46:31.697147 IP (tos 0x0, ttl  64, id 21406, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.1545 > 207.46.115.6.80: S,
> 14:46:32.484631 IP (tos 0x0, ttl  64, id 2001, offset 0, flags [DF], proto: TCP (6), length: 60) hdsl_ip.4650 > 207.46.115.14.80: S,
> 14:46:34.996772 IP (tos 0x0, ttl  64, id 16676, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_b.2644 > 195.149.150.239.80: S,
> 14:46:35.726995 IP (tos 0x0, ttl  64, id 36671, offset 0, flags [DF], proto: TCP (6), length: 60) adsl_ip_a.3929 > 85.248.115.230.80: S,
> 
> As you can see, sometimes the hdsl_ip isn't NATed,
> so I have modified the rule:
> 
> 421    25260 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 to:adsl_b_ip
> 211    12660 SNAT       tcp  --  *      eth0    hdsl_ip      !172.16.0.0/12       multiport dports 20,21,80,123,443,2080,8080,8201,10000,8102,1443 statistic mode nth every 2 to:adsl_a_ip
> 
> but the results don't change...
> Am I missing anything?

All NAT targets are terminal, so the first rule already eats half the
packets and the second one only matches on one half of the remaining
half. Try without nth in the second line.
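The chain behaviour Patrick describes, as an added example that is not part of the thread or of netfilter's code. It is a small Python model of the nth-mode counter from the usage text quoted earlier in the thread (`--every n`, `--packet p` as the initial counter value) walking a chain whose targets are terminal, the way SNAT is. The counter semantics are an assumption: a per-rule counter that fires when it reads 0 and advances modulo `every`, which reproduces "match every nth packet" with a configurable offset but is not the kernel's xt_statistic implementation. The rule names, the 1000-packet runs and the `balance_evenly` helper are illustrative, not from the thread.

```python
"""Model of the iptables 'statistic --mode nth' match in a chain whose
targets are terminal (SNAT).  Added example, not code from the thread or
from netfilter.  Counter semantics are a simplified model of the documented
behaviour (a per-rule counter starting at --packet that fires once every
--every packets the rule actually sees), not the kernel's xt_statistic.c."""

from collections import Counter


class NthMatch:
    """One '-m statistic --mode nth --every E --packet P' instance.

    Every rule gets its own counter (as Patrick says: use multiple matches,
    there is no multi-counter mode).  The counter only advances for packets
    that actually reach this rule.
    """

    def __init__(self, every, packet=0):
        if every < 1:
            raise ValueError("--every must be >= 1")
        # Range from the usage text (0 <= p <= n-1).  The thread notes the
        # 2.6.18-rc5 kernel accepted --packet 20 with --every 2, so this is
        # the check userspace has to make.
        if not 0 <= packet <= every - 1:
            raise ValueError(f"--packet must be in 0..{every - 1}")
        self.every = every
        self.count = packet

    def __call__(self):
        hit = self.count == 0
        self.count = (self.count + 1) % self.every
        return hit


def always():
    """A rule with no statistic match: matches every packet that reaches it."""
    return True


def run_chain(rules, n_packets, fallthrough="hdsl_ip"):
    """Walk n_packets through rules = [(match, target), ...].

    Targets are terminal: the first matching rule takes the packet and the
    rules below never see it.  Packets matching nothing keep their source
    address, i.e. leave un-NATed as hdsl_ip in the thread's capture.
    """
    seen = Counter()
    for _ in range(n_packets):
        for match, target in rules:
            if match():
                seen[target] += 1
                break
        else:
            seen[fallthrough] += 1
    return seen


def first_attempt(n=1000):
    """Marco's first ruleset: every 2 packet 0 -> adsl_b, every 2 packet 1 -> adsl_a."""
    return run_chain([(NthMatch(2, 0), "adsl_b_ip"),
                      (NthMatch(2, 1), "adsl_a_ip")], n)


def second_attempt(n=1000):
    """Marco's second ruleset: both rules 'every 2' with the default packet 0."""
    return run_chain([(NthMatch(2, 0), "adsl_b_ip"),
                      (NthMatch(2, 0), "adsl_a_ip")], n)


def fixed(n=1000):
    """Patrick's suggestion: drop the nth match from the second rule."""
    return run_chain([(NthMatch(2, 0), "adsl_b_ip"),
                      (always, "adsl_a_ip")], n)


def balance_evenly(targets, n=1000):
    """Generalisation to k terminal targets (illustrative helper, not from
    the thread): rule i uses 'every k-i', so each rule takes an equal share
    of what reaches it, and the last rule is unconditional."""
    k = len(targets)
    rules = [(NthMatch(k - i, 0), t) for i, t in enumerate(targets[:-1])]
    rules.append((always, targets[-1]))
    return run_chain(rules, n)


if __name__ == "__main__":
    for name, fn in (("first attempt", first_attempt),
                     ("second attempt", second_attempt),
                     ("without nth on rule 2", fixed)):
        print(f"{name:22s} {dict(fn())}")
    print("three uplinks          ", dict(balance_evenly(["a", "b", "c"], 900)))
```

Both of Marco's rulesets come out the same way: the first rule takes half of everything, the second rule's counter only ever sees the other half and takes half of that, and the remaining quarter leaves with hdsl_ip unchanged. That is the 2:1 ratio visible in his rule counters (6455 vs 3227, 421 vs 211). With the second rule unconditional the split is 50/50 and nothing falls through. The same reasoning gives the usual pattern for k uplinks: `--every k`, then `--every k-1`, and so on down to a final rule with no statistic match at all.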
