From: "Nestor A. Diaz" <nestor@tiendalinux.com>
To: netfilter@vger.kernel.org
Subject: Re: Clarification on the use of the statistic module
Date: Fri, 12 Jul 2013 11:55:34 -0500
Message-ID: <51E03506.6020107@tiendalinux.com>
In-Reply-To: <51DF3CAC.7070507@plouf.fr.eu.org>
Hi,

Thank you very much for the explanation, that makes things clearer for me now.
> Each occurrence of the statistic match has its own individual counter.
>
>> According to your suggestion, if I remove the line with the "-j ACCEPT"
>> then the statistic logs as I want, and in fact it does.
>>
>> However if I jump to a 'DNAT' directly, the problem persists (50/25);
>> it doesn't work as I have read from some websites.
> Of course. Like ACCEPT, DNAT is also a terminal target.
Ok, good to know :)
>> As a solution, if I want to jump to DNAT directly then I have to decrease
>> the 'every' option as follows, which does what I want:
>>
>> # This works:
>> /sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every 2 --packet 0 \
>>     -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 \
>>     -j DNAT --to-destination 192.168.2.20:7101
>> /sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every 1 --packet 0 \
>>     -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 \
>>     -j DNAT --to-destination 192.168.2.20:7102
> You realize that "--every 1" does not make any sense and it is much
> simpler to just remove the statistic match in that rule, don't you?
Yes, but as a personal preference: 'Explicit is better than implicit, no
matter how obvious it is'.

I usually make my own bash functions, something like this:

balance tcp eth1 192.168.1.1 7100 0.0.0.0/0 eth0 192.168.2.20 2 7101

which translates to: balance every tcp packet coming from the eth1 interface
with destination IP address 192.168.1.1 and port 7100, coming from
0.0.0.0/0, then DNAT via eth0 to the 192.168.2.20 IP address and balance
between 2 ports, incrementing the port by one starting at 7101.

This is the bash function I use, and it is now working:
balance() {
    DNAT_PROT=${1}
    DNAT_IN_IFACE=${2}
    DNAT_IN_IP=${3}
    DNAT_IN_PORT=${4}
    DNAT_IN_NET=${5}
    DNAT_OUT_IFACE=${6}
    DNAT_OUT_IP=${7}
    DNAT_OUT_EVERY=${8}
    DNAT_OUT_PORT=${9}
    case $MASQMETHOD in
    netfilter)
        # Count 'every' down from N to 1: each terminal DNAT rule takes its
        # share of the packets away, so the next rule needs a smaller
        # 'every' to keep the split even. sort -rn keeps numeric order
        # when N > 9 (plain sort -r would order "10" before "2").
        for i in `seq 1 $((${DNAT_OUT_EVERY})) | sort -rn`
        do
            balance_port=$((${DNAT_OUT_PORT}+${DNAT_OUT_EVERY}-${i}))
            $IPTABLES -t nat -A prerouting_rule \
                -m statistic --mode nth --every ${i} --packet 0 \
                -i ${DNAT_IN_IFACE} -s ${DNAT_IN_NET} -d ${DNAT_IN_IP} \
                -p ${DNAT_PROT} --dport ${DNAT_IN_PORT} \
                -j DNAT --to-destination ${DNAT_OUT_IP}:${balance_port}
            # Let the forwarded traffic through in both directions for this port.
            $IPTABLES -A forwarding_rule -i ${DNAT_IN_IFACE} -o ${DNAT_OUT_IFACE} \
                -s ${DNAT_IN_NET} -d ${DNAT_OUT_IP} -p ${DNAT_PROT} \
                --dport ${balance_port} -j ACCEPT
            $IPTABLES -A forwarding_rule -i ${DNAT_OUT_IFACE} -o ${DNAT_IN_IFACE} \
                -s ${DNAT_OUT_IP} -d ${DNAT_IN_NET} -p ${DNAT_PROT} \
                --sport ${balance_port} -j ACCEPT
        done
        ;;
    esac
}
This way I don't have to type the whole iptables pastoril.

Even the OpenWRT firewall, which is one of the best shell scripts I have
seen for managing iptables, always puts '-t filter' no matter if that is
the default.
>> I am experimenting with the behavior, and if I jump to a custom chain which
>> performs other operations like 'log', the statistics keep working as
>> expected (50/50). However if I put a 'DNAT' rule things become (50/25);
>> it seems DNAT affects the behavior but I don't know why. Any
>> explanation for this will be appreciated.
> Jumping to a user-defined chain is a good idea if multiple actions are
> associated with the same statistic match (e.g. LOG and DNAT). However it
> won't change the fact that terminal targets such as ACCEPT, DROP,
> REJECT, DNAT... prevent further rules from seeing the packet, thus changing the
> actual ratio of further statistic matches.
>
> If the first statistic match takes 1 over N packets, then the next
> statistic match will see only the remaining packets, i.e. N-1 over N,
> not N. So if you want it to also take 1 over N of all packets, it means
> 1 over N-1 of the remaining packets. And so on. This is why you had to
> decrease the 'every' option. The last rule will take all the remaining
> packets without the need for a statistic match.
Regards.
--
Typed on my key64.org keyboard
Nestor A Diaz
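To see why the 'every' values in the thread have to count down (N, N-1, ..., 1) rather than all being N, here is an added simulation of the nth-mode statistic match. It is not code from the thread or from the netfilter project; it models the behaviour Pascal describes (each match occurrence keeps its own counter, terminal targets such as DNAT stop rule traversal, LOG does not) and reproduces the 50/25 and 50/50 outcomes for two ports. The chain layout, rule names and packet counts are constructed for the illustration. It also generalises the decreasing-'every' scheme to any number of ports, which the thread only shows for two.

```python
from collections import Counter


class NthMatch:
    """Model of one occurrence of `-m statistic --mode nth --every N --packet P`.

    Every occurrence in the ruleset keeps its own private counter, which is
    why two rules both written with `--every 2` do not share state.
    """

    def __init__(self, every, packet=0):
        if every < 1 or not 0 <= packet < every:
            raise ValueError("need every >= 1 and 0 <= packet < every")
        self.every = every
        self.packet = packet
        self.count = 0

    def matches(self):
        # Match when the private counter sits at `packet`, then advance it
        # modulo `every`, as the nth mode does for each packet it sees.
        hit = self.count == self.packet
        self.count = (self.count + 1) % self.every
        return hit


def run_chain(rules, npackets):
    """Send `npackets` packets through a chain of (match, target, terminal) rules.

    `match` is an NthMatch or None (matches everything). `terminal` mirrors
    targets like DNAT/ACCEPT/DROP that end rule traversal; LOG is not terminal,
    so the packet continues to the next rule. Returns hit counts per target.
    """
    hits = Counter()
    for _ in range(npackets):
        for match, target, terminal in rules:
            if match is None or match.matches():
                hits[target] += 1
                if terminal:
                    break
        else:
            hits["fell through"] += 1
    return dict(hits)


def naive_dnat_chain(ports, npackets):
    """Every DNAT rule uses `--every len(ports)`: the 50/25 case from the thread."""
    n = len(ports)
    rules = [(NthMatch(n), f"DNAT:{p}", True) for p in ports]
    return run_chain(rules, npackets)


def decreasing_dnat_chain(ports, npackets):
    """`--every` counts down N, N-1, ..., 1 so each DNAT rule gets 1/N of all packets."""
    n = len(ports)
    rules = [(NthMatch(n - k), f"DNAT:{p}", True) for k, p in enumerate(ports)]
    return run_chain(rules, npackets)


def log_then_dnat_chain(ports, npackets):
    """Non-terminal LOG rules with equal `--every` still see every packet,
    so their ratio is undisturbed; only the terminal DNAT rules need the
    decreasing `--every`."""
    n = len(ports)
    rules = [(NthMatch(n), f"LOG:{p}", False) for p in ports]
    rules += [(NthMatch(n - k), f"DNAT:{p}", True) for k, p in enumerate(ports)]
    return run_chain(rules, npackets)


if __name__ == "__main__":
    # Constructed sample: two backend ports, 100 packets.
    ports = [7101, 7102]
    print("all --every 2:   ", naive_dnat_chain(ports, 100))
    print("--every 2, 1:    ", decreasing_dnat_chain(ports, 100))
    print("LOG then DNAT:   ", log_then_dnat_chain(ports, 100))
    print("four ports, 120: ", decreasing_dnat_chain([7101, 7102, 7103, 7104], 120))
```

Running it shows the first port taking half the packets and the second only a quarter when both rules use `--every 2`, with the rest falling through the chain, versus an even split once the second rule uses `--every 1`. The four-port case gives 30 packets per port out of 120 with `--every 4, 3, 2, 1`, which is what the balance() function above generates.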
Thread overview: 6+ messages
2013-07-10 15:12 Clarification on the use of the statistic module Nestor A. Diaz
2013-07-11 9:10 ` Pascal Hambourg
2013-07-11 18:49 ` Nestor A. Diaz
2013-07-11 23:15 ` Pascal Hambourg
2013-07-12 16:55 ` Nestor A. Diaz [this message]
2013-07-12 6:37 ` Emilio Lazo Zaia