Subject: inquiry for behavior of xt_RATEEST.
From: Taehee Yoo @ 2017-11-27 15:56 UTC (permalink / raw)
To: Pablo Neira Ayuso, Florian Westphal, edumazet
Cc: Netfilter Developer Mailing List
Hi,
I found a strange result while testing netfilter with the RATEEST target and
the rateest match.
Please look at the test environment and result below.
#Network
PC1(192.168.4.2) < ---> FW1(192.168.4.1)
PC2(192.168.5.2) < ---> FW2(192.168.5.1)
FW1 kernel version : before 1c0d32fde5bdf1184bc274f864c09799278a1114
FW2 kernel version : 1c0d32fde5bdf1184bc274f864c09799278a1114
#iptables rules (FW1 and FW2 have the same rules)
iptables -t mangle -I PREROUTING -p udp --dport 1111 -j RATEEST --rateest-name ap1 --rateest-interval 250ms --rateest-ewma 0.5s
iptables -t mangle -I PREROUTING -p udp --dport 1111 -j RATEEST --rateest-name ap2 --rateest-interval 250ms --rateest-ewma 0.5s
iptables -t mangle -A PREROUTING -p udp --dport 1111 -m rateest --rateest1 ap1 --rateest-eq --rateest2 ap2 --rateest-bps -j ACCEPT
iptables -t mangle -A PREROUTING -p udp --dport 1111 -m rateest --rateest1 ap1 --rateest-gt --rateest2 ap2 --rateest-bps -j ACCEPT
iptables -t mangle -A PREROUTING -p udp --dport 1111 -m rateest --rateest1 ap1 --rateest-lt --rateest2 ap2 --rateest-bps -j ACCEPT
iptables -t mangle -A PREROUTING -p udp --dport 1111 -m rateest --rateest1 ap1 --rateest-eq --rateest2 ap2 --rateest-pps -j ACCEPT
iptables -t mangle -A PREROUTING -p udp --dport 1111 -m rateest --rateest1 ap1 --rateest-gt --rateest2 ap2 --rateest-pps -j ACCEPT
iptables -t mangle -A PREROUTING -p udp --dport 1111 -m rateest --rateest1 ap1 --rateest-lt --rateest2 ap2 --rateest-pps -j ACCEPT
#PC1
hping3 192.168.4.1 --udp -s 1 -p 1111 -k --flood
#PC2
hping3 192.168.5.1 --udp -s 1 -p 1111 -k --flood
#Result
#FW1
root@ubuntu:~# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 392K packets, 573M bytes)
 pkts bytes target  prot opt in  out source   destination
 644K   18M RATEEST udp  --  any any anywhere anywhere    udp dpt:1111 name ap2 interval 250.0ms ewmalog 500.0ms
 644K   18M RATEEST udp  --  any any anywhere anywhere    udp dpt:1111 name ap1 interval 250.0ms ewmalog 500.0ms
 644K   18M ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 bps eq ap2 bps
    0     0 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 bps gt ap2 bps
    0     0 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 bps lt ap2 bps
    0     0 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 pps eq ap2 pps
    0     0 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 pps gt ap2 pps
    0     0 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 pps lt ap2 pps
#FW2
root@fw2:/home/ap2# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 5118 packets, 5571K bytes)
 pkts  bytes target  prot opt in  out source   destination
 266K  7447K RATEEST udp  --  any any anywhere anywhere    udp dpt:1111 name ap2 interval 250.0ms ewmalog 500.0ms
 266K  7447K RATEEST udp  --  any any anywhere anywhere    udp dpt:1111 name ap1 interval 250.0ms ewmalog 500.0ms
90439  2532K ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 bps eq ap2 bps
86528  2423K ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 bps gt ap2 bps
88978  2491K ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 bps lt ap2 bps
    0      0 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 pps eq ap2 pps
    2     56 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 pps gt ap2 pps
    0      0 ACCEPT  udp  --  any any anywhere anywhere    udp dpt:1111 rateest match ap1 pps lt ap2 pps
The behavior of RATEEST has changed after
1c0d32fde5bdf1184bc274f864c09799278a1114.
The FW1 kernel is bec60e50af83741cde1786ab475d4bf472aed6f9
and the FW2 kernel is 1c0d32fde5bdf1184bc274f864c09799278a1114.
I think the behavior of FW1 is normal,
but FW2 is a little bit strange.
Could you tell me what the actually right behavior is?
Thanks!
Taehee
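A user-space model of how two rate estimators fed by the same counter can still compare gt or lt, added here as an example and not code from the post or from the kernel. The traffic pattern, the 130 ms registration skew and the use of the names ap1/ap2 are constructed, and the EWMA arithmetic is a simplification of what a kernel rate estimator does. Two estimators whose timers tick in lockstep see identical window sums and stay exactly equal; two estimators whose timers are offset sample different windows of the same counter, so their smoothed rates diverge transiently in both directions even though every packet was counted by both.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define INTERVAL_MS 250   /* --rateest-interval 250ms */
#define EWMA_SHIFT  1     /* --rateest-ewma 0.5s is two intervals: weight 1/2 per tick */

/* One rate estimator: the byte rate over the last interval folded into an EWMA. */
struct est {
    uint64_t last_bytes;  /* shared counter value at the previous timer tick */
    int64_t  avbps;       /* smoothed bytes per second */
    uint64_t next_ms;     /* next timer expiry; fixed by registration time */
};

struct tally { uint64_t eq, gt, lt; };

/* Constructed traffic: 350 ms at 300 B/ms, then 350 ms at 100 B/ms, repeating. */
static uint64_t bytes_in_ms(uint64_t t_ms)
{
    return (t_ms % 700 < 350) ? 300 : 100;
}

static void est_init(struct est *e, uint64_t now_ms, uint64_t counter)
{
    e->last_bytes = counter;
    e->avbps = 0;
    e->next_ms = now_ms + INTERVAL_MS;
}

/* Timer tick: rate over the last window, then avbps += (rate - avbps) / 2. */
static void est_sample(struct est *e, uint64_t counter)
{
    int64_t brate = (int64_t)(counter - e->last_bytes) * 1000 / INTERVAL_MS;
    e->avbps += (brate - e->avbps) / (1 << EWMA_SHIFT);
    e->last_bytes = counter;
    e->next_ms += INTERVAL_MS;
}

/* Feed ap1 and ap2 from one counter for duration_ms; ap2 is registered
 * phase_b_ms after ap1. Every millisecond a "packet" compares ap1 bps with
 * ap2 bps, which is what the three --rateest-bps rules in the post do. */
struct tally simulate(uint64_t phase_b_ms, uint64_t duration_ms)
{
    struct tally t = {0, 0, 0};
    struct est ap1 = {0, 0, 0}, ap2 = {0, 0, 0};
    uint64_t counter = 0;

    est_init(&ap1, 0, counter);
    for (uint64_t now = 0; now <= duration_ms; now++) {
        if (now == phase_b_ms)
            est_init(&ap2, now, counter);
        if (now == ap1.next_ms)
            est_sample(&ap1, counter);
        if (now >= phase_b_ms && now == ap2.next_ms)
            est_sample(&ap2, counter);
        if (now >= phase_b_ms) {
            if (ap1.avbps == ap2.avbps)     t.eq++;
            else if (ap1.avbps > ap2.avbps) t.gt++;
            else                            t.lt++;
        }
        counter += bytes_in_ms(now);  /* this millisecond's bytes land after the tick */
    }
    return t;
}

int main(void)
{
    struct tally lockstep = simulate(0, 7000);
    struct tally skewed   = simulate(130, 7000);

    printf("same timer:  eq=%" PRIu64 " gt=%" PRIu64 " lt=%" PRIu64 "\n",
           lockstep.eq, lockstep.gt, lockstep.lt);
    printf("130 ms skew: eq=%" PRIu64 " gt=%" PRIu64 " lt=%" PRIu64 "\n",
           skewed.eq, skewed.gt, skewed.lt);
    return 0;
}
```

Running it gives a first tally that is all eq and a second one split across eq, gt and lt, which is the shape of the FW2 counters above. The model only shows that independently phased timers are sufficient to produce that pattern on identical traffic; whether that is what the kernel commit in question changed is the question the post asks.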