Re: ipt_random status

Re: ipt_random status

[Stefano Sabatini]

On date Monday 2007-11-05 17:10:05 +0100, Pascal Hambourg wrote:
> Hello,
>
> Stefano Sabatini a écrit :
>> I'm interested in a random filtering rule for iptables: I read about
>> the ipt_randon extension, so I downloaded the patch-o-matic SVN but I
>> checked that it has been removed from the trunk since revision 6568.
>
> The random function has been moved to the 'statistic' match, available 
> since kernel 2.6.18 and iptables 1.3.6.
[...]

Thanks you so much, well I see:
iptables -m statistic --help

Shouldn't it be mentioned in the iptables man page?

http://ovid.rdsct.ro/log/modules/index

Best regards.
-- 
Stefano Sabatini
Linux user number 337176 (see http://counter.li.org)

ipt_random status

[Stefano Sabatini]

Hi all,

this is my first post here, so first of all many thanks for your great
work on netfilter.

I'm interested in a random filtering rule for iptables: I read about
the ipt_randon extension, so I downloaded the patch-o-matic SVN but I
checked that it has been removed from the trunk since revision 6568.

So my question: is there a chance to see it supported again or do I
have to try to manually patch the kernel with the latest SVN included
version, and in this case how many are the chances to get it working?

I would like to help, but I'm far from being a linux hacker...

Finally, can you suggest some equivalent way to get the same effect
with *BSD?

Thank you so much for your help.

Best regards.
-- 
Stefano Sabatini
Linux user number 337176 (see http://counter.li.org)

Re: ipt_random status

[Pascal Hambourg]

Hello,

Stefano Sabatini a écrit :
> 
> I'm interested in a random filtering rule for iptables: I read about
> the ipt_randon extension, so I downloaded the patch-o-matic SVN but I
> checked that it has been removed from the trunk since revision 6568.

The random function has been moved to the 'statistic' match, available 
since kernel 2.6.18 and iptables 1.3.6.

Re: ipt_random status

[Pascal Hambourg]

Stefano Sabatini a écrit :
> 
> iptables -m statistic --help
> 
> Shouldn't it be mentioned in the iptables man page?

Yes, it should. Patches are welcome.

> http://ovid.rdsct.ro/log/modules/index

I can understand the author. Changes in Netfilter/iptables may be 
difficult to track, so I wrote for myself a sort of changelog.

Re: ipt_random status

[Stefano Sabatini]

[-- Attachment #1: Type: text/plain, Size: 561 bytes --]

On date Tuesday 2007-11-06 16:25:48 +0100, Pascal Hambourg wrote:
> Stefano Sabatini a écrit :
>> iptables -m statistic --help
>> Shouldn't it be mentioned in the iptables man page?
>
> Yes, it should. Patches are welcome.

Here it is.
Can someone forward it to the devels?

>> http://ovid.rdsct.ro/log/modules/index
>
> I can understand the author. Changes in Netfilter/iptables may be difficult 
> to track, so I wrote for myself a sort of changelog.

Best regards.
-- 
Stefano Sabatini
Linux user number 337176 (see http://counter.li.org)

[-- Attachment #2: document-xtstatistic.patch --]
[-- Type: text/x-diff, Size: 883 bytes --]

Index: extensions/libxt_statistic.man
===================================================================
--- extensions/libxt_statistic.man	(revision 0)
+++ extensions/libxt_statistic.man	(revision 0)
@@ -0,0 +1,30 @@
+This module matches packets based on some statistic condition.
+It supports two distinct modes settable with the 
+.B --mode
+option.
+.TP
+Supported options:
+.TP
+.BI "--mode " "mode"
+Set the matching mode of the matching rule, supported modes are
+.B random
+or
+.B nth. 
+.TP
+.BI "--probability " "p"
+Set the probability from 0 to 1 for a packet to be randomly
+matched. It works only with the
+.B random
+mode.
+.TP
+.BI "--every " "n"
+Match one packet every nth packet. It works only with the
+.B nth
+mode (see also the 
+.B --packet
+option).
+.TP
+.BI "--packet " "p"
+Set the initial counter value (0 <= p <= n-1, default 0) for the
+.B nth 
+mode.

Re: ipt_random status

[Pascal Hambourg]

Stefano Sabatini a écrit :
> On date Tuesday 2007-11-06 16:25:48 +0100, Pascal Hambourg wrote:
>>
>>Patches are welcome.
> 
> Here it is.
> Can someone forward it to the devels?

Sorry, I forgot to mention that patches must be submitted to the 
netfilter-devel list.

Re: ipt_random status

[Stefano Sabatini]

On date Sunday 2007-11-11 11:57:37 +0100, Pascal Hambourg wrote:
> Stefano Sabatini a écrit :
>> On date Tuesday 2007-11-06 16:25:48 +0100, Pascal Hambourg wrote:
>>>
>>> Patches are welcome.
>> Here it is.
>> Can someone forward it to the devels?
>
> Sorry, I forgot to mention that patches must be submitted to the 
> netfilter-devel list.

Ugh, I was trying to avoid that...

Regards.
-- 
Stefano Sabatini
Linux user number 337176 (see http://counter.li.org)

Re: ipt_random status

[Stefano Sabatini]

On date Sunday 2007-11-11 12:32:05 +0100, Stefano Sabatini wrote:
> On date Sunday 2007-11-11 11:57:37 +0100, Pascal Hambourg wrote:
> > Stefano Sabatini a écrit :
> >> On date Tuesday 2007-11-06 16:25:48 +0100, Pascal Hambourg wrote:
> >>>
> >>> Patches are welcome.
> >> Here it is.
> >> Can someone forward it to the devels?
> >
> > Sorry, I forgot to mention that patches must be submitted to the 
> > netfilter-devel list.
> 
> Ugh, I was trying to avoid that...

It got applied today :-).

Best regards.
-- 
Stefano Sabatini
Linux user number 337176 (see http://counter.li.org)