From: Claudio Cuqui <claudio@c3systems.com.br>
To: netfilter@vger.kernel.org
Subject: Problems with statistic module using mode nth
Date: Sat, 30 Aug 2008 08:46:23 -0300
Message-ID: <48B9330F.3040209@c3systems.com.br>
Hi there !
I'm facing something weird when using the statistic module + mode nth. I
started with a simple rule to balance incoming traffic to 2 different
local addresses:
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state \
  --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT \
  --to-destination 10.117.4.53:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state \
  --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT \
  --to-destination 10.117.4.54:25
After some tests I got some "connection refused" messages during my
tests. I checked the server and everything was fine. Then, I decided to
add an extra (unnecessary?) rule:
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state \
  --state NEW -j DNAT --to-destination 10.117.4.54:25
So, the final rule set was:
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state \
  --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT \
  --to-destination 10.117.4.53:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state \
  --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT \
  --to-destination 10.117.4.54:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state \
  --state NEW -j DNAT --to-destination 10.117.4.54:25
I never expected to see anything hit the 3rd rule. But, after adding it, I
didn't receive any more connection refused messages, and checking the
counters, I realized that half of the packets that should match rule #2
were sent to rule #3:
Chain PREROUTING (policy ACCEPT 184K packets, 21M bytes)
 pkts bytes target prot opt in  out source     destination
    6   360 DNAT   tcp  --  *   *   0.0.0.0/0  10.117.4.6  tcp dpt:25 state NEW statistic mode nth every 2 to:10.117.4.53:25
    3   180 DNAT   tcp  --  *   *   0.0.0.0/0  10.117.4.6  tcp dpt:25 state NEW statistic mode nth every 2 packet 1 to:10.117.4.54:25
    3   180 DNAT   tcp  --  *   *   0.0.0.0/0  10.117.4.6  tcp dpt:25 state NEW to:10.117.4.54:25
Am I doing something wrong here?
TIA,
Claudio Cuqui
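The counters above follow from each statistic rule keeping its own nth counter: rule 2 only ever sees the packets that rule 1 let through, and then matches only every second one of those, so the other half fall through to the catch-all. The simulation below is an added example (not code from this post or from netfilter) that models that per-rule counter, reproduces the 6/3/3 split, and shows the usual fix of --every 2 --packet 0 followed by a plain catch-all, generalised to N backends with --every N, N-1, ..., 2 and a final catch-all; the backend addresses are the ones from the post.

```python
"""Constructed model of iptables' '-m statistic --mode nth' (not netfilter code).
Each rule keeps a private counter over the packets that reach it and matches
packet P out of every E of those; nothing is shared between rules."""


class NthMatch:
    """State of one '-m statistic --mode nth --every E --packet P' match."""

    def __init__(self, every, packet):
        assert every >= 1 and 0 <= packet < every
        self.every, self.packet, self.count = every, packet, 0

    def matches(self):
        hit = self.count % self.every == self.packet
        self.count += 1  # advances even when the rule does not match
        return hit


def run_chain(rules, packets):
    """Feed NEW packets through (match_or_None, target) DNAT rules in order.
    DNAT terminates the chain, so the first matching rule wins, as in the
    nat PREROUTING chain from the post. Returns the per-rule 'pkts' counters."""
    hits = [0] * len(rules)
    for _ in range(packets):
        for i, (match, _target) in enumerate(rules):
            if match is None or match.matches():
                hits[i] += 1
                break
    return hits


def posted_ruleset():
    """The three rules from the post, in the order they were added."""
    return [(NthMatch(2, 0), "10.117.4.53:25"),
            (NthMatch(2, 1), "10.117.4.54:25"),
            (None, "10.117.4.54:25")]


def balanced_ruleset(targets):
    """Even round-robin over N targets: --every N, N-1, ..., 2 (each with
    --packet 0), then a plain catch-all rule for the last target."""
    n = len(targets)
    rules = [(NthMatch(n - i, 0), t) for i, t in enumerate(targets[:-1])]
    return rules + [(None, targets[-1])]


if __name__ == "__main__":
    print(run_chain(posted_ruleset(), 12))  # [6, 3, 3]: half of rule 2's share
    print(run_chain(balanced_ruleset(["10.117.4.53:25", "10.117.4.54:25"]), 12))  # [6, 6]
```

Because the model counts per rule over the packets that reach it, the same chain logic also explains why the second rule in the post would need --every 1 (or no statistic match at all) to take everything rule 1 passes on.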