Statistic module

Statistic module

[Barry A Rich]

I'm working with an embedded system with the 2.6.19.2 kernel. I'd prefer not
to upgrade the kernel at this time, but need features of the latest versions
of iproute and iptables. I built iptables-1.4.1.1 and iproute2-2.6.26 for
this kernel. Everything seems to work except the following:

iptables -t mangle -A PREROUTING -p udp --sport 6970 -m statistic --mode nth
--every 2 --packet 0 -j MARK --set-mark 1

It produces:

iptables: No chain/target/match by that name

I think it is not finding the statistic module.

What am I doing wrong.

Re: Statistic module

[Pascal Hambourg]

Hello,

Barry A Rich a écrit :
> I'm working with an embedded system with the 2.6.19.2 kernel. I'd prefer not
> to upgrade the kernel at this time, but need features of the latest versions
> of iproute and iptables.

Usually the new features are actually in the kernel. Iptables and 
iproute are just upgraded to be able to use them.

> I built iptables-1.4.1.1 and iproute2-2.6.26 for
> this kernel. Everything seems to work except the following:
> 
> iptables -t mangle -A PREROUTING -p udp --sport 6970 -m statistic --mode nth
> --every 2 --packet 0 -j MARK --set-mark 1
> 
> It produces:
> 
> iptables: No chain/target/match by that name
> 
> I think it is not finding the statistic module.

The 'statistic' match was added in version 2.6.18 of the kernel. Maybe 
you didn't enable the related option (NETFILTER_XT_MATCH_STATISTIC) when 
configuring and building your kernel. Check your config file.

Re: statistic module

[John Lister]

with the old nth module you could specify a counter to use allowing you 
to  have multiple overlapping counts.

Is this possible with the new statistic module? If not is there a way 
round it?

Thanks

-- 
Got needs? Get Goblin'! - http://www.pricegoblin.co.uk/

Statistic module nth problem

[John Lister]

I've played with the nth function of the statistic module and i can't 
seem to get it to work, This mirrors a previous post where it matches 
each entry once and then doesn't match any more...

looking at the source code makes me surprised it does this unless i've 
misunderstood completely...


from /net/netfilter/xt_statistic.c

static bool
statistic_mt(const struct sk_buff *skb, const struct net_device *in,
  const struct net_device *out, const struct xt_match *match,
  const void *matchinfo, int offset, unsigned int protoff,
  bool *hotdrop)
{
  struct xt_statistic_info *info = (struct xt_statistic_info *)matchinfo;
  bool ret = info->flags & XT_STATISTIC_INVERT;

  switch (info->mode) {
    case XT_STATISTIC_MODE_RANDOM:
    if ((net_random() & 0x7FFFFFFF) < info->u.random.probability)
      ret = !ret;
      break;
    case XT_STATISTIC_MODE_NTH:
      info = info->master;
      spin_lock_bh(&nth_lock);
      if (info->u.nth.count++ == info->u.nth.every) {
        info->u.nth.count = 0;
        ret = !ret;
      }
      spin_unlock_bh(&nth_lock);
      break;
    }

  return ret;
}


The second case should look like this - or have i missed something?
    case XT_STATISTIC_MODE_NTH:
      info = info->master;
      spin_lock_bh(&nth_lock);
      if (info->u.nth.count == info->u.nth.packet) {
        ret=!ret;
      }
      if (info->u.nth.count++ == info->u.nth.every) {
        info->u.nth.count = 0;
      }
      spin_unlock_bh(&nth_lock);
      break;


I'll submit a patch if anyone agrees and i'll also add stuff to handle 
multiple counts - why was this removed????

Thanks