Linux Netfilter discussions
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: Clarification on the use of the statistic module
Date: Fri, 12 Jul 2013 01:15:56 +0200
Message-ID: <51DF3CAC.7070507@plouf.fr.eu.org>
In-Reply-To: <51DEFE24.8030601@tiendalinux.com>

Nestor A. Diaz wrote:
> Hi, thanks for your answer. As I understand, the statistic module uses a
> static counter that changes every time the packet traverses the chains; I
> thought the counter got altered just one time while the packet traverses
> the chains.

Each occurrence of the statistic match has its own individual counter.

> According to your suggestion, if I remove the line with the "-j ACCEPT"
> then the statistic logs as I want, and in fact it does.
> 
> However if I jump to a 'DNAT' directly, the problem persists (50/25);
> it doesn't work as I have read from some websites.

Of course. Like ACCEPT, DNAT is also a terminal target.

> As a solution, if I want to jump to DNAT directly then I have to decrease
> the 'every' option as follows, which does what I want:
> 
> # This works:
> /sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
> 2 --packet 0 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
> DNAT --to-destination 192.168.2.20:7101
> /sbin/iptables -t nat -A prerouting_rule -m statistic --mode nth --every
> 1 --packet 0 -i eth0 -s 0.0.0.0/0 -d 192.168.1.1 -p tcp --dport 7100 -j
> DNAT --to-destination 192.168.2.20:7102

You realize that "--every 1" does not make any sense and it is much
simpler to just remove the statistic match in that rule, don't you?

> I am experimenting with the behavior, and if I jump to a custom chain which
> performs other operations like 'log', statistics keep working as
> expected (50/50). However if I put a 'DNAT' rule things become (50/25);
> it seems DNAT affects the behavior but I don't know why. Any
> explanation for this will be appreciated.

Jumping to a user-defined chain is a good idea if multiple actions are
associated with the same statistic match (e.g. LOG and DNAT). However it
won't change the fact that terminal targets such as ACCEPT, DROP,
REJECT, DNAT... prevent further rules from seeing the packet, thus changing
the actual ratio of further statistic matches.

If the first statistic match takes 1 over N packets, then the next
statistic match will see only the remaining packets, i.e. N-1 over N,
not N. So if you want it to also take 1 over N of all packets, it means
1 over N-1 of the remaining packets. And so on. This is why you had to
decrease the 'every' option. The last rule will take all the remaining
packets without the need for a statistic match.
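The ratio arithmetic above can be checked without touching a real netfilter table. The following is an added simulation written for this archive page, not code from the thread or from the netfilter project. It models the observable semantics of `-m statistic --mode nth --every N --packet P` (a private counter per rule, a hit whenever `counter % N == P`) and treats ACCEPT/DROP/REJECT/DNAT-style targets as terminal while LOG lets the packet continue. The target labels such as `DNAT:7101` and the hypothetical `balanced_rules()` helper are constructed for the example; the helper generalizes the "every N, then N-1, ..., then unconditional" sequence from the post to any number of destinations.

```python
"""Simulation of iptables '-m statistic --mode nth' with terminal targets.

Constructed model (not the kernel's xt_statistic code): every rule keeps
its own packet counter, and a terminal target stops the packet from
reaching later rules, so later statistic matches only see the leftovers.
"""
from collections import Counter

# Targets that end chain traversal for the packet (LOG, for instance, does not).
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "REDIRECT"}


class Rule:
    """One rule in a chain.

    target: label such as 'DNAT:7101' or 'LOG' (constructed labels; the part
            before ':' decides whether the target is terminal).
    every:  the --every value, or None for a rule without a statistic match.
    packet: the --packet value (0-based index inside each block of 'every').
    """

    def __init__(self, target, every=None, packet=0):
        if every is not None and not 0 <= packet < every:
            raise ValueError("--packet must be in the range [0, --every)")
        self.target = target
        self.every = every
        self.packet = packet
        self.counter = 0  # per-rule counter, like each statistic match instance

    def is_terminal(self):
        return self.target.split(":")[0] in TERMINAL_TARGETS

    def matches(self):
        """Advance this rule's counter for one packet and report a hit."""
        if self.every is None:
            return True  # no statistic match: always matches
        hit = (self.counter % self.every) == self.packet
        self.counter += 1
        return hit


def run_chain(rules, npackets):
    """Send npackets through the chain and return {target_label: hits}.

    Packets that reach the end of the chain without hitting a terminal
    target are counted under 'FALLTHROUGH'.
    """
    hits = Counter()
    for _ in range(npackets):
        terminated = False
        for rule in rules:
            if rule.matches():
                hits[rule.target] += 1
                if rule.is_terminal():
                    terminated = True
                    break
        if not terminated:
            hits["FALLTHROUGH"] += 1
    return dict(hits)


def balanced_rules(targets):
    """Hypothetical helper: rules that split traffic evenly over N terminal
    targets using --every N, N-1, ..., 2 and an unconditional last rule,
    exactly the sequence derived in the post."""
    n = len(targets)
    rules = []
    for i, target in enumerate(targets):
        every = n - i
        rules.append(Rule(target, every=None if every == 1 else every))
    return rules


if __name__ == "__main__":
    # The (50/25) case: two '--every 2' rules, both ending in a terminal DNAT.
    broken = [Rule("DNAT:7101", every=2), Rule("DNAT:7102", every=2)]
    print("two x --every 2:", run_chain(broken, 100))
    # The (50/50) case: the second rule needs no statistic match at all.
    fixed = [Rule("DNAT:7101", every=2), Rule("DNAT:7102")]
    print("--every 2 then unconditional:", run_chain(fixed, 100))
    # '--every 1' matches every packet, so it behaves like the fixed chain.
    every1 = [Rule("DNAT:7101", every=2), Rule("DNAT:7102", every=1)]
    print("--every 2 then --every 1:", run_chain(every1, 100))
    # A non-terminal LOG rule in front does not change the DNAT ratio.
    logged = [Rule("LOG", every=2)] + fixed_copy if False else [Rule("LOG", every=2), Rule("DNAT:7101", every=2), Rule("DNAT:7102")]
    print("LOG is not terminal:", run_chain(logged, 100))
    # Generalization: four-way split with --every 4, 3, 2, unconditional.
    four = balanced_rules(["DNAT:7101", "DNAT:7102", "DNAT:7103", "DNAT:7104"])
    print("four-way balanced:", run_chain(four, 100))
```

Running it prints `{'DNAT:7101': 50, 'DNAT:7102': 25, 'FALLTHROUGH': 25}` for the two `--every 2` rules, which is the (50/25) symptom from the question, and an even split for the other chains. The model deliberately ignores connection tracking: in the real nat table only the first packet of each connection traverses the PREROUTING chain, so "packets" here stand for new connections.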


Thread overview: 6+ messages
2013-07-10 15:12 Clarification on the use of the statistic module Nestor A. Diaz
2013-07-11  9:10 ` Pascal Hambourg
2013-07-11 18:49   ` Nestor A. Diaz
2013-07-11 23:15     ` Pascal Hambourg [this message]
2013-07-12 16:55       ` Nestor A. Diaz
2013-07-12  6:37     ` Emilio Lazo Zaia
