On Wednesday 26 May 2010 at 22:18 +0200, Jan Engelhardt wrote:
> On Wednesday 2010-05-26 21:01, Felipe W Damasio wrote:
> >
> >2010/5/26 Jan Engelhardt <jengelh@xxxxxxxxxx>:
> >> -A PREROUTING -m conntrack --ctstate NEW -j extrachain
> >> for (I = 0; I < N; ++I)
> >> -A extrachain -m statistic --mode nth --every I \
> >> -j CONNMARK --set-mark I
> >> for (I = 0; I < N; ++I)
> >> -A PREROUTING -m connmark --mark I -j TPROXY \
> >> --tproxy-mark I/0xff --on-port I+3127
> >
> > You mean do this using:
> >
> >N=48 (or whatever number of http_port we're using)
> >
> > So we create 48 rules using this setup?
>
> Since there are two loops to be done, it would be 96 rules in total.
>
> > I can see why it'll work on the first 48 packets (one for each
> >rule), but what happens on the 49th new connection? It'll go on the
> >first rule again?
>
> Oh that reminds me of - "The Bible says we're supposed to work six days
> and rest on the seventh. But where is it written that we should start
> working again on the eighth?"
>
> nth uses modulus, otherwise you can't get the "every Nth" semantic. :-)
>
> (It should have been: --mode nth --every N --packet I)

not exactly :)

It should be --mode nth --every N-I --packet I

(first rule consumes one packet out of 48, then second rule consumes one
packet out of 47, ...
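Added example, not from any message in the thread: a Python model of nth-mode counters showing how the numbering schemes discussed above spread new connections across N rules, depending on whether a matching rule's target ends chain traversal. The counter model (a rule matches the k-th packet it evaluates when k mod every equals packet), the `--packet 0` offset used for the shrinking form, and all function names are assumptions of this example.

```python
from collections import Counter

def nth_rule(every, packet):
    """Model of one '-m statistic --mode nth' rule (assumed semantics):
    it matches the k-th packet it evaluates (k from 0) when
    k % every == packet."""
    seen = 0
    def match():
        nonlocal seen
        hit = (seen % every == packet)
        seen += 1
        return hit
    return match

def distribute(rules, connections, terminating):
    """Run `connections` new connections through the chain.
    Returns a Counter of mark -> count; key None means no rule matched."""
    counts = Counter()
    for _ in range(connections):
        mark = None
        for i, match in enumerate(rules):
            if match():
                mark = i
                if terminating:
                    break  # later rules never evaluate this connection
        counts[mark] += 1
    return counts

def fixed_every(n):
    # --every N --packet I, for I = 0..N-1
    return [nth_rule(n, i) for i in range(n)]

def shrinking_every(n):
    # --every N-I --packet 0 (offset 0 is this example's assumption)
    return [nth_rule(n - i, 0) for i in range(n)]

if __name__ == "__main__":
    N, CONNS = 4, 4000  # constructed sample sizes
    for name, rules, term in [
        ("fixed every, non-terminating target", fixed_every(N), False),
        ("fixed every, terminating target", fixed_every(N), True),
        ("shrinking every, terminating target", shrinking_every(N), True),
    ]:
        print(name, dict(distribute(rules, CONNS, term)))
```

In this model the fixed `--every N` form is even only when every rule evaluates every connection; once a match stops traversal, later rules are starved and some connections receive no mark at all, which is the case the shrinking form addresses.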