On Thursday 27 May 2010 at 00:09 +0200, Jan Engelhardt wrote:
> On Wednesday 2010-05-26 22:27, Eric Dumazet wrote:
> >> >
> >> > So we create 48 rules using this setup?
> >>
> >> Since there are two loops to be done, it would be 96 rules in total.
> >>
> >> > I can see why it'll work on the first 48 packets (one for each
> >> >rule), but what happens on the 49th new connection? It'll go on the
> >> >first rule again?
> >>
> >> nth uses modulus, otherwise you can't get the "every Nth" semantic. :-)
> >>
> >> (It should have been: --mode nth --every N --packet I)
> >
> >not exactly :)
> >
> >It should be --mode nth --every N-I --packet I
> >
> >(first rule consumes one packet out of 48, then second rule consumes one
> >packet out of 47, ...
>
> The second rule still consumes 48 packets, because CONNMARK is
> non-terminating. Thus it's --every N.

Ouch, you are right, but this is very expensive then...
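The counting argument in this exchange, as an added sketch that is not part of the original thread: a simplified model of `statistic --mode nth` in which a rule matches when its own packet counter modulo `--every` equals `--packet`, with N = 48 as in the thread. The class and function names, and the terminating variant using `--every N-I` with `--packet 0`, are assumptions of this sketch.

```python
from collections import Counter

class NthRule:
    """Simplified model of `-m statistic --mode nth --every E --packet P`."""
    def __init__(self, every, packet, mark):
        self.every, self.packet, self.mark = every, packet, mark
        self.seen = 0                     # packets that reached this rule

    def matches(self):
        hit = self.seen % self.every == self.packet
        self.seen += 1
        return hit

def run_chain(rules, n_packets, terminating):
    """Return (final mark per packet, total rule evaluations)."""
    marks, evaluations = [], 0
    for _ in range(n_packets):
        mark = None
        for rule in rules:
            evaluations += 1
            if rule.matches():
                mark = rule.mark          # a later match overwrites the mark
                if terminating:           # terminating target: stop traversal
                    break
        marks.append(mark)
    return marks, evaluations

def distribution(every_for, packet_for, n, terminating, rounds=10):
    """Build n rules, push n*rounds new connections through, count marks."""
    rules = [NthRule(every_for(i), packet_for(i), mark=i) for i in range(n)]
    marks, evaluations = run_chain(rules, n * rounds, terminating)
    return Counter(marks), evaluations

N = 48  # rule count discussed in the thread

def demo():
    # Non-terminating target (CONNMARK): every rule sees every packet.
    even_nt, cost_nt = distribution(lambda i: N, lambda i: i, N, False)
    # Terminating target (assumed variant): rule i only sees leftovers.
    even_t, cost_t = distribution(lambda i: N - i, lambda i: 0, N, True)
    # Shrinking --every on a non-terminating chain: last rule always wins.
    skew, _ = distribution(lambda i: N - i, lambda i: 0, N, False)
    return even_nt, cost_nt, even_t, cost_t, skew

if __name__ == "__main__":
    for name, value in zip(("even_nt", "cost_nt", "even_t", "cost_t", "skew"), demo()):
        print(name, value if isinstance(value, int) else dict(value))
```

For 480 new connections the non-terminating chain performs 23040 rule evaluations against 11760 for the terminating one, and using a shrinking `--every` on the non-terminating chain leaves every connection with the last rule's mark.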