Hi Mr. Engelhardt,

I created a script using the instructions you gave me. The result was:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
extrachain all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 connmark match 0x0 TPROXY redirect 0.0.0.0:3127 mark 0x1/0x1
TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 connmark match 0x1 TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1
TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 connmark match 0x2 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1

Chain extrachain (1 references)
target     prot opt source               destination
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 CONNMARK and 0x0
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 1 CONNMARK xset 0x1/0xffffffff
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 2 CONNMARK xset 0x2/0xffffffff

This is for N=3 instances of squid.

The TPROXY rules make sense to me (forwarding to a port based on the mark that was done in the extrachain). I just don't get the extrachain rules regarding that "--every 3" bit yet. :-)

Are they right, though? I'm really trying to understand those statistic mode nth options :)

Thanks.

Cheers,

Felipe Damasio

2010/5/26 Jan Engelhardt <jengelh@xxxxxxxxxx>:
> On Wednesday 2010-05-26 22:27, Eric Dumazet wrote:
>>> >
>>> > So we create 48 rules using this setup?
>>>
>>> Since there are two loops to be done, it would be 96 rules in total.
>>>
>>> > I can see why it'll work on the first 48 packets (one for each
>>> > rule), but what happens on the 49th new connection? It'll go on the
>>> > first rule again?
>>>
>>> nth uses modulus, otherwise you can't get the "every Nth" semantic. :-)
>>>
>>> (It should have been: --mode nth --every N --packet I)
>>
>> not exactly :)
>>
>> It should be --mode nth --every N-I --packet I
>>
>> (first rule consume one packet out of 48, then second rule consume one
>> packet out of 47, ...
>
> The second rule still consumes 48 packets, because CONNMARK is
> non-terminating. Thus it's --every N.
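As an added example that is not part of this thread (not Felipe's script and not the kernel's xt_statistic code), the following Python model walks the first packet of a series of new connections through the extrachain above and records which CONNMARK each connection ends up with. It assumes the documented semantics of "-m statistic --mode nth --every N --packet I": every rule keeps its own counter, and the rule matches the I-th packet (0-based) of each group of N packets it sees. The class and function names (NthRule, run_chain, extrachain, tproxy_port) are invented for the example; N=3 and the port mapping 3127/3128/3129 come from the listing. The "terminating" flag is there only to show Jan's point: CONNMARK is non-terminating, so every rule sees every connection and the marks come out round-robin; if the same rules carried a terminating target, later rules would see fewer packets and the split would go uneven.

```python
from dataclasses import dataclass


@dataclass
class NthRule:
    """One 'statistic --mode nth' rule with its own counter (assumed model)."""
    every: int                  # --every N: one match per group of N packets
    packet: int                 # --packet I: which packet of the group matches (0-based)
    mark: int                   # CONNMARK value applied when the rule matches
    terminating: bool = False   # CONNMARK is non-terminating; True models a target that ends traversal
    seen: int = 0               # packets this rule has evaluated so far

    def __post_init__(self):
        # iptables rejects --packet values outside [0, --every); mirror that here
        if not 0 <= self.packet < self.every:
            raise ValueError("--packet must be >= 0 and smaller than --every")

    def matches(self) -> bool:
        hit = (self.seen % self.every) == self.packet
        self.seen += 1
        return hit


def run_chain(rules, n_conns):
    """Send the first packet of n_conns new connections through `rules`.

    Returns the connmark each connection carries when it leaves the chain.
    A non-terminating rule lets the packet continue to the next rule, so
    every rule's counter advances on every packet.
    """
    marks = []
    for _ in range(n_conns):
        mark = 0  # connmark of a fresh connection
        for rule in rules:
            if rule.matches():
                mark = rule.mark
                if rule.terminating:
                    break
        marks.append(mark)
    return marks


def extrachain(n, terminating=False):
    """Build the N rules from the thread: --every N --packet I, setting mark I."""
    return [NthRule(every=n, packet=i, mark=i, terminating=terminating) for i in range(n)]


# The TPROXY rules from the listing: connmark -> squid instance port (values from the thread)
PORTS = {0: 3127, 1: 3128, 2: 3129}


def tproxy_port(mark):
    return PORTS[mark]


def distribution(marks):
    """How many connections landed on each mark."""
    counts = {}
    for m in marks:
        counts[m] = counts.get(m, 0) + 1
    return counts


if __name__ == "__main__":
    marks = run_chain(extrachain(3), 9)
    print("non-terminating CONNMARK:", marks, distribution(marks))
    print("squid ports:", [tproxy_port(m) for m in marks])
    uneven = run_chain(extrachain(3, terminating=True), 9)
    print("same rules, terminating target:", uneven, distribution(uneven))
```

With the non-terminating rules, connection j gets mark j mod 3 and each squid instance receives every third new connection, which is the "modulus" behaviour Jan describes; the counter also explains why --every N-I cannot be right for this chain, since the second and third rules still see all N packets of each group.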