Jan Engelhardt <jengelh@xxxxxxx> wrote:
> On Wednesday 2016-03-02 13:10, Florian Westphal wrote:
> >> case XT_STATISTIC_MODE_RANDOM:
> >>     if ((prandom_u32() & 0x7FFFFFFF) < info->u.random.probability)
> >>
> >> --probability seems to check for "less than" the random value.
> >
> >Yes. [...]
> >Other suggestions?
>
> "--probability" is meant to represent saying "with a probability
> of p=10%, ...". This does not mandate any particular operator.

Right, that was my reasoning for making

meta random 0.1

behave like 'match with a probability of 10%'.

> Furthermore, it surprises me that iptables even supports
> ! --probability, because you can just express it as 1-p
> instead.

Yes.

So my suggestion is this:

for nft v2 of meta random support:
- keep the 'implicit LE op' behaviour so that meta random 0.1 means
  '10% probability of matching'.
- change display to hide the LE detail from the user, i.e.
  don't show 'meta random le 0.1' but 'meta random 0.1'.
  [ I agree with Jan, it's a detail, users can still see this with debug output on ].

Don't change anything else, i.e.

meta random == 0.1

will match with a probability of 1 in 0xfffffff on average.
It does what you asked it to do ;)

For the translation patch, if ! is given, translate it to the inverse as
per Jan's instruction, e.g.

--probability ! 0.1 is translated to meta random 0.9

If there are no further comments, I will send a v2 for nft meta random side soon.
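An added example, not code from this thread or from the kernel, iptables or nft sources: a user-space model of the quoted `<` comparison, showing that an inverted match at p selects exactly as many of the masked random values as a plain match at 1-p. The helper names and the rounding used to scale p into the 31-bit range are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define RAND_MASK 0x7FFFFFFFu /* mask from the quoted comparison */
#define RAND_SPAN 0x80000000u /* number of distinct masked values, 2^31 */

/* Assumption of this example: p in [0,1] is scaled to a 31-bit
 * threshold with round-to-nearest. */
static uint32_t prob_to_threshold(double p)
{
    return (uint32_t)(p * (double)RAND_SPAN + 0.5);
}

/* Model of the quoted test: masked random value strictly below the
 * threshold, optionally inverted ("!"). */
static int rule_matches(uint32_t rnd, uint32_t threshold, int invert)
{
    int hit = (rnd & RAND_MASK) < threshold;
    return invert ? !hit : hit;
}

/* Exact count of masked values that match, derived from the
 * comparison instead of sampling. */
static uint32_t matching_values(uint32_t threshold, int invert)
{
    return invert ? RAND_SPAN - threshold : threshold;
}

/* Translation discussed in the thread: "!" with p becomes 1-p. */
static double translate_inverted(double p)
{
    return 1.0 - p;
}

int main(void)
{
    double p = 0.1; /* constructed sample value */
    uint32_t t = prob_to_threshold(p);
    uint32_t t_inv = prob_to_threshold(translate_inverted(p));

    printf("p=%.1f threshold=%u matching=%u of %u\n",
           p, t, matching_values(t, 0), RAND_SPAN);
    printf("inverted p=%.1f matching=%u\n", p, matching_values(t, 1));
    printf("plain 1-p=%.1f matching=%u\n",
           translate_inverted(p), matching_values(t_inv, 0));
    return 0;
}
```
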