Fwd: iptables random support

(Sorry if you get this twice; I forgot to cc: the list before)
On 7/30/06, Daniel Williams <danielw@xxxxxxxxxxxxxxxxxx> wrote:

Hi,

I have been trying to get iptables -m random support working, with very
little success.

Does anyone have a modern 2.6 kernel with iptables -m random working?

I tried using the random and nth patches from patch-o-matic-ng-20050918,
with 2.6.17.7 and iptables 1.2.11 and 1.3.5.

The modules are loaded:
root@server2:/usr/src# lsmod | grep ipt
iptable_nat             8196  0
ip_nat                 17580  1 iptable_nat
iptable_filter          3968  0
ipt_random              3200  0
ipt_nth                 3584  0
iptable_mangle          3968  0
ip_tables              14580  3 iptable_nat,iptable_filter,iptable_mangle
x_tables               14724  5 xt_tcpudp,iptable_nat,ipt_random,ipt_nth,ip_tables


When I type a command that uses random or nth, I get:
# iptables -A INPUT -m random --average 1 -j ACCEPT
iptables: Invalid argument
# iptables -A INPUT -m nth --every 2 -j ACCEPT
iptables: Invalid argument
with iptables 1.2.11, and with iptables 1.3.5:
# iptables -A INPUT -m nth --every 2 -j ACCEPT
iptables: Unknown error 4294967295
# iptables -A INPUT -m random -j ACCEPT
iptables: Unknown error 4294967295


I realize the 'unknown error' is a known, unrelated bug.

I have some complicated routing requirements for which I plan to use random
in combination with mark/fwmark routing.

I am also interested in hearing from anyone who has this setup and can tell
me the performance of their setup.

Daniel


Patching the source code for -m random is very simple if you know C:
just change the function definitions of match and checkentry to the
ones below, and add ".matchsize = sizeof(ipt_rand_info)" to the struct
ipt_match definition. The same can be done to ipt_nth.

These two modules are unified in the 2.6.18 mainline as xt_statistic.

- Daniel De Graaf

/* 2.6.17 signature of the match callback (struct xt_match, with protoff and
 * hotdrop): return nonzero for a match, set *hotdrop to drop the packet */
static int match(const struct sk_buff *skb,
                 const struct net_device *in,
                 const struct net_device *out,
                 const struct xt_match *match,
                 const void *matchinfo,
                 int offset,
                 unsigned int protoff,
                 int *hotdrop)

/* 2.6.17 signature of the rule-insertion check: return 1 to accept the rule.
 * The .matchsize field must be set to sizeof(struct ipt_rand_info): the
 * 2.6.17 xt_check_match() rejects a rule whose match data size does not
 * match it with -EINVAL, which is the "Invalid argument" seen above */
static int checkentry(const char *tablename,
                      const void *ip,
                      const struct xt_match *match,
                      void *matchinfo,
                      unsigned int matchinfosize,
                      unsigned int hook_mask)
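
The thread stops at the pointer to xt_statistic, so what follows is an added example, not code from the original thread or from the netfilter project: a user-space model of the statistic match that shows how rules built on it split packets across fwmarks, which is the mark-based routing use asked about above. The nth counter arithmetic and the random comparison follow xt_statistic and its iptables extension as the author of this example understands them; the xorshift PRNG standing in for net_random(), the 0x80000000 probability scale, the helper names and the four rule layouts are assumptions of the example.

```c
/* Added example, not from the original thread: user-space model of the
 * xt_statistic match (2.6.18 replacement for random/nth), used to check how
 * a chain of "-m statistic ... -j MARK" rules splits packets across fwmarks. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum stat_mode { MODE_ALWAYS, MODE_RANDOM, MODE_NTH };
struct stat_rule {
    enum stat_mode mode;
    int only_unmarked;    /* rule also has "-m mark --mark 0" ahead of -m statistic */
    uint32_t probability; /* random: p scaled to 0x80000000 (assumed scale) */
    uint32_t every;       /* nth: stored as N-1, as the iptables extension does */
    uint32_t count;       /* nth: per-rule running counter */
    int mark;             /* target is "-j MARK --set-mark <mark>" */
};

static uint32_t prng; /* xorshift32 in place of net_random(); reseeded per run */
static uint32_t net_random_sim(void) {
    prng ^= prng << 13; prng ^= prng >> 17; prng ^= prng << 5;
    return prng;
}

/* "--mode nth --every n --packet k": every=n-1, count=every-k, so the counter
 * reaches `every` on packet k and then once every n packets. */
static struct stat_rule nth_rule(uint32_t n, uint32_t k, int only_unmarked, int mark) {
    struct stat_rule r = { MODE_NTH, only_unmarked, 0, n - 1, n - 1 - k, mark };
    return r;
}
/* "--mode random --probability p" */
static struct stat_rule random_rule(double p, int only_unmarked, int mark) {
    struct stat_rule r = { MODE_RANDOM, only_unmarked, (uint32_t)(p * 2147483648.0), 0, 0, mark };
    return r;
}
/* plain "-j MARK" with no statistic match at all */
static struct stat_rule always_rule(int only_unmarked, int mark) {
    struct stat_rule r = { MODE_ALWAYS, only_unmarked, 0, 0, 0, mark };
    return r;
}

/* Per-packet decision of the match callback. */
static int stat_match(struct stat_rule *r) {
    switch (r->mode) {
    case MODE_RANDOM: return (net_random_sim() & 0x7FFFFFFF) < r->probability;
    case MODE_NTH:    if (r->count++ == r->every) { r->count = 0; return 1; } return 0;
    default:          return 1;
    }
}

/* Push `packets` packets through `n` rules. MARK does not end chain traversal,
 * so every rule runs unless its "-m mark --mark 0" guard fails; the guard is
 * checked before the counter advances because matches run in command-line
 * order. hist[m] counts packets whose final mark is m (0 = never marked). */
static void run_chain(struct stat_rule *rules, int n, long packets, long hist[4]) {
    prng = 2463534242u;
    memset(hist, 0, 4 * sizeof(long));
    for (long p = 0; p < packets; p++) {
        int mark = 0;
        for (int i = 0; i < n; i++) {
            if (rules[i].only_unmarked && mark != 0) continue;
            if (stat_match(&rules[i])) mark = rules[i].mark;
        }
        hist[mark]++;
    }
}

/* Layout A, nth counters in lockstep; every rule sees every packet:
 *   -m statistic --mode nth --every 3 --packet 0 -j MARK --set-mark 1
 *   -m statistic --mode nth --every 3 --packet 1 -j MARK --set-mark 2
 *   -m statistic --mode nth --every 3 --packet 2 -j MARK --set-mark 3 */
static void layout_nth_lockstep(long packets, long hist[4]) {
    struct stat_rule r[] = { nth_rule(3, 0, 0, 1), nth_rule(3, 1, 0, 2), nth_rule(3, 2, 0, 3) };
    run_chain(r, 3, packets, hist);
}
/* Layout B, split the remainder; later rules only see unmarked packets:
 *   -m statistic --mode nth --every 3 --packet 0 -j MARK --set-mark 1
 *   -m mark --mark 0 -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 2
 *   -m mark --mark 0 -j MARK --set-mark 3 */
static void layout_nth_remainder(long packets, long hist[4]) {
    struct stat_rule r[] = { nth_rule(3, 0, 0, 1), nth_rule(2, 0, 1, 2), always_rule(1, 3) };
    run_chain(r, 3, packets, hist);
}
/* Layout C, the remainder split with --mode random (no counter to keep in
 * step): --probability 0.33333 first, then 0.5 of what is left, then the rest. */
static void layout_random_remainder(long packets, long hist[4]) {
    struct stat_rule r[] = { random_rule(1.0 / 3, 0, 1), random_rule(0.5, 1, 2), always_rule(1, 3) };
    run_chain(r, 3, packets, hist);
}
/* Layout D, a mistake: lockstep "--every 3 --packet k" rules but with the
 * "-m mark --mark 0" guard. The guard starves the later counters, they fall
 * out of step, and some packets leave with no mark at all. */
static void layout_nth_guarded_wrong(long packets, long hist[4]) {
    struct stat_rule r[] = { nth_rule(3, 0, 0, 1), nth_rule(3, 1, 1, 2), nth_rule(3, 2, 1, 3) };
    run_chain(r, 3, packets, hist);
}
int main(void) {
    long h[4];
    layout_nth_lockstep(9000, h);       printf("lockstep  %ld/%ld/%ld unmarked=%ld\n", h[1], h[2], h[3], h[0]);
    layout_nth_remainder(9000, h);      printf("remainder %ld/%ld/%ld unmarked=%ld\n", h[1], h[2], h[3], h[0]);
    layout_random_remainder(300000, h); printf("random    %ld/%ld/%ld unmarked=%ld\n", h[1], h[2], h[3], h[0]);
    layout_nth_guarded_wrong(9000, h);  printf("wrong     %ld/%ld/%ld unmarked=%ld\n", h[1], h[2], h[3], h[0]);
    return 0;
}
```

Build with any C99 compiler and run it. Layouts A and B give an exact 3000/3000/3000 split of 9000 packets, layout C lands near a third each, and layout D leaves packets unmarked, because the per-rule nth counter only advances on packets the rule actually sees. Two points carry over to real rules: random mode has no lockstep, so an even N-way split in random mode needs the remainder layout (probabilities 1/N, 1/(N-1), ..., 1) with a mark guard on every rule after the first; and the "-m mark --mark 0" guard must precede "-m statistic" on the command line, otherwise the counter advances even for packets the guard then rejects.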

