Hi there!
I'm facing something weird when using the statistic module with mode nth. I
started with a simple rule set to balance incoming traffic to 2 different
local addresses:
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW \
    -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.117.4.53:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW \
    -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 10.117.4.54:25
After some tests I got some "connection refused" messages. I checked the
server and everything was fine. Then I decided to add an extra
(unnecessary?) rule:
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW \
    -j DNAT --to-destination 10.117.4.54:25
So, the final rule set was:
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW \
    -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.117.4.53:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW \
    -m statistic --mode nth --every 2 --packet 1 -j DNAT --to-destination 10.117.4.54:25
iptables -t nat -A PREROUTING -p tcp -d 10.117.4.6 --dport 25 -m state --state NEW \
    -j DNAT --to-destination 10.117.4.54:25
I never expected to see anything hit the 3rd rule. But after adding it, I
didn't receive any more connection refused messages, and checking the
counters, I realized that half of the packets that should match rule #2
were sent to rule #3:
Chain PREROUTING (policy ACCEPT 184K packets, 21M bytes)
 pkts bytes target prot opt in  out source     destination
    6   360 DNAT   tcp  --  *   *   0.0.0.0/0  10.117.4.6  tcp dpt:25 state NEW statistic mode nth every 2 to:10.117.4.53:25
    3   180 DNAT   tcp  --  *   *   0.0.0.0/0  10.117.4.6  tcp dpt:25 state NEW statistic mode nth every 2 packet 1 to:10.117.4.54:25
    3   180 DNAT   tcp  --  *   *   0.0.0.0/0  10.117.4.6  tcp dpt:25 state NEW to:10.117.4.54:25
Am I doing something wrong here?
TIA,
Claudio Cuqui
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
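The counters in the post above can be reproduced without touching a kernel. The script below is an added example, not part of Claudio's message or of the netfilter project: it simulates a chain of nth-mode statistic rules under the assumption that every rule keeps its own private counter, preset to --packet, advanced once per packet that reaches that rule, and matching when the counter wraps to zero modulo --every (the exact initial phase is an assumption; the share each rule takes is not). Because rule 2 only ever sees the packets rule 1 let through, "--every 2 --packet 1" takes half of that remainder, so a quarter of all new connections reach rule 3. The gen_rules helper prints the usual fix for N backends: --every N, --every N-1, ..., and a final rule without a statistic match. Addresses and ports are the ones from the post; the 12-packet runs are constructed input.

```sh
#!/bin/sh
# Simulation of "-m statistic --mode nth" rule chains (assumed model, not
# kernel code). Each rule has a private counter that only advances for packets
# reaching that rule and matches when the counter wraps to 0 modulo --every.

# run_chain "EVERY:PACKET EVERY:PACKET ..." NPACKETS
# Rules are given in chain order; "0:0" denotes a rule with no statistic
# match (a plain catch-all DNAT). Prints e.g. "hits=6,3,3 unmatched=0".
run_chain() {
    rules=$1
    npkts=$2
    n=0
    for r in $rules; do
        n=$((n + 1))
        eval "every_$n=${r%%:*}"
        eval "cnt_$n=${r#*:}"     # counter preset to --packet (assumption)
        eval "hit_$n=0"
    done
    unmatched=0
    p=0
    while [ "$p" -lt "$npkts" ]; do
        p=$((p + 1))
        matched=0
        i=1
        while [ "$i" -le "$n" ] && [ "$matched" -eq 0 ]; do
            eval "every=\$every_$i; cnt=\$cnt_$i"
            if [ "$every" -eq 0 ]; then
                matched=1                      # catch-all rule
            else
                cnt=$(( (cnt + 1) % every ))   # advances only on arrival here
                eval "cnt_$i=$cnt"
                [ "$cnt" -eq 0 ] && matched=1
            fi
            [ "$matched" -eq 1 ] && eval "hit_$i=\$((hit_$i + 1))"
            i=$((i + 1))
        done
        [ "$matched" -eq 0 ] && unmatched=$((unmatched + 1))
    done
    out=""
    i=1
    while [ "$i" -le "$n" ]; do
        eval "h=\$hit_$i"
        if [ -z "$out" ]; then out=$h; else out="$out,$h"; fi
        i=$((i + 1))
    done
    printf 'hits=%s unmatched=%s\n' "$out" "$unmatched"
}

# gen_rules VIP PORT "BACKEND1 BACKEND2 ..."
# Emits an even N-way split: rule i of N uses --every (N-i+1) --packet 0 and
# the last rule carries no statistic match, so nothing falls through.
gen_rules() {
    vip=$1; port=$2; backends=$3
    n=0; for b in $backends; do n=$((n + 1)); done
    i=0
    for b in $backends; do
        i=$((i + 1))
        stat=""
        if [ "$i" -lt "$n" ]; then
            stat=" -m statistic --mode nth --every $((n - i + 1)) --packet 0"
        fi
        printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -m state --state NEW%s -j DNAT --to-destination %s:%s\n' \
            "$vip" "$port" "$stat" "$b" "$port"
    done
}

# Demo: 12 new connections through each ruleset discussed in the thread.
printf 'original two rules:     %s\n' "$(run_chain "2:0 2:1" 12)"
printf 'with catch-all rule 3:  %s\n' "$(run_chain "2:0 2:1 0:0" 12)"
printf 'every 2 + catch-all:    %s\n' "$(run_chain "2:0 0:0" 12)"
printf 'three backends (3,2,-): %s\n' "$(run_chain "3:0 2:0 0:0" 12)"
gen_rules 10.117.4.6 25 "10.117.4.53 10.117.4.54"
```

The first run reproduces the "connection refused" symptom: a quarter of the new connections match neither rule and are delivered to 10.117.4.6:25 itself. The second reproduces the 6/3/3 counters from the post. Note that only the first packet of a connection traverses the nat table; later packets follow the conntrack entry, which is why the counts are connection counts, not packet counts.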