Hello, Nestor A. Diaz a écrit : > > /sbin/iptables -t nat -A prerouting_rule -i eth0 -p tcp --dport 7000 -m > state --state NEW -m statistic --mode nth --every 2 --packet 0 -j LOG > --log-prefix 20130710095901_packet_0 > /sbin/iptables -t nat -A prerouting_rule -i eth0 -p tcp --dport 7000 -m > state --state NEW -m statistic --mode nth --every 2 --packet 0 -j ACCEPT > /sbin/iptables -t nat -A prerouting_rule -i eth0 -p tcp --dport 7000 -m > state --state NEW -m statistic --mode nth --every 2 --packet 1 -j LOG > --log-prefix 20130710095901_packet_1 > /sbin/iptables -t nat -A prerouting_rule -i eth0 -p tcp --dport 7000 -m > state --state NEW -m statistic --mode nth --every 2 --packet 1 -j ACCEPT > # default > /sbin/iptables -t nat -A prerouting_rule -i eth0 -p tcp --dport 7000 -m > state --state NEW -j LOG --log-prefix 20130710095901_packet_2 > /sbin/iptables -t nat -A prerouting_rule -i eth0 -p tcp --dport 7000 -m > state --state NEW -j ACCEPT Note : the state match is useless here : by definition packets in the nat table cannot have any other state than NEW. > ./count_packets.sh 20130710093659 > 0: 500 > 1: 250 > 2: 250 Exactly as expected. > When i was expecting the following result: > > 0: 500 > 1: 500 > 2: 0 > > What i am doing wrong ? You ACCEPT the packets matching the first statistic set, so they won't reach the second one. Therefore the second statistic set matches 50% of the remaining packets, i.e. 50% * 50% = 25%. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
