extensions: add xt_statistics random mode translation

Use meta random and bitops to replicate what xt_statistics
is doing.

Signed-off-by: Florian Westphal <fw@strlen.de>

2 files changed, 8 insertions, 2 deletions

diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index 4f3341a3..37915adc 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -141,13 +141,19 @@ static int statistic_xlate(struct xt_xlate *xl,
 
 	switch (info->mode) {
 	case XT_STATISTIC_MODE_RANDOM:
-		return 0;
+		xt_xlate_add(xl, "meta random & %u %s %u",
+			     INT_MAX,
+			     info->flags & XT_STATISTIC_INVERT ? ">=" : "<",
+			     info->u.random.probability);
+		break;
 	case XT_STATISTIC_MODE_NTH:
 		xt_xlate_add(xl, "numgen inc mod %u %s%u",
 			     info->u.nth.every + 1,
 			     info->flags & XT_STATISTIC_INVERT ? "!= " : "",
 			     info->u.nth.packet);
 		break;
+	default:
+		return 0;
 	}
 
 	return 1;
diff --git a/extensions/libxt_statistic.txlate b/extensions/libxt_statistic.txlate
index 3196ff20..627120c5 100644
--- a/extensions/libxt_statistic.txlate
+++ b/extensions/libxt_statistic.txlate
@@ -5,4 +5,4 @@ iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 --packet 5
 nft 'add rule ip filter OUTPUT numgen inc mod 10 != 5 counter'
 
 iptables-translate -A OUTPUT -m statistic --mode random --probability 0.1
-nft # -A OUTPUT -m statistic --mode random --probability 0.1
+nft 'add rule ip filter OUTPUT meta random & 2147483647 < 214748365 counter'