| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Use meta random and bitops to replicate what xt_statistics
is doing.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
# iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
--packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter
# iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
--packet 5
nft add rule ip filter OUTPUT numgen inc mod 10 != 5 counter
Note, mode random is not completely supported in nft, so:
# iptables-translate -A OUTPUT -m statistic --mode random \
--probability 0.1
nft # -A OUTPUT -m statistic --mode random --probability 0.1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Add copyright statements to all extensions authored by myself.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
Suppressing '--packet 0' in save output resulted in restore failure.
This patch includes '--packet 0' in save output while continuing to
suppress it in print output.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, libxt_statistic only dumps the probability with a
granularity of 1/1000000. Assuming only stuffed packets with 1440
bytes payload, this would match approximately every 1.341 GB, which is
pretty low for a high-volume router. Trying to match any larger
interval than that (e.g. 2 GB) will cause libxt_statistic to output
"--probability 0.000000", and when restored, will cause it to never
match again.
Bump the dump precision to what xt_statistic can really do, and adjust
the manpage to include a word about it.
Furthermore, employ explicit rounding when reading the argument from
the command line, because the previous implicit conversion would use
truncation, which is not very exact.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.
It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)
Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
Match and target parse functions now only get option characters they
have defined themselves.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
Try to inhibit copypasting old stuff.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
| |
This constant would be the designated one for the .family field; it
also, given recent changes, makes grep for NFPROTO_UNSPEC work to
finally recollect all manpages.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
This commit also throws out the redundant string_to_number_*.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
Use the handy constants for ranges.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
| |
A number of comments are redundant, some outdated and others outright
wrong in their own way. Remove and fixup.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
|
| | |
|
| |
|
|
|
| |
Note: xt_sctp.h is still not merged upstream in the kernel as of
this commit. But a refactoring was really needed.
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Give symbols of libxt matches unique names (1/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
| | |
|
| | |
|
| |
|
