authorSebastian Schmidt <yath@yath.de>2012-05-27 12:30:56 +0200
committerSebastian Schmidt <yath@yath.de>2012-05-27 12:35:36 +0200
commitd27bc3deac69ed3d55ac69177caca2578667b80c (patch)
treecf78cafc917140b4d5a54e41dcc2bcb903e3765d
parentc20e9d9c8c3e3279fccefd5dda9877f29b9a7593 (diff)
Merge upstream v1.4.14ics-releaseicscm-9.1.0
This merges upstream's iptables version 1.4.14. The merge incorporates the following commits: commit 9eaa87401ce5ac64cc6baa55775f58f59ca26f34 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Sat May 26 18:44:33 2012 +0200 Bump version to 1.4.14 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> commit c022454ff5ad39c5e37fa6cd29b85159ad16ed0f Author: Florian Westphal <fw@strlen.de> Date: Thu May 17 01:03:09 2012 +0000 tests: add rateest match rules also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> commit a05910364fa0f2f919dbe0b01bcaba9c3cb127ca Author: Florian Westphal <fw@strlen.de> Date: Thu May 17 01:03:08 2012 +0000 extensions: libxt_rateest: output all options in save hook ipt-restore fails to parse the ipt-save output: zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5 (should be "--rateest-pps 5 --rateest-lt"). Also, the "delta" option was never shown in -save output, but twice in some cases when using "iptables -L". Also, the "b/pps1" option must be shown when "delta" option is used with relative mode. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> commit cb999dfdaf25d5a774d2ee84cb99355438d57c93 Author: Florian Westphal <fw@strlen.de> Date: Thu May 10 05:42:47 2012 +0000 ip(6)tables-restore: make sure argv is NULL terminated Else, argv[argc] may point to free'd memory. Some extensions, e.g. rateest, may fail to parse valid input because argv[optind] (with optind == argc) is not NULL. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> commit 6111382a6c27e73c1cef1777c1253be0453a9dbb Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Wed May 9 00:28:41 2012 +0200 libipt_ULOG: fix --ulog-cprange In 1f2474a libipt_ULOG: use guided option parser. 
A bug has been accidentally introduced in --ulog-cprange, limiting possible values from 1 to 50. However, that limit should be applied to --ulog-qthreshold. Reported-by: Gaurav Sinha <vgsinha@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> commit 8db1044ba608a78035bbf89007aab6b6d8ff6f68 Author: Miguel GAIO <miguel.gaio@efixo.com> Date: Thu Apr 19 00:14:33 2012 +0000 libiptc: fix retry path in TC_INIT There is an issue on the TC_INIT retry path: In the error case, TC_FREE is called and closes sockfd. The retry does not reopen it and therefore always fails. The proposed patch reopens sockfd in the retry path. Signed-off-by: Miguel GAIO <miguel.gaio@efixo.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> commit e8f32983048d6aa4a908b6a92da55fa71c859623 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Wed Feb 29 13:48:36 2012 +0100 libxt_CT: add --timeout option This patch adds the --timeout option to allow to attach timeout policy objects to flows, eg. iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \ -j CT --timeout custom-tcp-policy You need the nfct(8) tool which is available at: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git To define the cttimeout policies. Example of usage: nfct timeout add custom-tcp-policy inet tcp established 1000 The new nfct tool also requires libnetfilter_cttimeout: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Change-Id: I9d2d82f957b5778ddf35de7b601e7a072e94b1a1
-rw-r--r--config.h6
-rw-r--r--configure.ac2
-rw-r--r--extensions/libipt_ULOG.c4
-rw-r--r--extensions/libxt_CT.c134
-rw-r--r--extensions/libxt_CT.man5
-rw-r--r--extensions/libxt_rateest.c55
-rw-r--r--include/iptables/internal.h2
-rw-r--r--include/linux/netfilter/xt_CT.h12
-rw-r--r--iptables/ip6tables-restore.c2
-rw-r--r--iptables/iptables-restore.c2
-rw-r--r--libiptc/libiptc.c2
-rw-r--r--tests/options-most.rules28
12 files changed, 195 insertions, 59 deletions
diff --git a/config.h b/config.h
index 5254924..03c74d3 100644
--- a/config.h
+++ b/config.h
@@ -60,7 +60,7 @@
#define PACKAGE_NAME "iptables"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "iptables 1.4.13"
+#define PACKAGE_STRING "iptables 1.4.14"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "iptables"
@@ -69,7 +69,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
-#define PACKAGE_VERSION "1.4.13"
+#define PACKAGE_VERSION "1.4.14"
/* The size of `struct ip6_hdr', as computed by sizeof. */
#define SIZEOF_STRUCT_IP6_HDR 40
@@ -78,4 +78,4 @@
#define STDC_HEADERS 1
/* Version number of package */
-#define VERSION "1.4.13"
+#define VERSION "1.4.14"
diff --git a/configure.ac b/configure.ac
index 6678d90..2909a98 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
-AC_INIT([iptables], [1.4.13])
+AC_INIT([iptables], [1.4.14])
# See libtool.info "Libtool's versioning system"
libxtables_vcurrent=7
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index e08ae05..fafb220 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -37,9 +37,9 @@ static const struct xt_option_entry ULOG_opts[] = {
{.name = "ulog-prefix", .id = O_ULOG_PREFIX, .type = XTTYPE_STRING,
.flags = XTOPT_PUT, XTOPT_POINTER(struct ipt_ulog_info, prefix),
.min = 1},
- {.name = "ulog-cprange", .id = O_ULOG_CPRANGE, .type = XTTYPE_UINT64,
+ {.name = "ulog-cprange", .id = O_ULOG_CPRANGE, .type = XTTYPE_UINT64},
+ {.name = "ulog-qthreshold", .id = O_ULOG_QTHR, .type = XTTYPE_UINT64,
.min = 1, .max = ULOG_MAX_QLEN},
- {.name = "ulog-qthreshold", .id = O_ULOG_QTHR, .type = XTTYPE_UINT64},
XTOPT_TABLEEND,
};
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index 7b93bfa..27a20e2 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -16,9 +16,23 @@ static void ct_help(void)
);
}
+static void ct_help_v1(void)
+{
+ printf(
+"CT target options:\n"
+" --notrack Don't track connection\n"
+" --helper name Use conntrack helper 'name' for connection\n"
+" --timeout name Use timeout policy 'name' for connection\n"
+" --ctevents event[,event...] Generate specified conntrack events for connection\n"
+" --expevents event[,event...] Generate specified expectation events for connection\n"
+" --zone ID Assign/Lookup connection in zone ID\n"
+ );
+}
+
enum {
O_NOTRACK = 0,
O_HELPER,
+ O_TIMEOUT,
O_CTEVENTS,
O_EXPEVENTS,
O_ZONE,
@@ -37,6 +51,21 @@ static const struct xt_option_entry ct_opts[] = {
};
#undef s
+#define s struct xt_ct_target_info_v1
+static const struct xt_option_entry ct_opts_v1[] = {
+ {.name = "notrack", .id = O_NOTRACK, .type = XTTYPE_NONE},
+ {.name = "helper", .id = O_HELPER, .type = XTTYPE_STRING,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, helper)},
+ {.name = "timeout", .id = O_TIMEOUT, .type = XTTYPE_STRING,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, timeout)},
+ {.name = "ctevents", .id = O_CTEVENTS, .type = XTTYPE_STRING},
+ {.name = "expevents", .id = O_EXPEVENTS, .type = XTTYPE_STRING},
+ {.name = "zone", .id = O_ZONE, .type = XTTYPE_UINT16,
+ .flags = XTOPT_PUT, XTOPT_POINTER(s, zone)},
+ XTOPT_TABLEEND,
+};
+#undef s
+
struct event_tbl {
const char *name;
unsigned int event;
@@ -114,6 +143,28 @@ static void ct_parse(struct xt_option_call *cb)
}
}
+static void ct_parse_v1(struct xt_option_call *cb)
+{
+ struct xt_ct_target_info_v1 *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_NOTRACK:
+ info->flags |= XT_CT_NOTRACK;
+ break;
+ case O_CTEVENTS:
+ info->ct_events = ct_parse_events(ct_event_tbl,
+ ARRAY_SIZE(ct_event_tbl),
+ cb->arg);
+ break;
+ case O_EXPEVENTS:
+ info->exp_events = ct_parse_events(exp_event_tbl,
+ ARRAY_SIZE(exp_event_tbl),
+ cb->arg);
+ break;
+ }
+}
+
static void ct_print(const void *ip, const struct xt_entry_target *target, int numeric)
{
const struct xt_ct_target_info *info =
@@ -134,6 +185,29 @@ static void ct_print(const void *ip, const struct xt_entry_target *target, int n
printf("zone %u ", info->zone);
}
+static void
+ct_print_v1(const void *ip, const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_ct_target_info_v1 *info =
+ (const struct xt_ct_target_info_v1 *)target->data;
+
+ printf(" CT");
+ if (info->flags & XT_CT_NOTRACK)
+ printf(" notrack");
+ if (info->helper[0])
+ printf(" helper %s", info->helper);
+ if (info->timeout[0])
+ printf(" timeout %s", info->timeout);
+ if (info->ct_events)
+ ct_print_events("ctevents", ct_event_tbl,
+ ARRAY_SIZE(ct_event_tbl), info->ct_events);
+ if (info->exp_events)
+ ct_print_events("expevents", exp_event_tbl,
+ ARRAY_SIZE(exp_event_tbl), info->exp_events);
+ if (info->zone)
+ printf("zone %u ", info->zone);
+}
+
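Review bot: In ct_print_v1 the zone output `printf("zone %u ", info->zone);` is the only field printed without a leading space and with a trailing one, so a rule carrying both a timeout and a zone renders as `timeout <name>zone <id>`; the same mismatch is inherited from ct_print, but the new function is the place to stop copying it. Change it to `printf(" zone %u", info->zone);` so the format agrees with the helper, timeout and event fields above it. The `%s` prints of `helper` and `timeout` assume the fixed-size arrays are NUL-terminated; the XTOPT_PUT/XTOPT_POINTER entries in ct_opts_v1 presumably bound what the parser stores, but the struct printed here comes back from the kernel, so that assumption is worth a one-line comment on the function.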
static void ct_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_ct_target_info *info =
@@ -153,20 +227,56 @@ static void ct_save(const void *ip, const struct xt_entry_target *target)
printf(" --zone %u", info->zone);
}
-static struct xtables_target ct_target = {
- .family = NFPROTO_UNSPEC,
- .name = "CT",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_ct_target_info)),
- .userspacesize = offsetof(struct xt_ct_target_info, ct),
- .help = ct_help,
- .print = ct_print,
- .save = ct_save,
- .x6_parse = ct_parse,
- .x6_options = ct_opts,
+static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
+{
+ const struct xt_ct_target_info_v1 *info =
+ (const struct xt_ct_target_info_v1 *)target->data;
+
+ if (info->flags & XT_CT_NOTRACK)
+ printf(" --notrack");
+ if (info->helper[0])
+ printf(" --helper %s", info->helper);
+ if (info->timeout[0])
+ printf(" --timeout %s", info->timeout);
+ if (info->ct_events)
+ ct_print_events("--ctevents", ct_event_tbl,
+ ARRAY_SIZE(ct_event_tbl), info->ct_events);
+ if (info->exp_events)
+ ct_print_events("--expevents", exp_event_tbl,
+ ARRAY_SIZE(exp_event_tbl), info->exp_events);
+ if (info->zone)
+ printf(" --zone %u", info->zone);
+}
+
+static struct xtables_target ct_target_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info)),
+ .userspacesize = offsetof(struct xt_ct_target_info, ct),
+ .help = ct_help,
+ .print = ct_print,
+ .save = ct_save,
+ .x6_parse = ct_parse,
+ .x6_options = ct_opts,
+ },
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+ .revision = 1,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
+ .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
+ .help = ct_help_v1,
+ .print = ct_print_v1,
+ .save = ct_save_v1,
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
};
void _init(void)
{
- xtables_register_target(&ct_target);
+ xtables_register_targets(ct_target_reg, ARRAY_SIZE(ct_target_reg));
}
diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man
index ff258b7..a93eb14 100644
--- a/extensions/libxt_CT.man
+++ b/extensions/libxt_CT.man
@@ -23,3 +23,8 @@ Possible event types are: \fBnew\fP.
\fB\-\-zone\fP \fIid\fP
Assign this packet to zone \fIid\fP and only have lookups done in that zone.
By default, packets have zone 0.
+.TP
+\fB\-\-timeout\fP \fIname\fP
+Use the timeout policy identified by \fIname\fP for the connection. This is
+provides more flexible timeout policy definition than global timeout values
+available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 86bbb06..185a813 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -348,8 +348,8 @@ rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
if (info->flags & XT_RATEEST_MATCH_DELTA)
rateest_print_rate(info->bps1, numeric);
if (info->flags & XT_RATEEST_MATCH_ABS) {
- rateest_print_mode(info, "");
rateest_print_rate(info->bps2, numeric);
+ rateest_print_mode(info, "");
}
}
if (info->flags & XT_RATEEST_MATCH_PPS) {
@@ -366,8 +366,6 @@ rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
rateest_print_mode(info, "");
printf(" %s", info->name2);
- if (info->flags & XT_RATEEST_MATCH_DELTA)
- printf(" delta");
if (info->flags & XT_RATEEST_MATCH_BPS) {
printf(" bps");
@@ -382,33 +380,48 @@ rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
}
}
+static void __rateest_save_rate(const struct xt_rateest_match_info *info,
+ const char *name, uint32_t r1, uint32_t r2,
+ int numeric)
+{
+ if (info->flags & XT_RATEEST_MATCH_DELTA) {
+ printf(" --rateest-%s1", name);
+ rateest_print_rate(r1, numeric);
+ rateest_print_mode(info, "--rateest-");
+ printf(" --rateest-%s2", name);
+ } else {
+ rateest_print_mode(info, "--rateest-");
+ printf(" --rateest-%s", name);
+ }
+
+ if (info->flags & (XT_RATEEST_MATCH_ABS|XT_RATEEST_MATCH_DELTA))
+ rateest_print_rate(r2, numeric);
+}
+
+static void rateest_save_rates(const struct xt_rateest_match_info *info)
+{
+ if (info->flags & XT_RATEEST_MATCH_BPS)
+ __rateest_save_rate(info, "bps", info->bps1, info->bps2, 0);
+ if (info->flags & XT_RATEEST_MATCH_PPS)
+ __rateest_save_rate(info, "pps", info->pps1, info->pps2, 1);
+}
+
+
static void
rateest_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_rateest_match_info *info = (const void *)match->data;
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf(" --rateest-delta");
+
if (info->flags & XT_RATEEST_MATCH_REL) {
printf(" --rateest1 %s", info->name1);
- if (info->flags & XT_RATEEST_MATCH_BPS)
- printf(" --rateest-bps");
- if (info->flags & XT_RATEEST_MATCH_PPS)
- printf(" --rateest-pps");
- rateest_print_mode(info, " --rateest-");
+ rateest_save_rates(info);
printf(" --rateest2 %s", info->name2);
- } else {
+ } else { /* XT_RATEEST_MATCH_ABS */
printf(" --rateest %s", info->name1);
- if (info->flags & XT_RATEEST_MATCH_BPS) {
- printf(" --rateest-bps1");
- rateest_print_rate(info->bps1, 0);
- printf(" --rateest-bps2");
- rateest_print_rate(info->bps2, 0);
- rateest_print_mode(info, "--rateest-");
- }
- if (info->flags & XT_RATEEST_MATCH_PPS) {
- printf(" --rateest-pps");
- rateest_print_mode(info, "--rateest-");
- printf(" %u", info->pps2);
- }
+ rateest_save_rates(info);
}
}
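Review bot: `__rateest_save_rate` is a reserved identifier in C (any name containing a double underscore belongs to the implementation), and the file's other helpers such as rateest_print_rate and rateest_print_mode use a plain prefix, so rename it to `rateest_save_rate` at its definition and at both call sites in rateest_save_rates. The helper's output shape depends on three flags and deserves a header comment along the lines of `/* Emit --rateest-<name>[1|2] and the comparison mode; the first rate is saved only in delta mode, the second only in absolute or delta mode. */`. The literal `0` and `1` passed as `numeric` for bps and pps respectively presumably select unit formatting in rateest_print_rate; naming that in the same comment saves the reader a lookup.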
diff --git a/include/iptables/internal.h b/include/iptables/internal.h
index 9b71f24..0c2724d 100644
--- a/include/iptables/internal.h
+++ b/include/iptables/internal.h
@@ -1,7 +1,7 @@
#ifndef IPTABLES_INTERNAL_H
#define IPTABLES_INTERNAL_H 1
-#define IPTABLES_VERSION "1.4.13"
+#define IPTABLES_VERSION "1.4.14"
/**
* Program's own name and version.
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
index b56e768..a064b8a 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -16,4 +16,16 @@ struct xt_ct_target_info {
struct nf_conn *ct __attribute__((aligned(8)));
};
+struct xt_ct_target_info_v1 {
+ __u16 flags;
+ __u16 zone;
+ __u32 ct_events;
+ __u32 exp_events;
+ char helper[16];
+ char timeout[32];
+
+ /* Used internally by the kernel */
+ struct nf_conn *ct __attribute__((aligned(8)));
+};
+
#endif /* _XT_CT_H */
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 92bdc30..3894d68 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -98,7 +98,7 @@ static int add_argv(char *what) {
DEBUGP("add_argv: %s\n", what);
if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
newargv[newargc] = strdup(what);
- newargc++;
+ newargv[++newargc] = NULL;
return 1;
} else {
xtables_error(PARAMETER_PROBLEM,
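Review bot: The terminator written by `newargv[++newargc] = NULL;` is in bounds only because the guard on the line above requires `newargc + 1 < ARRAY_SIZE(newargv)`; that coupling deserves a comment so a later relaxation of the guard does not turn this into an out-of-bounds write: `/* guard keeps newargc + 1 < ARRAY_SIZE(newargv), so the NULL slot is in bounds */`. The identical change in iptables/iptables-restore.c needs the same comment. Note also that the `strdup()` result on the preceding line is stored unchecked, so on allocation failure the last real argument becomes a NULL that is indistinguishable from the new terminator; whether a caller handles that is not visible here. add_argv begins before this hunk.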
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 6b1c792..034f960 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -97,7 +97,7 @@ static int add_argv(char *what) {
DEBUGP("add_argv: %s\n", what);
if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
newargv[newargc] = strdup(what);
- newargc++;
+ newargv[++newargc] = NULL;
return 1;
} else {
xtables_error(PARAMETER_PROBLEM,
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 63965e7..f0f7815 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1307,6 +1307,7 @@ TC_INIT(const char *tablename)
socklen_t s;
int sockfd;
+retry:
iptc_fn = TC_INIT;
if (strlen(tablename) >= TABLE_MAXNAMELEN) {
@@ -1324,7 +1325,6 @@ TC_INIT(const char *tablename)
abort();
}
-retry:
s = sizeof(info);
strcpy(info.name, tablename);
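Review bot: Moving `retry:` above the socket setup means every pass through the label re-creates sockfd, which is the fix the commit describes, but it only stays leak-free if the jump back to retry is always preceded by closing the previous descriptor (the description says TC_FREE does that); neither the jump nor the retry bound is visible in this hunk, so if the jump is unconditional on the triggering errno the loop has no upper limit. Documenting the invariant at the label would make the contract explicit: `retry: /* re-entered only after TC_FREE closed sockfd; a fresh socket is opened below */`. TC_INIT's body continues outside the hunk.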
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 7573361..30dac16 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -54,8 +54,7 @@
-A INPUT -p tcp -m tcpmss --mss 1:2 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0
-A INPUT
--A INPUT -p mobility
--A INPUT -p mobility -m mh --mh-type 3
+-A INPUT -p ipv6-mh -m mh --mh-type 3
-A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3
-A OUTPUT -m owner ! --socket-exists ! --uid-owner 0 ! --gid-owner 0
-A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both
@@ -184,20 +183,17 @@
-A ntarg
-A ntarg -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-A ntarg
-#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit
-#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-bps 8bit
-#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 8bit
-#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-pps 5
-#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5
-#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-pps 5
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit
-#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --bytes
-#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --packets
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
-#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
+-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit
+-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5
+-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 5kbit
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit
+-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest-bps --rateest2 RE2
+-A zmatches -m rateest --rateest-delta --rateest1 RE1 --rateest-lt --rateest2 RE2 --rateest-pps2 42
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
+-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]