2016-12-11 14:00 UTC

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0004216CentOS-5iptablespublic2010-02-26 19:55
Reporterjsosic 
PrioritynormalSeveritymajorReproducibilityalways
StatusnewResolutionopen 
Product Version5.4 
Target VersionFixed in Version 
Summary0004216: iptables missing module - libipt_statistic.so not found?
Description# iptables -A INPUT -s 192.168.0.0/16 -i eth0 -m statistic --mode random --probability 0.04 -j DROP
iptables v1.3.5: Couldn't load match `statistic':/lib64/iptables/libipt_statistic.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

# rpm -ql iptables | grep statistic

So, obviously, iptables is not build with libipt_statistic.so. This is reproducable on both x86_64 and i386 machines.
Additional InformationI have written patches, and explanations, and succesfully built fixed packages.

More info is available here:
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=25047&start=0#forumpost100483

Patch is in the attachment.
TagsNo tags attached.
Attached Files
  • patch file icon iptables-1.3.5-statistic.patch (5,192 bytes) 2010-02-26 19:55 -
    --- iptables-1.3.5/extensions/libipt_statistic.c	1970-01-01 01:00:00.000000000 +0100
    +++ iptables-1.3.5/extensions/libipt_statistic.c	2006-09-28 18:40:31.000000000 +0200
    @@ -0,0 +1,175 @@
    +#include <stdio.h>
    +#include <netdb.h>
    +#include <string.h>
    +#include <stdlib.h>
    +#include <stddef.h>
    +#include <getopt.h>
    +
    +#include <iptables.h>
    +#include <linux/netfilter/xt_statistic.h>
    +
    +static void
    +help(void)
    +{
    +	printf(
    +"statistic match v%s options:\n"
    +" --mode mode                    Match mode (random, nth)\n"
    +" random mode:\n"
    +" --probability p		 Probability\n"
    +" nth mode:\n"
    +" --every n			 Match every nth packet\n"
    +" --packet p			 Initial counter value (0 <= p <= n-1, default 0)\n"
    +"\n",
    +IPTABLES_VERSION);
    +}
    +
    +static struct option opts[] = {
    +	{ "mode", 1, 0, '1' },
    +	{ "probability", 1, 0, '2' },
    +	{ "every", 1, 0, '3' },
    +	{ "packet", 1, 0, '4' },
    +	{ 0 }
    +};
    +
    +static struct xt_statistic_info *info;
    +
    +static int
    +parse(int c, char **argv, int invert, unsigned int *flags,
    +      const struct ipt_entry *entry,
    +      unsigned int *nfcache,
    +      struct ipt_entry_match **match)
    +{
    +	double prob;
    +
    +	info = (void *)(*match)->data;
    +
    +	if (invert)
    +		info->flags |= XT_STATISTIC_INVERT;
    +
    +	switch (c) {
    +	case '1':
    +		if (*flags & 0x1)
    +			exit_error(PARAMETER_PROBLEM, "double --mode");
    +		if (!strcmp(optarg, "random"))
    +			info->mode = XT_STATISTIC_MODE_RANDOM;
    +		else if (!strcmp(optarg, "nth"))
    +			info->mode = XT_STATISTIC_MODE_NTH;
    +		else
    +			exit_error(PARAMETER_PROBLEM, "Bad mode `%s'", optarg);
    +		*flags |= 0x1;
    +		break;
    +	case '2':
    +		if (*flags & 0x2)
    +			exit_error(PARAMETER_PROBLEM, "double --probability");
    +		prob = atof(optarg);
    +		if (prob < 0 || prob > 1)
    +			exit_error(PARAMETER_PROBLEM,
    +				   "--probability must be between 0 and 1");
    +		info->u.random.probability = 0x80000000 * prob;
    +		*flags |= 0x2;
    +		break;
    +	case '3':
    +		if (*flags & 0x4)
    +			exit_error(PARAMETER_PROBLEM, "double --every");
    +		if (string_to_number(optarg, 0, 0xFFFFFFFF,
    +				     &info->u.nth.every) == -1)
    +			exit_error(PARAMETER_PROBLEM,
    +				   "cannot parse --every `%s'", optarg);
    +		if (info->u.nth.every == 0)
    +			exit_error(PARAMETER_PROBLEM, "--every cannot be 0");
    +		info->u.nth.every--;
    +		*flags |= 0x4;
    +		break;
    +	case '4':
    +		if (*flags & 0x8)
    +			exit_error(PARAMETER_PROBLEM, "double --packet");
    +		if (string_to_number(optarg, 0, 0xFFFFFFFF,
    +				     &info->u.nth.packet) == -1)
    +			exit_error(PARAMETER_PROBLEM,
    +				   "cannot parse --packet `%s'", optarg);
    +		*flags |= 0x8;
    +		break;
    +	default:
    +		return 0;
    +	}
    +	return 1;
    +}
    +
    +/* Final check; must have specified --mark. */
    +static void
    +final_check(unsigned int flags)
    +{
    +	if (!(flags & 0x1))
    +		exit_error(PARAMETER_PROBLEM, "no mode specified");
    +	if ((flags & 0x2) && (flags & (0x4 | 0x8)))
    +		exit_error(PARAMETER_PROBLEM,
    +			   "both nth and random parameters given");
    +	if (flags & 0x2 && info->mode != XT_STATISTIC_MODE_RANDOM)
    +		exit_error(PARAMETER_PROBLEM,
    +			   "--probability can only be used in random mode");
    +	if (flags & 0x4 && info->mode != XT_STATISTIC_MODE_NTH)
    +		exit_error(PARAMETER_PROBLEM,
    +			   "--every can only be used in nth mode");
    +	if (flags & 0x8 && info->mode != XT_STATISTIC_MODE_NTH)
    +		exit_error(PARAMETER_PROBLEM,
    +			   "--packet can only be used in nth mode");
    +	info->u.nth.count = info->u.nth.every - info->u.nth.packet;
    +}
    +
    +/* Prints out the matchinfo. */
    +static void print_match(const struct xt_statistic_info *info, char *prefix)
    +{
    +	if (info->flags & XT_STATISTIC_INVERT)
    +		printf("! ");
    +
    +	switch (info->mode) {
    +	case XT_STATISTIC_MODE_RANDOM:
    +		printf("%smode random %sprobability %f ", prefix, prefix,
    +		       1.0 * info->u.random.probability / 0x80000000);
    +		break;
    +	case XT_STATISTIC_MODE_NTH:
    +		printf("%smode nth %severy %u ", prefix, prefix,
    +		       info->u.nth.every + 1);
    +		if (info->u.nth.packet)
    +			printf("%spacket %u ", prefix, info->u.nth.packet);
    +		break;
    +	}
    +}
    +
    +static void
    +print(const struct ipt_ip *ip,
    +      const struct ipt_entry_match *match,
    +      int numeric)
    +{
    +	struct xt_statistic_info *info = (struct xt_statistic_info *)match->data;
    +
    +	printf("statistic ");
    +	print_match(info, "");
    +}
    +
    +/* Saves the union ipt_matchinfo in parsable form to stdout. */
    +static void
    +save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
    +{
    +	struct xt_statistic_info *info = (struct xt_statistic_info *)match->data;
    +
    +	print_match(info, "--");
    +}
    +
    +static struct iptables_match statistic = { 
    +	.name		= "statistic",
    +	.version	= IPTABLES_VERSION,
    +	.size		= IPT_ALIGN(sizeof(struct xt_statistic_info)),
    +	.userspacesize	= offsetof(struct xt_statistic_info, u.nth.count),
    +	.help		= help,
    +	.parse		= parse,
    +	.final_check	= final_check,
    +	.print		= print,
    +	.save		= save,
    +	.extra_opts	= opts
    +};
    +
    +void _init(void)
    +{
    +	register_match(&statistic);
    +}
    --- iptables-1.3.5/extensions/.statistic-test	1970-01-01 01:00:00.000000000 +0100
    +++ iptables-1.3.5/extensions/.statistic-test	2006-09-28 18:40:32.000000000 +0200
    @@ -0,0 +1,2 @@
    +#!/bin/sh
    +[ -f $KERNEL_DIR/net/netfilter/xt_statistic.c -a -f $KERNEL_DIR/include/linux/netfilter/xt_statistic.h ] && echo statistic
    
    patch file icon iptables-1.3.5-statistic.patch (5,192 bytes) 2010-02-26 19:55 +

-Relationships
+Relationships

-Notes
There are no notes attached to this issue.
+Notes

-Issue History
Date Modified Username Field Change
2010-02-26 19:55 jsosic New Issue
2010-02-26 19:55 jsosic File Added: iptables-1.3.5-statistic.patch
+Issue History