From: Wang Jian <lark@linux.net.cn>
To: Patrick Schaaf <bof@bof.de>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: About matching
Date: Thu, 07 Apr 2005 15:01:56 +0800 [thread overview]
Message-ID: <20050407145507.02C5.LARK@linux.net.cn> (raw)
In-Reply-To: <20050407063547.GD20287@oknodo.bof.de>
Hi Patrick Schaaf,
On Thu, 7 Apr 2005 08:35:48 +0200, Patrick Schaaf <bof@bof.de> wrote:
> > Yes. So I think --previous is a strong indication that
> > you-know-what-you-are-doing. With this option, kernel is instructed that
> > this optimization is needed, and is ok even if there are conflicts.
>
> I agree. Following implementation thougts and questions arise:
>
> It would be a bit more typing work, but '-m previous' would be
> more easy to implement, I think: just write it as a new match.
> The match function will need access to a 'didmatch' boolean variable.
> The variable value would be determined by the result of the immediately
> previous match, surely available to the main table walking code.
>
> Should this variable be set to 0 when entering each new chain? I think yes.
>
Here, first we should decide how -m previous is implemented.
1. A real match;
2. A pseudo match, which copy previous rule's match and mark itself a
dup of previous match;
I prefer the later. The insertion and deletion logic will be very small
and clean. When you delete the previous, this match still makes sense,
and you just clear the 'dup' mark.
> Then there is the question of how the previous match code would access
> the variable. Without changing the call signature of match functions,
> it needs to be somewhat global. Hmm: can there be several ruleset
> walks active at the same time and on the same processor? If not,
> this could be a CPU-private variable.
>
> Last question: in the main match loop, some matching is handled by
> the loop itself (input/output device, source/destination IP address).
> Now, when a rule uses -m previous, should this rule's device and
> IP address fields be checked, anyway, or should this check also
> be ommitted? I think it could also be ommitted.
>
These two questions depends on the decision made above.
> Finally, a full common-subexpression-elimination, in user level,
> before pushing the ruleset into the kernel, would be very nice.
> Unfortunately this will be harder to do when single-rule-updates,
> instead of full-table-loading, becomes state of the art. :)
>
tc filter seems to be doing this in kernel space.
--
lark
next prev parent reply other threads:[~2005-04-07 7:01 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-06 16:12 About matching Wang Jian
2005-04-06 18:47 ` Jonas Berlin
2005-04-07 3:54 ` Wang Jian
2005-04-07 5:43 ` Patrick Schaaf
2005-04-07 6:13 ` Wang Jian
2005-04-07 6:35 ` Patrick Schaaf
2005-04-07 6:43 ` Patrick Schaaf
2005-04-07 6:55 ` Wang Jian
2005-04-11 9:47 ` About matching (also was: Multiple Targets) Jonas Berlin
2005-04-13 0:48 ` Wang Jian
2005-04-13 0:52 ` Jonas Berlin
2005-04-13 1:03 ` Wang Jian
2005-04-13 6:52 ` Patrick Schaaf
2005-04-13 7:03 ` Jozsef Kadlecsik
2005-04-13 7:14 ` Patrick Schaaf
2005-04-13 7:43 ` Jozsef Kadlecsik
2005-04-13 7:52 ` Patrick Schaaf
2005-04-13 8:35 ` Jozsef Kadlecsik
2005-04-13 9:25 ` Patrick Schaaf
2005-04-13 7:50 ` Wang Jian
2005-04-13 10:09 ` Martijn Lievaart
2005-04-13 10:45 ` Wang Jian
2005-04-13 11:17 ` Martijn Lievaart
2005-04-13 11:25 ` Patrick Schaaf
2005-04-13 11:35 ` Martijn Lievaart
2005-04-14 1:16 ` Henrik Nordstrom
2005-04-14 8:01 ` Ben La Monica
2005-04-14 8:56 ` Jonas Berlin
2005-04-14 9:20 ` Wang Jian
2005-04-14 11:43 ` Henrik Nordstrom
2005-04-14 13:21 ` Jonas Berlin
2005-05-03 23:48 ` Jonas Berlin
2005-05-04 7:16 ` Jozsef Kadlecsik
2005-05-04 7:42 ` Jonas Berlin
2005-05-04 8:09 ` Jozsef Kadlecsik
2005-05-04 13:54 ` Jonas Berlin
2005-05-05 6:36 ` Jozsef Kadlecsik
2005-05-15 9:05 ` Jonas Berlin
2005-05-15 9:12 ` Jonas Berlin
2005-04-14 1:14 ` Henrik Nordstrom
2005-04-13 11:01 ` Jonas Berlin
2005-04-13 11:36 ` Martijn Lievaart
2005-04-14 1:09 ` Henrik Nordstrom
2005-04-14 1:03 ` Henrik Nordstrom
2005-04-13 6:45 ` Patrick Schaaf
2005-04-07 7:01 ` Wang Jian [this message]
2005-04-07 7:37 ` About matching Jonas Berlin
2005-04-07 8:34 ` Wang Jian
2005-04-08 7:18 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050407145507.02C5.LARK@linux.net.cn \
--to=lark@linux.net.cn \
--cc=bof@bof.de \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.