Re: About matching (also was: Multiple Targets)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Wang Jian <lark@linux.net.cn>
To: Patrick Schaaf <bof@bof.de>
Cc: netfilter-devel@lists.netfilter.org,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Subject: Re: About matching (also was: Multiple Targets)
Date: Wed, 13 Apr 2005 15:50:39 +0800	[thread overview]
Message-ID: <20050413152307.0312.LARK@linux.net.cn> (raw)
In-Reply-To: <20050413071427.GC16534@oknodo.bof.de>

Hi Patrick Schaaf,

Common subexpression aggregation should be the best way to go. But
before that is done, we should consider how to improve current scheme,
right? It is a short term vs. long term problem.

Although ! --previous can be done, I am against it with current scheme.
The current scheme is for line by line match, not for structured
semantic such as if-else. Structured rule matching semantic needs much
work for correctness of insertion or deletion.

The --previous is a speedup, it is by no means a structured change.

I will defend my idea of duplication mark. It does make sense. It keeps
user space compatibility very well.

Consider this

iptables -A SOMECHAIN -m this -m that -j ACTION1
iptables -A SOMECHAIN --previous -j ACTION2
iptables -A SOMECHAIN --previous -j RETURN

The user space doesn't do the real work. The kernel space code store the
rules like this:

iptables -A SOMECHAIN -m this -m that -j ACTION1
iptables -A SOMECHAIN -m this -m that -j ACTION2 (dup match)
iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)

When user space do delete, it do deletion as old days. But kernel, do
the trivial magic.

If delete the first

iptables -A SOMECHAIN -m this -m that -j ACTION2 <-- de-mark
iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)

If delete the second

iptables -A SOMECHAIN -m this -m that -j ACTION1
iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)

Do --previous insertion 

iptables -A SOMECHAIN -m this -m that -j ACTION1
iptables -A SOMECHAIN -m this -m that -j NEWACTION1 (dup match)
iptables -A SOMECHAIN -m this -m that -j ACTION2 (dup match)
iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)

Do non --previous insertion

iptables -A SOMECHAIN -m this -m that -j ACTION1
iptables -A SOMECHAIN -m newmatch -j NEWACTION1
iptables -A SOMECHAIN -m this -m that -j ACTION2 <-- de-mark
iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)


On Wed, 13 Apr 2005 09:14:27 +0200, Patrick Schaaf <bof@bof.de> wrote:

> Hi Jozsef,
> 
> On Wed, Apr 13, 2005 at 09:03:14AM +0200, Jozsef Kadlecsik wrote:
> > On Wed, 13 Apr 2005, Patrick Schaaf wrote:
> > 
> > > Also see my other mail: I think that all this is too complicated and
> > > too restrictive on the admin of the machine, and should simply NOT
> > > be done. The "more interesting" problem above, seems to confirm
> > > this feeling :)
> > 
> > I absolutely agree.
> > 
> > Rule evaluation should be improved by replacing the current linear
> > algorithm with some tree-based solution like nf-hipac. Or even with a tree
> > of internal IP sets ;-)
> 
> Or with a code generator with proper common subexpression elimination.
> Wasn't there a tcng project going that way? I sometimes think that
> this must be the right approach, just because so much optimization
> work went into gcc - and it can't be too hard, at least on current
> server/desktop processors, when even a full kernel compile is only
> one or two minutes...
> 
> BTW, I do find the general idea of '--previous' / '! --previous'
> sensible and appealing, because it wouldn't cost much to implement,
> and would give a tool to the ruleset writer to at least express
> _some_ commonality.
> 
> It's just the "upon deletion, do magic when the next rule is --previous",
> that I objected to.
> 
> best regards
>   Patrick



-- 
  lark

next prev parent reply	other threads:[~2005-04-13  7:50 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-04-06 16:12 About matching Wang Jian
2005-04-06 18:47 ` Jonas Berlin
2005-04-07  3:54   ` Wang Jian
2005-04-07  5:43     ` Patrick Schaaf
2005-04-07  6:13       ` Wang Jian
2005-04-07  6:35         ` Patrick Schaaf
2005-04-07  6:43           ` Patrick Schaaf
2005-04-07  6:55             ` Wang Jian
2005-04-11  9:47             ` About matching (also was: Multiple Targets) Jonas Berlin
2005-04-13  0:48               ` Wang Jian
2005-04-13  0:52                 ` Jonas Berlin
2005-04-13  1:03                   ` Wang Jian
2005-04-13  6:52                     ` Patrick Schaaf
2005-04-13  7:03                       ` Jozsef Kadlecsik
2005-04-13  7:14                         ` Patrick Schaaf
2005-04-13  7:43                           ` Jozsef Kadlecsik
2005-04-13  7:52                             ` Patrick Schaaf
2005-04-13  8:35                               ` Jozsef Kadlecsik
2005-04-13  9:25                                 ` Patrick Schaaf
2005-04-13  7:50                           ` Wang Jian [this message]
2005-04-13 10:09                             ` Martijn Lievaart
2005-04-13 10:45                               ` Wang Jian
2005-04-13 11:17                                 ` Martijn Lievaart
2005-04-13 11:25                                   ` Patrick Schaaf
2005-04-13 11:35                                     ` Martijn Lievaart
2005-04-14  1:16                                     ` Henrik Nordstrom
2005-04-14  8:01                                       ` Ben La Monica
2005-04-14  8:56                                         ` Jonas Berlin
2005-04-14  9:20                                           ` Wang Jian
2005-04-14 11:43                                           ` Henrik Nordstrom
2005-04-14 13:21                                             ` Jonas Berlin
2005-05-03 23:48                                               ` Jonas Berlin
2005-05-04  7:16                                                 ` Jozsef Kadlecsik
2005-05-04  7:42                                                   ` Jonas Berlin
2005-05-04  8:09                                                     ` Jozsef Kadlecsik
2005-05-04 13:54                                                       ` Jonas Berlin
2005-05-05  6:36                                                         ` Jozsef Kadlecsik
2005-05-15  9:05                                                           ` Jonas Berlin
2005-05-15  9:12                                                             ` Jonas Berlin
2005-04-14  1:14                                   ` Henrik Nordstrom
2005-04-13 11:01                               ` Jonas Berlin
2005-04-13 11:36                                 ` Martijn Lievaart
2005-04-14  1:09                             ` Henrik Nordstrom
2005-04-14  1:03                           ` Henrik Nordstrom
2005-04-13  6:45                   ` Patrick Schaaf
2005-04-07  7:01           ` About matching Wang Jian
2005-04-07  7:37     ` Jonas Berlin
2005-04-07  8:34       ` Wang Jian
2005-04-08  7:18 ` Jozsef Kadlecsik

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050413152307.0312.LARK@linux.net.cn \
    --to=lark@linux.net.cn \
    --cc=bof@bof.de \
    --cc=kadlec@blackhole.kfki.hu \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.