From: Wang Jian <lark@linux.net.cn>
To: Martijn Lievaart <m@rtij.nl>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: About matching (also was: Multiple Targets)
Date: Wed, 13 Apr 2005 18:45:47 +0800 [thread overview]
Message-ID: <20050413182822.0317.LARK@linux.net.cn> (raw)
In-Reply-To: <425CEFE3.2010200@rtij.nl>
Hi Martijn Lievaart,
On Wed, 13 Apr 2005 12:09:39 +0200, Martijn Lievaart <m@rtij.nl> wrote:
>
> This is so non-intuitive it makes my head hurt. Also:
>
> iptables -A SOMECHAIN -m this -m that -j ACTION1
> iptables -A SOMECHAIN -m this -m that -j ACTION2 (dup match)
> iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)
>
> If delete the first
>
> iptables -A SOMECHAIN -m this -m that -j ACTION2 <-- de-mark
> iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)
>
> Now reinsert the first:
>
> iptables -A SOMECHAIN -m this -m that -j ACTION1
> iptables -A SOMECHAIN -m this -m that -j ACTION2 <-- NO DUP MATCH ANYMORE
> iptables -A SOMECHAIN -m this -m that -j RETURN (dup match)
>
>
Good catch. I am convinced.
> which is bad when any of the matches have side effects.
>
> IMO a better course of action is to only allow deletion of the last match(es) in a "previous-chain", which could be the complete chain. So given the example above:
>
>
> iptables -A SOMECHAIN -m this -m that -j ACTION1
> iptables -A SOMECHAIN --previous -j ACTION2
> iptables -A SOMECHAIN --previous -j RETURN
>
> This would only allow to delete the third, the third and the second or all three rules before a commit occurs. These semantics would also allow nicely for ! --previous.
>
Good point. But insertion before the first?
And how about
iptables -A SOMECHAIN -m this -m that -j ACTION1
iptables -A SOMECHAIN --previous -j ACTION2
iptables -A SOMECHAIN !--previous -j ACTION3
iptables -A SOMECHAIN --previous -j RETURN
The ! --previous semantics is confusing in this case.
> The more I think about it, the more I like it. This in effect gives multiple targets. Now someone is bound to come up with the idea that it should also be possible to write
>
> iptables -A SOMECHAIN -m this -m that -j ACTION1 -j ACTION2 -j RETURN
>
> as syntactic sugar. This makes a lot of sense, but is not needed. Let some front-end tool compile the rules to the --previous form, don't burden netfilter with this, unless it can be implemented very easily, which I don't think it can. The semantics are to murky.
>
Yes, this sound good.
--
lark
next prev parent reply other threads:[~2005-04-13 10:45 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-06 16:12 About matching Wang Jian
2005-04-06 18:47 ` Jonas Berlin
2005-04-07 3:54 ` Wang Jian
2005-04-07 5:43 ` Patrick Schaaf
2005-04-07 6:13 ` Wang Jian
2005-04-07 6:35 ` Patrick Schaaf
2005-04-07 6:43 ` Patrick Schaaf
2005-04-07 6:55 ` Wang Jian
2005-04-11 9:47 ` About matching (also was: Multiple Targets) Jonas Berlin
2005-04-13 0:48 ` Wang Jian
2005-04-13 0:52 ` Jonas Berlin
2005-04-13 1:03 ` Wang Jian
2005-04-13 6:52 ` Patrick Schaaf
2005-04-13 7:03 ` Jozsef Kadlecsik
2005-04-13 7:14 ` Patrick Schaaf
2005-04-13 7:43 ` Jozsef Kadlecsik
2005-04-13 7:52 ` Patrick Schaaf
2005-04-13 8:35 ` Jozsef Kadlecsik
2005-04-13 9:25 ` Patrick Schaaf
2005-04-13 7:50 ` Wang Jian
2005-04-13 10:09 ` Martijn Lievaart
2005-04-13 10:45 ` Wang Jian [this message]
2005-04-13 11:17 ` Martijn Lievaart
2005-04-13 11:25 ` Patrick Schaaf
2005-04-13 11:35 ` Martijn Lievaart
2005-04-14 1:16 ` Henrik Nordstrom
2005-04-14 8:01 ` Ben La Monica
2005-04-14 8:56 ` Jonas Berlin
2005-04-14 9:20 ` Wang Jian
2005-04-14 11:43 ` Henrik Nordstrom
2005-04-14 13:21 ` Jonas Berlin
2005-05-03 23:48 ` Jonas Berlin
2005-05-04 7:16 ` Jozsef Kadlecsik
2005-05-04 7:42 ` Jonas Berlin
2005-05-04 8:09 ` Jozsef Kadlecsik
2005-05-04 13:54 ` Jonas Berlin
2005-05-05 6:36 ` Jozsef Kadlecsik
2005-05-15 9:05 ` Jonas Berlin
2005-05-15 9:12 ` Jonas Berlin
2005-04-14 1:14 ` Henrik Nordstrom
2005-04-13 11:01 ` Jonas Berlin
2005-04-13 11:36 ` Martijn Lievaart
2005-04-14 1:09 ` Henrik Nordstrom
2005-04-14 1:03 ` Henrik Nordstrom
2005-04-13 6:45 ` Patrick Schaaf
2005-04-07 7:01 ` About matching Wang Jian
2005-04-07 7:37 ` Jonas Berlin
2005-04-07 8:34 ` Wang Jian
2005-04-08 7:18 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050413182822.0317.LARK@linux.net.cn \
--to=lark@linux.net.cn \
--cc=m@rtij.nl \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.