From: Brad Fisher <brad@info-link.net>
To: Samuel Jean <sj-netfilter@cookinglinux.org>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: ipt_time fixes (resend, sorry)
Date: Thu, 20 Jan 2005 12:45:51 -0600 [thread overview]
Message-ID: <41EFFC5F.1050207@info-link.net> (raw)
In-Reply-To: <13851.142.169.215.10.1106246038.squirrel@142.169.215.10>
Samuel Jean wrote:
>Hi!
>
>On Thu, January 20, 2005 12:18 pm, Krzysztof Oledzki said:
>
>..snip..
>
>
>
>>On Thu, 20 Jan 2005, Brad Fisher wrote:
>>
>>
>>>To match 20:00 - 4:00 you currently need 2 rules:
>>>1) match 20:00 - 23:59
>>>2) match 0:00 - 4:00
>>>What I'm proposing is to allow this to be reduced to one rule.
>>>
>>>
>
>What Brad proposes makes so much sense, IMHO. I haven't looked at this
>code yet (ipt_time) but I thought it already behaves that way. Apperently
>not, since you both complain about it.
>
>
>
>>So, again.. You need something like invert flag in -m like in the -p:
>>
>>iptables -A something ! -m time --timestart 4:01 --timestop 19:59 -j
>>DoSomething
>>
>>This one should match 20:00-20:59 and 0:00-4:00, true?
>>
>>
>
>I wasn't aware you can negate --match options. Are you sure we can do this ?
>
>
>
I haven't found any generic capability to negate matches. I could see
this being possibly useful, and could reduce the need for every
individual match to implement some sort of negation internally. Of
course, it may not make sense to be able to negate some types of matches
(no examples come to mind though).
>>Right now you can use:
>>
>>iptables -N Match20_4
>>iptables -A Match20_4 -m time --timestart 4:01 --timestop 19:59 -j RETURN
>>iptables -A Match20_4 -j DoSomething
>>
>>This one should match 20:00-20:59 and 0:00-4:00, true?
>>
>>
>
>Yes, but rather ugly :) I strongly suggest adding support to it. As Brad
>did mention, another 'if' condition produces less latency than superfluous
>packet iteration.
>
>
It also makes the ruleset more complex by adding a custom chain and two
rules where I'd like to only have one rule. Your example may work fine
and not add much complexity when multiple rules may jump to the new
chain, but if you need to match multiple time ranges this way, it could
really bulk up your ruleset for no real reason. It'd just be nice if
the time match handled this in a way that doesn't require such
workarounds in the first place.
>>Best regards,
>>
>> Krzysztof Olêdzki
>>
>>
>
>Cheers!
>
>Samuel
>
>
-Brad
next prev parent reply other threads:[~2005-01-20 18:45 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-14 14:04 ipt_time fixes (resend, sorry) Krzysztof Oledzki
2005-01-14 14:37 ` Bill Rugolsky Jr.
2005-01-14 14:48 ` Krzysztof Oledzki
2005-01-14 15:32 ` Samuel Jean
2005-01-14 15:24 ` Krzysztof Oledzki
2005-01-14 16:27 ` Brad Fisher
2005-01-14 16:35 ` Brad Fisher
2005-01-20 13:40 ` Krzysztof Oledzki
2005-01-20 16:35 ` Brad Fisher
2005-01-20 17:18 ` Krzysztof Oledzki
2005-01-20 18:33 ` Samuel Jean
2005-01-20 18:45 ` Brad Fisher [this message]
2005-01-20 22:54 ` Krzysztof Oledzki
2005-01-21 0:23 ` Samuel Jean
2005-02-01 12:06 ` Harald Welte
2005-02-01 16:52 ` Krzysztof Oledzki
2005-02-15 0:57 ` Harald Welte
2005-04-05 8:18 ` Krzysztof Oledzki
2005-04-10 20:26 ` Harald Welte
2005-04-12 18:45 ` Krzysztof Oledzki
2005-01-14 22:47 ` Samuel Jean
[not found] ` <200502030010.47260.fabrice.marie@fma-rms.com>
[not found] ` <Pine.LNX.4.62.0502150219100.17929@bizon.gios.gov.pl>
2005-02-15 15:23 ` Fabrice MARIE
2005-02-15 15:58 ` Krzysztof Oledzki
2005-02-16 15:24 ` Fabrice MARIE
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41EFFC5F.1050207@info-link.net \
--to=brad@info-link.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=sj-netfilter@cookinglinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.