From: Martijn Lievaart <m@rtij.nl>
To: Jonas Berlin <xkr47@outerspace.dyndns.org>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: About matching (also was: Multiple Targets)
Date: Wed, 13 Apr 2005 13:36:41 +0200
Message-ID: <425D0449.4070306@rtij.nl>
In-Reply-To: <425CFC0F.5010006@outerspace.dyndns.org>

Jonas Berlin wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Quoting Martijn Lievaart on 2005-04-13 10:09 UTC:
>
>
>>The more I think about it, the more I like it. This in effect gives
>>multiple targets. Now someone is bound to come up with the idea that it
>>should also be possible to write
>>
>>iptables -A SOMECHAIN -m this -m that -j ACTION1 -j ACTION2 -j RETURN
>>
>>as syntactic sugar. This makes a lot of sense, but is not needed. Let
>>some front-end tool compile the rules to the --previous form, don't
>>burden netfilter with this, unless it can be implemented very easily,
>>which I don't think it can. The semantics are too murky.
>>
>>
>
>Did you see the mail from me on Mon, 11 Apr 2005 09:47:41 +0000 ? It's
>the first email with the subject
> "Re: About matching (also was: Multiple Targets)"
>
>I wrote some thoughts on how multiple targets could be implemented.
>
>Regarding the rule byte & packet counters, I guess they would be updated
>regardless of how the actions turn out.. (I guess that's how it works
>now too)
>
>

:-) So back full circle :-) I read it, but lost track of it in the chain.
I'm still not convinced we need this, but it /could/ be implemented
using a (then internal) --previous match.

IF (and I'm still not convinced it's a good idea) this is implemented,
there are three ways to do it as I see it now:

1) Either implement --previous wholly in the kernel and make the multiple
targets part of the kernel interface.
2) Or make this syntactic sugar in the iptables binary.
3) Or don't use any form of --previous and implement it differently in
the kernel.

1) and 3) are really equivalent from a user's point of view, also from
the viewpoint of binary compatibility. It's just an implementation
detail. OTOH 2) can be implemented sanely in all the binaries (iptables,
-save and -restore) but will make the kernel API divert semantically
from the commandline API. I'm not sure we want that. I still would
advocate to make an explicit --previous match with semantics as outlined
in my previous mail. It implements the functionality we want (as Patrick
points out in another mail you would need an -j RETURN --up 2 to
implement the same, it can also be done with a GOTO).

M4