From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: [RFC][PATCH] optimise iptables interface matching
Date: Sat, 26 May 2007 10:47:56 +0200
Message-ID: <4657F43C.2000306@trash.net>
References: <465528CB.4020108@snapgear.com> <4655CEB0.4060306@trash.net> <46561A9F.2010800@snapgear.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Cc: Netfilter Developer Mailing List
To: Philip Craig
In-Reply-To: <46561A9F.2010800@snapgear.com>
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Philip Craig wrote:
> Patrick McHardy wrote:
>
>>I don't like the kernel-internal fiddling with the flags too
>>much, but I don't see a way around it.
>
>
> The other idea I had was moving the interface matching into
> an internal match that would be checked by IPT_MATCH_ITERATE().
> Not sure if this is feasible yet.

Mhh .. probably not since you would have to put it somewhere
in the blob.

>>userspace should just ignore unknown flags.
>
>
> I was trying to completely hide them from userspace so that we
> still have the option to use them for something else later on.
> If we ever send them to userspace, then they are taken forever,
> otherwise a newer iptables userspace may not work with an older
> kernel.

We could do that, but we would need some other place to store
them since once we want to use them for something new we can't
put them in ->flags anymore.