sequence of matches in a single rule

sequence of matches in a single rule

[Nishit Shah]

Hi,
	Is there any specific order in which match will take place ?

	Ex:- lets say I have a following rules.

	1.) iptables -I PREROUTING -t mangle -m state --state NEW -m mark
--mark 1 -j ACCEPT
	2.) iptables -I PREROUTING -t mangle -m mark --mark 1 -m state
--state NEW -j ACCEPT

	When packet traverse first rule, does state match comes before mark
match ?
	When packet traverse second rule, does mark match comes before state
match ?


Rgds,
Nishit Shah.	

Re: sequence of matches in a single rule

[Jan Engelhardt]

On Saturday 2008-05-17 07:40, Nishit Shah wrote:

>Hi,
>	Is there any specific order in which match will take place ?

Yes. For -m conntrack and -m mark however, it does not matter,
as no internal state is modified. It does matter however,
for example, with -m statistic --mode nth and -m quota.

RE: sequence of matches in a single rule

[Nishit Shah]

-----Original Message-----
From: netfilter-owner@vger.kernel.org
[mailto:netfilter-owner@vger.kernel.org] On Behalf Of Jan Engelhardt
Sent: Saturday, May 17, 2008 12:36 PM
To: Nishit Shah
Cc: netfilter@vger.kernel.org
Subject: Re: sequence of matches in a single rule


On Saturday 2008-05-17 07:40, Nishit Shah wrote:

>Hi,
>	Is there any specific order in which match will take place ?

Yes. For -m conntrack and -m mark however, it does not matter,
as no internal state is modified. It does matter however,
for example, with -m statistic --mode nth and -m quota.

So, can I have that order somewhere mentioned or I need to go through source
code ? If I write some of my own match do I have any way to change the match
preference ? 
	The reason I am asking is, there are some matches that are CPU
incentive and some are not. For an example I prefer -m mark to always take
precedence before -m limit or -m hashlimit, something like that..
	Or is it more preferable to not use such thing in single rule and
prefer 2 iptables rules for that ?

Rgds,
Nishit Shah. 

RE: sequence of matches in a single rule

[Jan Engelhardt]

On Saturday 2008-05-17 09:21, Nishit Shah wrote:
>>>Hi,
>>>	Is there any specific order in which match will take place ?
>>
>>Yes. For -m conntrack and -m mark however, it does not matter,
>>as no internal state is modified. It does matter however,
>>for example, with -m statistic --mode nth and -m quota.
>
>So, can I have that order somewhere mentioned or I need to go through source
>code ? If I write some of my own match do I have any way to change the match
>preference ? 

This is not decided in source code. The order is defined by you when
you pass the -m options to iptables.

>	The reason I am asking is, there are some matches that are CPU
>incentive and some are not. For an example I prefer -m mark to always take
>precedence before -m limit or -m hashlimit, something like that..

Correct.
Note however, that limit and hashlimit have an internal state.

Using -m mark -m hashlimit, hashlimit only gets to see packets of
a specific mark, while -m hashlimit -m mark, hashlimit gets to
see all packets, and mark only sees packets which successfully
passed hashlimit.

>	Or is it more preferable to not use such thing in single rule and
>prefer 2 iptables rules for that ?

One rule is much preferred in this case.

RE: sequence of matches in a single rule

[Nishit Shah]

-----Original Message-----
From: jengelh@sovereign.computergmbh.de
[mailto:jengelh@sovereign.computergmbh.de] On Behalf Of Jan Engelhardt
Sent: Saturday, May 17, 2008 2:06 PM
To: Nishit Shah
Cc: netfilter@vger.kernel.org
Subject: RE: sequence of matches in a single rule


On Saturday 2008-05-17 09:21, Nishit Shah wrote:
>>>Hi,
>>>	Is there any specific order in which match will take place ?
>>
>>Yes. For -m conntrack and -m mark however, it does not matter,
>>as no internal state is modified. It does matter however,
>>for example, with -m statistic --mode nth and -m quota.
>
>So, can I have that order somewhere mentioned or I need to go through
source
>code ? If I write some of my own match do I have any way to change the
match
>preference ? 

This is not decided in source code. The order is defined by you when
you pass the -m options to iptables.

>	The reason I am asking is, there are some matches that are CPU
>incentive and some are not. For an example I prefer -m mark to always take
>precedence before -m limit or -m hashlimit, something like that..

Correct.
Note however, that limit and hashlimit have an internal state.

Using -m mark -m hashlimit, hashlimit only gets to see packets of
a specific mark, while -m hashlimit -m mark, hashlimit gets to
see all packets, and mark only sees packets which successfully
passed hashlimit.

>	Or is it more preferable to not use such thing in single rule and
>prefer 2 iptables rules for that ?

One rule is much preferred in this case.


Thanks for your explanation Jan,
	Just curious what will happen in case when internal state is
modified ?

	What is the sequence of match when I have,

		1.) -m statistic --mode nth and -m quota
		2.) -m quota and -m statistic --mode nth

		3.) -m statistic --mode nth and -m state
		4.) -m state and -m statistic --mode nth

Rgds,
Nishit Shah.

RE: sequence of matches in a single rule

[Jan Engelhardt]

On Saturday 2008-05-17 10:48, Nishit Shah wrote:
>
>>Using -m mark -m hashlimit, hashlimit only gets to see packets of
>>a specific mark, while -m hashlimit -m mark, hashlimit gets to
>>see all packets, and mark only sees packets which successfully
>>passed hashlimit.
>
>
>Thanks for your explanation Jan,
>	Just curious what will happen in case when internal state is
>modified ?

See above.

>	What is the sequence of match when I have,

From left to right.

>
>		1.) -m statistic --mode nth and -m quota
>		2.) -m quota and -m statistic --mode nth
>
>		3.) -m statistic --mode nth and -m state
>		4.) -m state and -m statistic --mode nth
>
>Rgds,
>Nishit Shah.
>