* sequence of matches in a single rule

From: Nishit Shah @ 2008-05-17 5:40 UTC
To: netfilter

Hi,

Is there any specific order in which the matches will take place?

For example, let's say I have the following rules:

1.) iptables -I PREROUTING -t mangle -m state --state NEW -m mark --mark 1 -j ACCEPT
2.) iptables -I PREROUTING -t mangle -m mark --mark 1 -m state --state NEW -j ACCEPT

When a packet traverses the first rule, does the state match come before the mark match?
When a packet traverses the second rule, does the mark match come before the state match?

Rgds,
Nishit Shah.
* Re: sequence of matches in a single rule

From: Jan Engelhardt @ 2008-05-17 7:05 UTC
To: Nishit Shah; +Cc: netfilter

On Saturday 2008-05-17 07:40, Nishit Shah wrote:
>Hi,
> Is there any specific order in which match will take place ?

Yes. For -m conntrack and -m mark however, it does not matter, as no
internal state is modified. It does matter however, for example, with
-m statistic --mode nth and -m quota.
* RE: sequence of matches in a single rule

From: Nishit Shah @ 2008-05-17 7:21 UTC
To: 'Jan Engelhardt'; +Cc: netfilter

-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Jan Engelhardt
Sent: Saturday, May 17, 2008 12:36 PM
To: Nishit Shah
Cc: netfilter@vger.kernel.org
Subject: Re: sequence of matches in a single rule

On Saturday 2008-05-17 07:40, Nishit Shah wrote:
>Hi,
> Is there any specific order in which match will take place ?

Yes. For -m conntrack and -m mark however, it does not matter, as no
internal state is modified. It does matter however, for example, with
-m statistic --mode nth and -m quota.

So, is that order documented somewhere, or do I need to go through the source code? If I write a match of my own, do I have any way to change the match preference?

The reason I am asking is that there are some matches that are CPU intensive and some are not. For example, I would prefer -m mark to always take precedence over -m limit or -m hashlimit, something like that.

Or is it preferable not to use such a thing in a single rule, and to use 2 iptables rules for that instead?

Rgds,
Nishit Shah.
* RE: sequence of matches in a single rule

From: Jan Engelhardt @ 2008-05-17 8:35 UTC
To: Nishit Shah; +Cc: netfilter

On Saturday 2008-05-17 09:21, Nishit Shah wrote:
>>>Hi,
>>> Is there any specific order in which match will take place ?
>>
>>Yes. For -m conntrack and -m mark however, it does not matter,
>>as no internal state is modified. It does matter however,
>>for example, with -m statistic --mode nth and -m quota.
>
>So, can I have that order somewhere mentioned or I need to go through source
>code ? If I write some of my own match do I have any way to change the match
>preference ?

This is not decided in source code. The order is defined by you when you
pass the -m options to iptables.

> The reason I am asking is, there are some matches that are CPU
>incentive and some are not. For an example I prefer -m mark to always take
>precedence before -m limit or -m hashlimit, something like that..

Correct. Note however, that limit and hashlimit have an internal state.
Using -m mark -m hashlimit, hashlimit only gets to see packets of a
specific mark, while with -m hashlimit -m mark, hashlimit gets to see all
packets, and mark only sees packets which successfully passed hashlimit.

> Or is it more preferable to not use such thing in single rule and
>prefer 2 iptables rules for that ?

One rule is much preferred in this case.
* RE: sequence of matches in a single rule

From: Nishit Shah @ 2008-05-17 8:48 UTC
To: 'Jan Engelhardt'; +Cc: netfilter

-----Original Message-----
From: jengelh@sovereign.computergmbh.de [mailto:jengelh@sovereign.computergmbh.de] On Behalf Of Jan Engelhardt
Sent: Saturday, May 17, 2008 2:06 PM
To: Nishit Shah
Cc: netfilter@vger.kernel.org
Subject: RE: sequence of matches in a single rule

On Saturday 2008-05-17 09:21, Nishit Shah wrote:
>>>Hi,
>>> Is there any specific order in which match will take place ?
>>
>>Yes. For -m conntrack and -m mark however, it does not matter,
>>as no internal state is modified. It does matter however,
>>for example, with -m statistic --mode nth and -m quota.
>
>So, can I have that order somewhere mentioned or I need to go through source
>code ? If I write some of my own match do I have any way to change the match
>preference ?

This is not decided in source code. The order is defined by you when you
pass the -m options to iptables.

> The reason I am asking is, there are some matches that are CPU
>incentive and some are not. For an example I prefer -m mark to always take
>precedence before -m limit or -m hashlimit, something like that..

Correct. Note however, that limit and hashlimit have an internal state.
Using -m mark -m hashlimit, hashlimit only gets to see packets of a
specific mark, while -m hashlimit -m mark, hashlimit gets to see all
packets, and mark only sees packets which successfully passed hashlimit.

> Or is it more preferable to not use such thing in single rule and
>prefer 2 iptables rules for that ?

One rule is much preferred in this case.

Thanks for your explanation, Jan.

Just curious: what will happen in the case when internal state is modified? What is the sequence of matches when I have:

1.) -m statistic --mode nth and -m quota
2.) -m quota and -m statistic --mode nth
3.) -m statistic --mode nth and -m state
4.) -m state and -m statistic --mode nth

Rgds,
Nishit Shah.
* RE: sequence of matches in a single rule

From: Jan Engelhardt @ 2008-05-17 9:12 UTC
To: Nishit Shah; +Cc: netfilter

On Saturday 2008-05-17 10:48, Nishit Shah wrote:
>
>>Using -m mark -m hashlimit, hashlimit only gets to see packets of
>>a specific mark, while -m hashlimit -m mark, hashlimit gets to
>>see all packets, and mark only sees packets which successfully
>>passed hashlimit.
>
>
>Thanks for your explanation Jan,
> Just curious what will happen in case when internal state is
>modified ?

See above.

> What is the sequence of match when I have,

From left to right.

>
> 1.) -m statistic --mode nth and -m quota
> 2.) -m quota and -m statistic --mode nth
>
> 3.) -m statistic --mode nth and -m state
> 4.) -m state and -m statistic --mode nth
>
>Rgds,
>Nishit Shah.
>
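To make the left-to-right rule concrete for the pairs asked about above (and for the -m mark / -m hashlimit case earlier in the thread), here is a small model of how the -m matches of one rule are consulted, as an added illustration that is not part of the thread and not netfilter code. It assumes simplified stand-ins for -m mark, -m state, -m statistic --mode nth and -m quota, and constructed packets of 100 bytes with chosen mark values; the evaluation order and short-circuit behaviour are the only things it claims to model.

```python
"""Constructed model of how the -m matches of one iptables rule are evaluated:
left to right, stopping at the first match that fails. Added illustration,
not netfilter code. The classes are simplified stand-ins for -m mark,
-m state, -m statistic --mode nth and -m quota; packets are plain dicts."""


class MarkMatch:
    """Stateless stand-in for -m mark --mark N."""
    def __init__(self, mark):
        self.mark = mark

    def __call__(self, pkt):
        return pkt["mark"] == self.mark


class StateMatch:
    """Stateless stand-in for -m state --state NAME."""
    def __init__(self, state):
        self.state = state

    def __call__(self, pkt):
        return pkt["state"] == self.state


class NthMatch:
    """Stateful stand-in for -m statistic --mode nth --every N --packet P.
    The counter advances every time the match is consulted, so which packets
    it accepts depends on which packets reach it."""
    def __init__(self, every, packet=0):
        self.every, self.packet, self.counter = every, packet, 0

    def __call__(self, pkt):
        hit = self.counter == self.packet
        self.counter = (self.counter + 1) % self.every
        return hit


class QuotaMatch:
    """Stateful stand-in for -m quota --quota BYTES: matches while the
    remaining quota covers the packet and charges the packet against it."""
    def __init__(self, quota):
        self.remaining = quota

    def __call__(self, pkt):
        if self.remaining >= pkt["len"]:
            self.remaining -= pkt["len"]
            return True
        self.remaining = 0
        return False


def rule_matches(matches, pkt):
    """Left-to-right evaluation. all() stops at the first False, so a match
    further right is never consulted (and never updates its state) for a
    packet that an earlier match already rejected."""
    return all(m(pkt) for m in matches)


def apply_rule(matches, packets):
    """Return the indices of the packets that the whole rule matched."""
    return [i for i, pkt in enumerate(packets) if rule_matches(matches, pkt)]


# Constructed traffic: 8 packets of 100 bytes each, with mark values chosen
# so that a stateful match sees a different packet sequence depending on
# whether it sits before or after -m mark.
PACKETS = [{"mark": m, "state": "NEW", "len": 100}
           for m in (1, 1, 0, 1, 1, 0, 1, 1)]


def compare_nth():
    """-m mark --mark 1 -m statistic --mode nth --every 2
       versus -m statistic --mode nth --every 2 -m mark --mark 1."""
    mark_first = apply_rule([MarkMatch(1), NthMatch(2)], PACKETS)
    nth_first = apply_rule([NthMatch(2), MarkMatch(1)], PACKETS)
    return mark_first, nth_first


def compare_quota():
    """-m mark --mark 1 -m quota --quota 300
       versus -m quota --quota 300 -m mark --mark 1.
    With quota on the left, mark-0 packets burn quota even though the rule
    as a whole never matches them."""
    mark_first = apply_rule([MarkMatch(1), QuotaMatch(300)], PACKETS)
    quota_first = apply_rule([QuotaMatch(300), MarkMatch(1)], PACKETS)
    return mark_first, quota_first


def compare_stateless():
    """-m state --state NEW -m mark --mark 1 in both orders: no internal
    state, so the outcome is identical either way."""
    a = apply_rule([StateMatch("NEW"), MarkMatch(1)], PACKETS)
    b = apply_rule([MarkMatch(1), StateMatch("NEW")], PACKETS)
    return a, b


if __name__ == "__main__":
    print("nth:       mark first / nth first   ->", *compare_nth())
    print("quota:     mark first / quota first ->", *compare_quota())
    print("stateless: either order            ->", *compare_stateless())
```

Running it shows the two stateful cases diverging: with -m mark on the left, nth counts and quota charges only the mark-1 packets; with the stateful match on the left, it counts or charges every packet, including ones the rule then rejects. The state/mark pair returns the same set in both orders, which is the "no internal state is modified" point from the first reply.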