On Monday 2010-08-16 22:06, Mistick Levi wrote:
>
>I'm experiencing a problem with iptables...
>I add a rule to a chain with a few matches, and afterwards when I want
>to delete it, I must give it the exact order of matches I gave it
>before, otherwise it says it can't find the rule.
>
>Anyone else know this error? And if it's not an error, but there for
>performance, shouldn't it be fixed?
>I'd like that change to be my first patch to iptables... so if you
>guys think the change is appropriate I'll get on it.
>
>Example:
>iptables -A FORWARD -s 192.168.2.2 -d 192.168.3.3 -p udp ! --fragment
>-m udp --dport 555 -m physdev --physdev-out eth0
>iptables -D FORWARD -s 192.168.2.2 -d 192.168.3.3 -p udp ! --fragment
>-m physdev --physdev-out eth0 -m udp --dport 555

These are not the same two rules. One evaluates the UDP header first,
the other evaluates the physdev interface first. Note that they are
evaluated in short-circuit fashion much like C expressions. Order is
important. This has implications for modules which update an internal
state.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
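An added illustration of the reply's point (example code, not from the thread or from iptables itself): a small Python model of one rule's matches being evaluated left to right with short-circuiting, showing why the same matches in a different order form a different rule and why that matters for a match that keeps state. The Packet fields and the "stateful" match are constructed stand-ins, not real xtables modules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    dport: int   # destination port
    out_if: str  # bridge port the packet leaves on (what -m physdev looks at)


# A match is (its command-line spec, a predicate on the packet).
def udp_dport(port):
    return (f"-m udp --dport {port}", lambda p: p.proto == "udp" and p.dport == port)


def physdev_out(iface):
    return (f"-m physdev --physdev-out {iface}", lambda p: p.out_if == iface)


class StatefulMatch:
    """Constructed stand-in for a match module that updates internal state
    each time the kernel evaluates it (not a real xtables module)."""

    def __init__(self):
        self.evaluations = 0

    def match(self):
        def pred(_pkt):
            self.evaluations += 1  # state changes only if this match is reached
            return True
        return ("-m stateful", pred)


def rule_spec(rule):
    """The rule as the user typed it; match order is part of its identity."""
    return " ".join(spec for spec, _ in rule)


def same_rule(a, b):
    """What 'iptables -D' needs: the same matches in the same order."""
    return rule_spec(a) == rule_spec(b)


def evaluate(rule, pkt):
    """Evaluate matches left to right, stopping at the first failure (like C's &&)."""
    for _spec, pred in rule:
        if not pred(pkt):
            return False
    return True


if __name__ == "__main__":
    r1 = [udp_dport(555), physdev_out("eth0")]
    r2 = [physdev_out("eth0"), udp_dport(555)]
    print(same_rule(r1, r2))  # False: same matches, different rule
    s = StatefulMatch()
    evaluate([udp_dport(555), s.match()], Packet("tcp", 555, "eth0"))
    print(s.evaluations)      # 0: the udp match failed first, so the stateful one never ran
```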