comments anyone?

---------- Forwarded message ----------
From: Mistick Levi <gmistick@xxxxxxxxx>
Date: Tue, Aug 17, 2010 at 9:45 PM
Subject: Re: iptables rule matching error
To: Jan Engelhardt <jengelh@xxxxxxxxxx>

Hi, thanks for the quick reply.

Could you point me to a few links with more information? For example, which modules update internal state, and why is the evaluation order important? And why does it matter which match evaluates first when the issue here is with deletion of a rule... Could you give a few examples?

Kind Regards
Yechiel Levi

On Mon, Aug 16, 2010 at 11:29 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
> On Monday 2010-08-16 22:06, Mistick Levi wrote:
>>
>> I'm experiencing a problem with iptables...
>> I add a rule to a chain with a few matches, and afterwards when I want
>> to delete it, I must give it the exact order of matches I gave it
>> before, otherwise it says it can't find the rule.
>>
>> Anyone else know this error? And if it's not an error, but there for
>> performance, shouldn't it be fixed?
>> I'd like that change to be my first patch to iptables... so if you
>> guys think the change is appropriate I'll get on it.
>>
>> Example:
>> iptables -A FORWARD -s 192.168.2.2 -d 192.168.3.3 -p udp ! --fragment
>> -m udp --dport 555 -m physdev --physdev-out eth0
>> iptables -D FORWARD -s 192.168.2.2 -d 192.168.3.3 -p udp ! --fragment
>> -m physdev --physdev-out eth0 -m udp --dport 555
>
> These are not the same two rules. One evaluates the UDP header first,
> the other evaluates the physdev interface first. Note that they are
> evaluated in short-circuit fashion much like C expressions. Order is
> important. This has implications for modules which update an internal
> state.
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
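The point Jan makes is that iptables compares a rule for deletion token by token, so the two command lines in the example are two different rules, and a `-D` with the matches in the other order finds nothing. The script below is an added example (not code from the thread or from the iptables project) showing the practical workaround an administrator uses: read the chain back with `iptables -S CHAIN`, which prints every rule in the exact match order the kernel holds, and locate the rule by its set of matches regardless of the order they were typed in, so it can be deleted by number with `iptables -D CHAIN N`. It never calls iptables itself; the `-S` output it parses is constructed sample text shaped like real output, and the alias table covers only the long options used in the thread plus a few common ones.

```python
"""Locate an iptables rule by its matches in any order, from `iptables -S` text.

Added example, not from the thread or the iptables project. It does not touch
the kernel; it parses constructed text shaped like `iptables -S FORWARD` output.
"""
import shlex

# Constructed sample of `iptables -S FORWARD` output on a host holding the rule
# from the thread plus one unrelated rule. Not captured from a real system.
# Note how -S prints /32 on host addresses and `! -f` for `! --fragment`.
SAMPLE_S_OUTPUT = """\
-P FORWARD ACCEPT
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.2.2/32 -d 192.168.3.3/32 -p udp ! -f -m udp --dport 555 -m physdev --physdev-out eth0
"""

# The two command lines from the thread, minus the `iptables -A/-D FORWARD` prefix.
RULE_AS_ADDED = ("-s 192.168.2.2 -d 192.168.3.3 -p udp ! --fragment "
                 "-m udp --dport 555 -m physdev --physdev-out eth0")
RULE_AS_DELETED = ("-s 192.168.2.2 -d 192.168.3.3 -p udp ! --fragment "
                   "-m physdev --physdev-out eth0 -m udp --dport 555")

# Long-option spellings that -S prints in short form (partial table, an assumption
# of this example; extend it for options you use).
ALIASES = {"--source": "-s", "--destination": "-d", "--protocol": "-p",
           "--fragment": "-f", "--jump": "-j", "--match": "-m",
           "--in-interface": "-i", "--out-interface": "-o"}


def normalize_tokens(tokens):
    """Rewrite a token list the way `iptables -S` would print it."""
    out = []
    for i, t in enumerate(tokens):
        t = ALIASES.get(t, t)
        # -S prints host addresses with an explicit /32 prefix length
        if i > 0 and out[i - 1] in ("-s", "-d") and "/" not in t:
            t += "/32"
        out.append(t)
    return out


def split_matches(tokens):
    """Split a rule into (base tokens, list of `-m` match groups).

    The base holds the built-in selectors (-s, -d, -p, -f, -j ...); each group
    holds one `-m name` and its options, in the order iptables evaluates them.
    """
    base, groups, cur = [], [], None
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "-m":
            if cur is not None:
                groups.append(tuple(cur))
            cur = [t, tokens[i + 1]]
            i += 2
        elif t == "-j":  # the target belongs to the rule, not to a match
            if cur is not None:
                groups.append(tuple(cur))
                cur = None
            base.extend(tokens[i:i + 2])
            i += 2
        else:
            (cur if cur is not None else base).append(t)
            i += 1
    if cur is not None:
        groups.append(tuple(cur))
    return tuple(base), groups


def same_rule_ordered(spec_a, spec_b):
    """What `iptables -D` checks: identical tokens in identical order."""
    return normalize_tokens(shlex.split(spec_a)) == normalize_tokens(shlex.split(spec_b))


def same_rule_unordered(spec_a, spec_b):
    """Same selectors and same set of match groups, ignoring match order."""
    base_a, groups_a = split_matches(normalize_tokens(shlex.split(spec_a)))
    base_b, groups_b = split_matches(normalize_tokens(shlex.split(spec_b)))
    return base_a == base_b and sorted(groups_a) == sorted(groups_b)


def find_rule_numbers(s_output, chain, spec):
    """Return the 1-based numbers of rules in `chain` whose matches equal `spec`
    in any order; each N is what `iptables -D chain N` would delete."""
    want_base, want_groups = split_matches(normalize_tokens(shlex.split(spec)))
    want = (want_base, sorted(want_groups))
    hits, n = [], 0
    for line in s_output.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A" or toks[1] != chain:
            continue  # policy lines (-P) and other chains do not get a number
        n += 1
        have_base, have_groups = split_matches(normalize_tokens(toks[2:]))
        if (have_base, sorted(have_groups)) == want:
            hits.append(n)
    return hits


if __name__ == "__main__":
    print("ordered equal:", same_rule_ordered(RULE_AS_ADDED, RULE_AS_DELETED))
    print("unordered equal:", same_rule_unordered(RULE_AS_ADDED, RULE_AS_DELETED))
    for n in find_rule_numbers(SAMPLE_S_OUTPUT, "FORWARD", RULE_AS_DELETED):
        print("iptables -D FORWARD", n)
```

On a real host the `-S` text comes from running `iptables -S FORWARD` (the same canonical form appears in `iptables-save`), and the printed `iptables -D FORWARD N` is the command to run; deleting by number is also the safe route when two rules differ only in match order and you must pick one of them.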