On Thu, 4 Apr 2013, Michael Zintakis wrote: > Michael Zintakis wrote: > > Pablo Neira Ayuso wrote: > >> I see. Then my new proposal is to add a new automagic function to > >> round the output to the most expressive measure, would be somehow > >> similar to xtables_print_num: > >> > >> http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=blob;f=libxtables/xtables.c;h=009ab9115f6fd687a762a2552f89ac0b81ee1a42;hb=HEAD#l1915 > Something we've discovered with regards to the nfacct match recently. If > I have the following iptables statement: > > iptables -A INPUT -m nfacct --nfacct <nfacct_obj> -m <match2> -m <match3> > > The above aklways updates the "nfacct_obj" byte and packet counters, > regardless of whether "match2" and "match3" actually matches. However, > if we have: > > iptables -A INPUT -m <match2> -m nfacct --nfacct <nfacct_obj> -m <match3> > > then "nfacct_obj" counters are updated only when "match1" is satisfied, > but if we have: > > iptables -A INPUT -m <match2> -m <match3> -m nfacct --nfacct <nfacct_obj> > > then "nfacct_obj" counters are updated when both match2 and match3 are > matched (which was the initial intention). > > This inconsistency stems from the fact that the nfacct match in the > kernel (xt_nfacct.c::nfacct_mt) always returns true, but also because of > how iptables evaluates matches: it does so from left to right. > > Since there isn't a callback in the xt_match struct which is called > after ALL matches have been satisfied (xt_match.match is called for each > registered match in that statement), this causes the nfacct counters to > be updated (or not) depending on the position of the nfacct match. > > What I have done locally is to add a separate callback (I called it > "matched") which is called for all matches after all such matches in a > particular statement have been satisfied, but that obviously will break > lots of code depending on the old xt_match struct if such approach is > adopted. My question is: is there more elegant solution to do this? In my opinion this is not inconsistency at all, but the intended behaviour. So I don't see any reason to add such a hack to override it. What prevents you from entering the matches in the order you want them to be evaluated? Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
