Hello again,

So I decided to ask this again because it is actually not related to the original post...

Suppose I want to log and drop a packet with certain criteria. Actually, imagine that I want to send the logged info to a program in userspace. I have seen recommendations along the lines of:

    iptables <whatever> <MATCH> -j ULOG
    iptables <whatever> <MATCH> -j DROP

That is doing a double match. So I wanted to ask: has anyone done any experimentation to see when exactly is it better to do another chain, call it "temp", to do the ULOG and DROP unconditionally, and call it from a single one that does the match?

    iptables <whatever> <MATCH> -j temp
    iptables -A temp -j ULOG
    iptables -A temp -j DROP

Of course, it can't be related to the final jumps, so I would expect the drop and ulog not being important. I would conjecture that what is important is actually the MATCH. If the MATCH is very complex, is it better to go the second way. Has anyone done experiments on this?

The reason this is important to me is because I am working on a user level program that is supposed to analyze and generate rules dynamically. I am working on a very general multipurpose language and specification... so, I want to be able to decide what kind of rules I am supposed to generate in different scenarios ... kind of like bringing iptables alive... or actually giving it a life of its own... :)

Regards,
Ruben.
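
An added illustration, not part of the original post: a toy Python model of in-order rule traversal that counts how often the match is evaluated under each of the two layouts above. It assumes cost is measured in match evaluations only (no jump overhead, no kernel timing), and `is_telnet` and the sample packets are constructed stand-ins for <MATCH> and real traffic.

```python
# Toy model of linear rule traversal; counts match evaluations, not kernel time.
from dataclasses import dataclass
from typing import Callable, Optional

TERMINATING = {"DROP", "ACCEPT"}  # ULOG is non-terminating: traversal continues

@dataclass
class Rule:
    match: Optional[Callable[[dict], bool]]  # None = unconditional rule
    target: str                              # built-in target or user chain name

def traverse(chains, name, pkt, stats):
    """Walk one chain; return the verdict, or None if the chain falls through."""
    for rule in chains[name]:
        if rule.match is not None:
            stats["match_evals"] += 1
            if not rule.match(pkt):
                continue
        if rule.target in chains:            # jump to a user-defined chain
            verdict = traverse(chains, rule.target, pkt, stats)
            if verdict:
                return verdict               # otherwise implicit RETURN to caller
        elif rule.target in TERMINATING:
            return rule.target
        else:
            stats["logged"] += 1             # ULOG: record, then go to the next rule
    return None

def run(chains, packets):
    stats = {"match_evals": 0, "logged": 0, "dropped": 0}
    for pkt in packets:
        if traverse(chains, "INPUT", pkt, stats) == "DROP":
            stats["dropped"] += 1
    return stats

def is_telnet(pkt):                          # constructed stand-in for <MATCH>
    return pkt["proto"] == "tcp" and pkt["dport"] == 23

# Layout 1: the same match written twice. Layout 2: one match, jump to "temp".
double_match = {"INPUT": [Rule(is_telnet, "ULOG"), Rule(is_telnet, "DROP")]}
single_match = {"INPUT": [Rule(is_telnet, "temp")],
                "temp": [Rule(None, "ULOG"), Rule(None, "DROP")]}

# Constructed traffic: 2 matching packets, 8 non-matching packets.
packets = [{"proto": "tcp", "dport": 23}] * 2 + [{"proto": "tcp", "dport": 443}] * 8

if __name__ == "__main__":
    print("double:", run(double_match, packets))
    print("single:", run(single_match, packets))
```

In this model the non-matching packets also pay for the duplicated match, since both rules in the first layout are tested before the packet falls through.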