Re: Iptables rules processing

On Fri, Aug 03, 2007 at 06:23:10PM +0200, Ray Leach wrote:
>
>
> Franck Joncourt wrote:
>> Hi,
>>
>> Assuming we have the next two rules in our ruleset :
>>
>> iptables -A INPUT -s 192.168.10.14 -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -s 192.168.10.14 -p tcp --dport 443 -j ACCEPT
>>
>> I was wondering whether rules are processed one by one.
>> In the two rules above, we have to check the source address
>> 192.168.10.14, so I think this is done for the first one, and then for
>> the second one. I am not quite sure ; Can anyone confirm that ?
>>
>>   
> Yes, rules are processed one by one until a rule matches the packet.
>
> So the first rule above would be matched for traffic coming from 
> 192.168.10.14 going to port 80 (192.168.10.14 browses a website)
> The second rule would be matched when 192.168.10.14 tried to browse a 
> secure website.
>
> Since both these rules are in the INPUT chain, they will only be matched 
> when the source ip tried to access those ports on the machine running 
> iptables.
>

I meant, can't there be processing like this?

1/
-> ...
-> match for the source address 192.168.10.14
    |-> match for destination port 80 -> ACCEPT
    |-> match for the destination port 443 -> ACCEPT
-> ...


As I see it, it works this way:

2/
-> ... 
-> match source address 192.168.10.14 AND destination port 80
    |-> ACCEPT
-> match source address 192.168.10.14 AND destination port 443
    |-> ACCEPT
->...

In case 1, we check the source address once, and in the second case,
twice. So the first case would be quicker to process than the second
one, where there is no optimisation.

I know what these rules do, but this is just an example, and I know how
the user chains work as well :p!

-- 
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
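To make the difference between the two orderings above concrete, here is a small added simulation of first-match, rule-by-rule evaluation. It is not netfilter code and not part of the thread: it models the flat ruleset from the original message (case 2, where each rule carries its own source check) next to the equivalent layout using a user-defined chain (case 1, where the source address is checked once and the port checks live in the sub-chain). The chain name `FROM_14`, the `Packet` type, the counter of source-address evaluations and the default policy of `DROP` are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    """Constructed minimal packet: enough fields for -s / -p / --dport matches."""
    src: str
    proto: str
    dport: int


@dataclass
class Rule:
    """A rule is a list of match predicates (all must hold) plus a target."""
    matches: List[Callable[[Packet], bool]]
    target: str  # "ACCEPT", "DROP" or the name of a user-defined chain


class Firewall:
    """Toy model of iptables chain traversal: rules are tried in order,
    the first fully matching rule decides, and a user chain that falls
    through returns to the rule after the jump in the calling chain."""

    def __init__(self, policy: str = "DROP"):
        self.chains: Dict[str, List[Rule]] = {}
        self.policy = policy          # chain policy, assumed DROP here
        self.src_checks = 0           # how many -s comparisons were evaluated

    def add_chain(self, name: str) -> None:
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def src_is(self, addr: str) -> Callable[[Packet], bool]:
        # Instrumented source-address match so we can count evaluations.
        def match(pkt: Packet) -> bool:
            self.src_checks += 1
            return pkt.src == addr
        return match

    @staticmethod
    def tcp_dport(port: int) -> Callable[[Packet], bool]:
        return lambda pkt: pkt.proto == "tcp" and pkt.dport == port

    def walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            # all() short-circuits: later matches in a rule are skipped
            # as soon as an earlier one fails, like netfilter does.
            if all(m(pkt) for m in rule.matches):
                if rule.target in ("ACCEPT", "DROP"):
                    return rule.target
                verdict = self.walk(rule.target, pkt)   # jump to user chain
                if verdict is not None:
                    return verdict                      # chain gave a verdict
                # otherwise the user chain fell through: continue here
        return None

    def verdict(self, chain: str, pkt: Packet) -> str:
        v = self.walk(chain, pkt)
        return v if v is not None else self.policy


def flat_ruleset() -> Firewall:
    """Case 2 from the message: both rules repeat the source check."""
    fw = Firewall()
    fw.add_chain("INPUT")
    fw.append("INPUT", Rule([fw.src_is("192.168.10.14"), fw.tcp_dport(80)], "ACCEPT"))
    fw.append("INPUT", Rule([fw.src_is("192.168.10.14"), fw.tcp_dport(443)], "ACCEPT"))
    return fw


def user_chain_ruleset() -> Firewall:
    """Case 1, built by hand with a user chain (name FROM_14 is constructed):
    one source check, then the port checks inside the sub-chain."""
    fw = Firewall()
    fw.add_chain("INPUT")
    fw.add_chain("FROM_14")
    fw.append("INPUT", Rule([fw.src_is("192.168.10.14")], "FROM_14"))
    fw.append("FROM_14", Rule([fw.tcp_dport(80)], "ACCEPT"))
    fw.append("FROM_14", Rule([fw.tcp_dport(443)], "ACCEPT"))
    return fw


def evaluate(build: Callable[[], Firewall], pkt: Packet):
    """Return (verdict, number of source-address checks performed)."""
    fw = build()
    return fw.verdict("INPUT", pkt), fw.src_checks


if __name__ == "__main__":
    https_from_14 = Packet("192.168.10.14", "tcp", 443)
    for name, build in (("flat", flat_ruleset), ("user chain", user_chain_ruleset)):
        print(name, evaluate(build, https_from_14))
```

Running it shows the point of the question: for a packet from 192.168.10.14 to port 443, the flat layout evaluates the source match twice before reaching ACCEPT, while the user-chain layout evaluates it once. The same holds for a packet from some other address, which the flat layout compares against the source twice before it falls to the policy, and the user-chain layout only once. The kernel does not merge common prefixes of consecutive rules for you; if that sharing matters, it is expressed explicitly with user chains, which also keeps the rule order (and therefore the first-match semantics) readable when auditing the ruleset.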


