-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Jan Engelhardt
Sent: Saturday, May 17, 2008 12:36 PM
To: Nishit Shah
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: sequence of matches in a single rule

On Saturday 2008-05-17 07:40, Nishit Shah wrote:
>Hi,
> Is there any specific order in which match will take place?

Yes.

For -m conntrack and -m mark however, it does not matter, as no internal state is modified. It does matter however, for example, with -m statistic --mode nth and -m quota.

So, can I have that order mentioned somewhere, or do I need to go through the source code? If I write some of my own matches, do I have any way to change the match preference?

The reason I am asking is that there are some matches that are CPU intensive and some that are not. For example, I prefer -m mark to always take precedence before -m limit or -m hashlimit, something like that.

Or is it preferable not to use such a thing in a single rule and to use 2 iptables rules for that?

Rgds,
Nishit Shah.
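
Why ordering matters for a stateful match such as -m quota, shown as an added example that is not part of the original thread: a simplified Python model, not netfilter code. It assumes a rule's matches are evaluated in the order given and that evaluation stops at the first match that fails; the class names, function names and packets are constructed for illustration.

```python
# Toy model (not netfilter code). Assumption: a rule's matches are evaluated
# in the order given and evaluation stops at the first one that fails.

class MarkMatch:
    """Stateless, like -m mark: only reads the packet."""
    def __init__(self, mark):
        self.mark = mark

    def check(self, pkt):
        return pkt["mark"] == self.mark


class QuotaMatch:
    """Stateful, like -m quota: every evaluation spends byte budget."""
    def __init__(self, quota):
        self.remaining = quota

    def check(self, pkt):
        if self.remaining >= pkt["len"]:
            self.remaining -= pkt["len"]
            return True
        self.remaining = 0  # budget exhausted, never matches again
        return False


def rule_matches(matches, pkt):
    # all() short-circuits, so a later match never sees a packet that an
    # earlier match already rejected.
    return all(m.check(pkt) for m in matches)


def run(order, packets):
    """Return the indexes of the packets the rule matched for a given order."""
    mark, quota = MarkMatch(1), QuotaMatch(1000)
    matches = [mark, quota] if order == "mark-first" else [quota, mark]
    return [i for i, p in enumerate(packets) if rule_matches(matches, p)]


# Constructed traffic: three unmarked 400-byte packets, then two marked ones.
PACKETS = [{"mark": 0, "len": 400}] * 3 + [{"mark": 1, "len": 400}] * 2

if __name__ == "__main__":
    print("mark then quota:", run("mark-first", PACKETS))   # [3, 4]
    print("quota then mark:", run("quota-first", PACKETS))  # []
```

With the stateless match first, only marked packets spend the quota; with the quota first, unmarked traffic drains it before any marked packet arrives.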