-----Original Message-----
From: jengelh@xxxxxxxxxxxxxxxxxxxxxxxxx [mailto:jengelh@xxxxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Jan Engelhardt
Sent: Saturday, May 17, 2008 2:06 PM
To: Nishit Shah
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: RE: sequence of matches in a single rule

On Saturday 2008-05-17 09:21, Nishit Shah wrote:

>>> Hi,
>>> Is there any specific order in which match will take place?
>>
>> Yes. For -m conntrack and -m mark however, it does not matter,
>> as no internal state is modified. It does matter however,
>> for example, with -m statistic --mode nth and -m quota.
>
> So, can I have that order somewhere mentioned or I need to go through source
> code? If I write some of my own match do I have any way to change the match
> preference?

This is not decided in source code. The order is defined by you when you
pass the -m options to iptables.

> The reason I am asking is, there are some matches that are CPU
> intensive and some are not. For an example I prefer -m mark to always take
> precedence before -m limit or -m hashlimit, something like that..

Correct. Note however, that limit and hashlimit have an internal state.
Using -m mark -m hashlimit, hashlimit only gets to see packets of a
specific mark, while -m hashlimit -m mark, hashlimit gets to see all
packets, and mark only sees packets which successfully passed hashlimit.

> Or is it more preferable to not use such thing in single rule and
> prefer 2 iptables rules for that?

One rule is much preferred in this case.

Thanks for your explanation Jan,

Just curious what will happen in case when internal state is modified?
What is the sequence of match when I have,

1.) -m statistic --mode nth and -m quota
2.) -m quota and -m statistic --mode nth
3.) -m statistic --mode nth and -m state
4.) -m state and -m statistic --mode nth

Rgds,
Nishit Shah.
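As an added example that is not part of the thread, the following Python model shows the behaviour Jan describes: the -m matches of one rule are evaluated in the order given on the command line, and the first match that fails ends evaluation, so a stateful match placed later only sees (and only counts) the packets that earlier matches accepted. The classes, the constructed traffic and the counter arithmetic are simplifications written for this illustration; they are not netfilter code, and the nth counter in particular does not reproduce the exact arithmetic of the kernel's xt_statistic module. It runs the mark/nth ordering and the nth/quota orderings from the question; since -m state, like -m conntrack and -m mark, modifies no internal state, the mark case stands in for cases 3 and 4 as well.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet: only the fields the modelled matches look at."""
    mark: int = 0
    length: int = 100


class MarkMatch:
    """Model of -m mark --mark VALUE: a stateless comparison."""

    def __init__(self, value):
        self.value = value

    def __call__(self, pkt):
        return pkt.mark == self.value


class NthMatch:
    """Model of -m statistic --mode nth --every N: keeps a counter of the
    packets it has been shown (simplified: accepts every N-th of them)."""

    def __init__(self, every):
        self.every = every
        self.seen = 0

    def __call__(self, pkt):
        self.seen += 1
        return self.seen % self.every == 0


class QuotaMatch:
    """Model of -m quota --quota BYTES: accepts while bytes remain and
    charges each accepted packet against the remaining quota."""

    def __init__(self, quota):
        self.remaining = quota

    def __call__(self, pkt):
        if self.remaining >= pkt.length:
            self.remaining -= pkt.length
            return True
        return False


def rule_matches(matches, pkt):
    """Evaluate one rule's -m matches in command-line order. all() with a
    generator stops at the first False, so later matches never see the
    packet and never update their state for it."""
    return all(m(pkt) for m in matches)


def count_matches(matches, packets):
    """Return how many of the packets the whole rule matched."""
    return sum(1 for p in packets if rule_matches(matches, p))


def demo():
    # Constructed traffic: ten 100-byte packets; odd-numbered ones carry mark 1.
    packets = [Packet(mark=1 if i % 2 else 0) for i in range(1, 11)]

    # -m mark --mark 1 -m statistic --mode nth --every 2
    mark_then_nth = count_matches([MarkMatch(1), NthMatch(2)], packets)
    # -m statistic --mode nth --every 2 -m mark --mark 1
    nth_then_mark = count_matches([NthMatch(2), MarkMatch(1)], packets)

    # -m statistic --mode nth --every 2 -m quota --quota 300
    nth_then_quota = count_matches([NthMatch(2), QuotaMatch(300)], packets)
    # -m quota --quota 300 -m statistic --mode nth --every 2
    quota = QuotaMatch(300)
    nth = NthMatch(2)
    quota_then_nth = count_matches([quota, nth], packets)

    return {
        "mark_then_nth": mark_then_nth,          # nth saw 5 marked packets
        "nth_then_mark": nth_then_mark,          # nth passed only unmarked ones
        "nth_then_quota": nth_then_quota,        # quota charged for every 2nd packet
        "quota_then_nth": quota_then_nth,        # quota exhausted by the first 3
        "nth_packets_seen_after_quota": nth.seen,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With this traffic, mark-then-nth matches 2 packets while nth-then-mark matches none, and nth-then-quota matches 3 packets while quota-then-nth matches only 1, the nth counter having been shown just 3 packets. The same rule with its matches swapped is a different rule whenever one of them keeps state.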