On Tue, 2009-04-28 at 11:21 +0200, Oskar Berggren wrote:
> Hello,
>
> is it possible to have iptables query a set of some sort to quickly
> look up a chain to jump to for a specific packet?
>
> For example the set would contain a mapping from ip-address ->
> chain-name. Then the destination address is looked up in the set and
> iptables would jump to the specified chain.
>
> Is it possible, or how difficult would it be to implement something
> like this? I'd imagine it would be implemented as a target, that would
> have the ability to "redirect" to another target, which would be a
> chain.
>
>
> /Oskar

Hi Oskar,

to my knowledge there is currently no such functionality. But I second the usefulness of such a function. It would be especially useful to replace the traditional "match trees" of today, to reach down to a per-customer chain for inwards and outwards matching.

It seems like it would be beneficial to let it be very similar to the ipset of today, in that you would be very well off having multiple such sets to jump to as a target. Thus you could easily use normal matchings to decide whether or not to perform this sort of look-up. It would be useful if each such set would contain the possibility to match on either source address/netmask and destination address/netmask.

This all begs the question of how effectively some tree structure with -g is implemented, to figure out how much of a performance benefit such a new target would have over a tree-like chain structure. It would indeed be useful to have it all as a single target however, save a lot of rules and also be much more readable.

Is it possible to easily extend ipset to perform this?

More input appreciated.

Regards,
--
Martin Millnert <millnert@xxxxxxxxx>
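For reference, this is what the "match tree" with -g that Martin mentions looks like when built with today's tools. The script below is an added example, not code from either poster: it emits the ipset/iptables commands for a two-level tree (destination /16 bucket chain, then a per-customer ipset match) and prints them rather than running them. The chain names, the `cust_*` set names, the modern `ipset create` syntax and the hook into FORWARD are assumptions for the example.

```shell
#!/bin/sh
# Constructed example: emit commands that build a two-level dispatch tree.
# Level 1: CUST_DISPATCH matches the destination /16 and -g (goto) a bucket chain.
# Level 2: the bucket chain matches the customer's ipset and -g the customer chain.
# Output is printed, not executed, so it can be reviewed or piped to sh.

# Constructed sample input: "name address", one customer per line.
CUSTOMERS='alice 10.1.2.3
bob 10.1.9.7
carol 10.2.0.5'

# Bucket chain name for an address: 10.1.2.3 -> CUST_10_1
bucket_of() {
  printf '%s' "$1" | awk -F. '{ printf "CUST_%s_%s", $1, $2 }'
}

# /16 prefix for an address: 10.1.2.3 -> 10.1.0.0/16
prefix_of() {
  printf '%s' "$1" | awk -F. '{ printf "%s.%s.0.0/16", $1, $2 }'
}

# Emit the whole tree for $CUSTOMERS (chains are created before any rule refers to them).
emit_tree() {
  printf 'iptables -N CUST_DISPATCH\n'
  seen=" "
  printf '%s\n' "$CUSTOMERS" | while read -r name addr; do
    [ -n "$name" ] || continue
    bucket=$(bucket_of "$addr")
    # Create each /16 bucket chain and its dispatch rule only once.
    case "$seen" in
      *" $bucket "*) ;;
      *) printf 'iptables -N %s\n' "$bucket"
         printf 'iptables -A CUST_DISPATCH -d %s -g %s\n' "$(prefix_of "$addr")" "$bucket"
         seen="$seen$bucket " ;;
    esac
    # Per-customer set and chain, then the bucket rule that reaches the chain.
    printf 'ipset create cust_%s hash:ip\n' "$name"
    printf 'ipset add cust_%s %s\n' "$name" "$addr"
    printf 'iptables -N CUST_%s\n' "$name"
    printf 'iptables -A %s -m set --match-set cust_%s dst -g CUST_%s\n' "$bucket" "$name" "$name"
  done
  # Hook the tree into the forwarding path (assumed placement).
  printf 'iptables -A FORWARD -j CUST_DISPATCH\n'
}

emit_tree
```

Each packet walks one rule per /16 bucket plus one rule per customer inside its bucket, which is the linear cost a set-to-chain target would remove.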