On 28.02.2010 14:59, netfilter-owner@xxxxxxxxxxxxxxx wrote:
> On 02/28/2010 01:54 AM, Mart Frauenlob wrote:
>>> > I don't want to test over (( and over ) and over ) again when I know that
>>> > the packet is already KNOWN to be from eth1 and of protocol UDP.
>> now if we add -p icmp -j PRE_UDP, what should iptables do now?
>>
>> use 'ferm' if you are too lazy to write iptables rules:
>> http://ferm.foo-projects.org/
>>
> Do what *I* say it should be doing. Do the jump. None of the tests in
> PRE_UDP chain would/should match, and the packet should fall out by the
> default policy of the chain. An iptables optimizer would recognize that
> the chain only tests for UDP, and would change the -p icmp -j PRE_UDP to
> -p icmp -j $(default policy) without going through any of the chain.

which of the 2 jumps is to give precedence? how to judge? read your mind?

> BTW: it's not lazy to write efficient code.

ok, don't be lazy, write the netfilter chain/jump optimizer :)
Because such a thing does not exist, netfilter will not do what you want.
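The "optimizer" argued about above, as an added example that is not part of this thread or of netfilter: a small static check over an iptables-save style ruleset that flags a jump like -p icmp -j PRE_UDP into a user chain whose every rule requires a different protocol, so the jump can never match anything in the chain. The ruleset is constructed for the example; the chain and rule names are assumptions.

```python
import shlex

# Constructed sample ruleset in iptables-save format (not from the thread).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:PRE_UDP - [0:0]
-A INPUT -i eth1 -p udp -j PRE_UDP
-A INPUT -i eth1 -p icmp -j PRE_UDP
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A PRE_UDP -p udp --dport 53 -j ACCEPT
-A PRE_UDP -p udp --dport 123 -j ACCEPT
-A PRE_UDP -j RETURN
COMMIT
"""

def parse_rules(text):
    """Return (user_chains, rules); user chains are those whose policy is '-'
    (they have no policy of their own: an unmatched packet RETURNs to the caller)."""
    user_chains, rules = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            if policy == "-":
                user_chains.add(name)
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rule = {"chain": argv[1], "proto": None, "target": None, "text": line}
            for i, tok in enumerate(argv):
                if tok in ("-p", "--protocol"):
                    # A negated protocol match ("! -p udp") is left as "any".
                    rule["proto"] = None if argv[i - 1] == "!" else argv[i + 1].lower()
                elif tok in ("-j", "--jump"):
                    rule["target"] = argv[i + 1]
            rules.append(rule)
    return user_chains, rules

def dead_jumps(text):
    """Jumps into a user chain where the jumping rule already fixed a protocol
    that no rule in the target chain (other than RETURN) can match."""
    user_chains, rules = parse_rules(text)
    findings = []
    for chain in sorted(user_chains):
        body = [r for r in rules if r["chain"] == chain and r["target"] != "RETURN"]
        protos = {r["proto"] for r in body}
        if not body or None in protos:
            continue  # a protocol-agnostic rule exists, so the jump can do work
        for r in rules:
            if r["target"] == chain and r["proto"] and r["proto"] not in protos:
                findings.append(r["text"])
    return findings
```

Run against the sample, only the ICMP jump is reported; the UDP jump and the unrelated TCP rule are left alone.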