Hello netfilter people,

Being concerned about iptables performance, I wondered whether the number and order of criteria in a rule matter. Unfortunately I didn't find much info about it on the internet, so... here are my questions.

Does the number of criteria matter? Two example rules are written below.

    iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
    iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p icmp -j ACCEPT

Will it take the same time to match a packet against these rules, or will the first rule take less time?

How exactly does the matching process happen? Let's say we have a rule like:

    iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p udp --dport 123 -j ACCEPT

and a packet with iif=eth1 src=10.10.10.10 dst=10.20.20.20 proto=udp dport=123.

Will netfilter check the packet against all the criteria specified and make the decision at the end, or will it jump to the next rule when the first criterion mismatches?

And a third question. Is the same true when using ipset? Will the packet be matched against SET2 if it doesn't match SET1?

    iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set --match-set SET2 dst,dst -j ACCEPT

-- 
Regards,
Emius
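A toy model of the traversal the questions above are about, added here as an illustration; it is not part of Emius's post and not netfilter code. It walks rules in order and, inside a rule, tests the criteria left to right, giving up on the rule at the first criterion that fails, which is how ipt_do_table behaves. The rules are the three from the post; the ipset contents, the helper names and the packets are constructed for the example.

```python
"""Constructed model of netfilter rule traversal (not kernel code).

Rules are walked in order; within a rule the criteria are evaluated one by
one and the rule is abandoned at the first criterion that does not match.
The Trace records which criteria were actually evaluated for a packet.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
Criterion = Tuple[str, Callable[[Packet], bool]]

# Constructed ipset contents standing in for SET1 / SET2 from the post.
IPSETS = {
    "SET1": {"10.10.10.10"},
    "SET2": {"10.20.20.20"},
}


# Hypothetical criterion builders; each returns (label, predicate).
def iif(name: str) -> Criterion:
    return ("-i " + name, lambda p: p["iif"] == name)


def src(addr: str) -> Criterion:
    return ("-s " + addr, lambda p: p["src"] == addr)


def dst(addr: str) -> Criterion:
    return ("-d " + addr, lambda p: p["dst"] == addr)


def proto(name: str) -> Criterion:
    return ("-p " + name, lambda p: p["proto"] == name)


def dport(port: int) -> Criterion:
    return ("--dport %d" % port, lambda p: p.get("dport") == port)


def in_set(name: str, key: str) -> Criterion:
    # key is "src" or "dst": which address of the packet is looked up.
    return ("-m set --match-set %s %s" % (name, key),
            lambda p: p[key] in IPSETS[name])


@dataclass
class Rule:
    criteria: List[Criterion]
    target: str


@dataclass
class Trace:
    verdict: str
    tested: List[str] = field(default_factory=list)  # criteria evaluated, in order


def walk_chain(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Trace:
    """Walk the chain like ipt_do_table: first fully matching rule wins,
    otherwise the chain policy applies."""
    trace = Trace(policy)
    for rule in chain:
        matched = True
        for label, pred in rule.criteria:
            trace.tested.append(label)
            if not pred(pkt):
                matched = False      # short-circuit: skip to the next rule
                break
        if matched:
            trace.verdict = rule.target
            return trace
    return trace


def question_one() -> Tuple[int, int]:
    """Criteria evaluated for a packet that fully matches rule 1 vs. rule 2."""
    short = Rule([iif("eth0"), proto("icmp")], "ACCEPT")
    long = Rule([iif("eth1"), src("10.10.10.10"), dst("10.20.20.20"),
                 proto("icmp")], "ACCEPT")
    pkt_eth0 = {"iif": "eth0", "src": "10.10.10.10", "dst": "10.20.20.20", "proto": "icmp"}
    pkt_eth1 = dict(pkt_eth0, iif="eth1")
    return (len(walk_chain([short], pkt_eth0).tested),
            len(walk_chain([long], pkt_eth1).tested))


def question_two() -> Trace:
    """The -i eth0 rule against the eth1 packet from the post."""
    rule = Rule([iif("eth0"), src("10.10.10.10"), dst("10.20.20.20"),
                 proto("udp"), dport(123)], "ACCEPT")
    pkt = {"iif": "eth1", "src": "10.10.10.10", "dst": "10.20.20.20",
           "proto": "udp", "dport": 123}
    return walk_chain([rule], pkt)


def question_three() -> Trace:
    """SET1 src / SET2 dst rule against a packet whose source is not in SET1."""
    rule = Rule([in_set("SET1", "src"), in_set("SET2", "dst")], "ACCEPT")
    pkt = {"iif": "eth0", "src": "192.0.2.1", "dst": "10.20.20.20", "proto": "udp"}
    return walk_chain([rule], pkt)


if __name__ == "__main__":
    print("criteria evaluated (rule 1, rule 2):", question_one())
    print("question 2:", question_two())
    print("question 3:", question_three())
```

In the model the criteria are tested in the order they were written. In the real kernel the built-in IP header fields (-s/-d, -i/-o, -p) are checked first, in a fixed order, and only then the -m extension matches run in the order given, so the second set match above is never consulted once the first one fails; the per-rule cost differences this exposes are small next to the cost of walking many rules.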