Hello Art!

Some types of matches are always checked. Look at
http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L53
The function ip_packet_match checks the interfaces, protocols and fragments always. Other matches are checked in the loop, which breaks after the first mismatch (the function at http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L233 and this loop http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L308 ).

> Does the number of criteria matter? Two example rules are written below.
> iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
> iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p icmp -j ACCEPT
> Will it take the same time to match a packet by these rules, or will the first rule
> take less time?

In both rules the --in-interface and --protocol matches will be checked, but the second rule will take more time, because it checks the addresses.

> How does the matching process exactly happen?
> Let's say we have a rule like:
> iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p udp --dport 123 -j ACCEPT
> And a packet with
> iif=eth1
> src=10.10.10.10
> dst=10.20.20.20
> proto=udp
> dport=123
>
> Will netfilter match the packet with all criteria specified and make the
> decision at the end, or will it jump to the next rule when the first criteria
> mismatch happens?

The interfaces and protocol will be checked at the first step by the ip_packet_match function. But after an interface mismatch there is a jump to the next rule, so the protocol, address and port number checks will be skipped.

> And a third question. Is it all fair if using ipset? Will the packet be
> matched with SET2 if it doesn't match SET1?
> iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set --match-set SET2 dst,dst -j ACCEPT

Nope, the packet will not be matched against SET2 if --match-set SET1 src,src returns false.

--
Anton.
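The short-circuit behaviour described in the reply, as an added model written for this page (it is not code from ip_tables.c or from the list posters). It mirrors the evaluation order in the linked sources: the fixed checks of ip_packet_match (source and destination address compare, input interface, protocol; the output-interface and fragment checks are omitted because none of the rules above use them), followed by the extension-match loop that jumps to the next rule on the first failing match. Unlike the kernel it records every check that ran, so you can see which ones were skipped. The packet fields, the rule representations and the two boolean flags that stand in for an ipset lookup are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet: only the fields the rules in the thread look at.
 * in_set1/in_set2 stand in for the result an ipset lookup would return. */
struct pkt {
    const char *iif;
    uint32_t saddr, daddr;      /* host-order IPv4 addresses */
    uint8_t proto;              /* 1 = ICMP, 17 = UDP */
    uint16_t dport;
    bool in_set1, in_set2;
};

/* Base part of a rule, modelled on struct ipt_ip; "" / 0 means unspecified. */
struct rule_ip {
    const char *iniface;
    uint32_t src, smsk, dst, dmsk;
    uint8_t proto;
};

/* One "-m" extension match: the kernel calls its ->match() with private data. */
typedef bool (*match_fn)(const struct pkt *, const void *);
struct ext_match { const char *name; match_fn fn; const void *arg; };

struct rule { struct rule_ip ip; struct ext_match m[4]; int nmatches; };

/* Record of every check that actually ran, in order. */
struct trace { const char *step[16]; int n; };
static void note(struct trace *t, const char *s) { if (t->n < 16) t->step[t->n++] = s; }

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Model of ip_packet_match(): fixed checks in the kernel's order, each one
 * returning early on mismatch. The address compares run even when -s/-d were
 * not given (a zero mask makes them trivially true); -i and -p are skipped
 * when unspecified. */
static bool ip_packet_match(const struct pkt *p, const struct rule_ip *ip, struct trace *t)
{
    note(t, "src");   if ((p->saddr & ip->smsk) != ip->src) return false;
    note(t, "dst");   if ((p->daddr & ip->dmsk) != ip->dst) return false;
    note(t, "iif");   if (ip->iniface && ip->iniface[0] && strcmp(p->iif, ip->iniface) != 0) return false;
    note(t, "proto"); if (ip->proto && p->proto != ip->proto) return false;
    return true;
}

/* Model of the per-rule part of ipt_do_table(): base checks first, then the
 * extension matches in command-line order; the first failure jumps to the
 * next rule, so everything after it never runs. */
static bool rule_matches(const struct pkt *p, const struct rule *r, struct trace *t)
{
    t->n = 0;
    if (!ip_packet_match(p, &r->ip, t)) return false;
    for (int i = 0; i < r->nmatches; i++) {
        note(t, r->m[i].name);
        if (!r->m[i].fn(p, r->m[i].arg)) return false;
    }
    return true;
}

static bool trace_has(const struct trace *t, const char *name)
{
    for (int i = 0; i < t->n; i++) if (strcmp(t->step[i], name) == 0) return true;
    return false;
}

/* "-m udp --dport N" (iptables adds -m udp implicitly when --dport is given) */
static bool match_udp_dport(const struct pkt *p, const void *arg)
{ return p->proto == 17 && p->dport == *(const uint16_t *)arg; }

/* "-m set --match-set SETn ...", with the lookup result taken from the packet */
static bool match_set(const struct pkt *p, const void *arg)
{ return *(const int *)arg == 1 ? p->in_set1 : p->in_set2; }

static const uint16_t NTP = 123;
static const int SET1 = 1, SET2 = 2;

/* Second question: -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p udp --dport 123 */
static const struct rule rule_q2 = {
    .ip = { .iniface = "eth0", .src = IP4(10,10,10,10), .smsk = 0xffffffffu,
            .dst = IP4(10,20,20,20), .dmsk = 0xffffffffu, .proto = 17 },
    .m = { { "udp --dport", match_udp_dport, &NTP } }, .nmatches = 1,
};
/* the packet from the question (iif=eth1), and the same packet arriving on eth0 */
static const struct pkt pkt_eth1 = { "eth1", IP4(10,10,10,10), IP4(10,20,20,20), 17, 123, false, false };
static const struct pkt pkt_eth0 = { "eth0", IP4(10,10,10,10), IP4(10,20,20,20), 17, 123, false, false };

/* Third question: -m set --match-set SET1 src,src -m set --match-set SET2 dst,dst */
static const struct rule rule_q3 = {
    .ip = { .iniface = "", .smsk = 0, .dmsk = 0, .proto = 0 },
    .m = { { "set SET1", match_set, &SET1 }, { "set SET2", match_set, &SET2 } }, .nmatches = 2,
};
/* a packet that is NOT in SET1 but IS in SET2 */
static const struct pkt pkt_sets = { "eth1", IP4(10,10,10,10), IP4(10,20,20,20), 17, 123, false, true };

/* Helpers exposing the result: verdict, number of checks run, and whether a
 * named check was reached at all before the verdict. */
bool verdict(const struct pkt *p, const struct rule *r) { struct trace t; return rule_matches(p, r, &t); }
int checks_run(const struct pkt *p, const struct rule *r) { struct trace t; rule_matches(p, r, &t); return t.n; }
bool check_reached(const struct pkt *p, const struct rule *r, const char *name)
{ struct trace t; rule_matches(p, r, &t); return trace_has(&t, name); }

int main(void)
{
    struct trace t;
    printf("matched=%d, checks run:", rule_matches(&pkt_eth1, &rule_q2, &t));
    for (int i = 0; i < t.n; i++) printf(" %s", t.step[i]);
    printf("\n");
    return 0;
}
```

For the eth1 packet the trace stops at the interface compare, so the udp port match is never called; only when the same packet arrives on eth0 does evaluation reach the extension loop. For the ipset rule the SET1 match fails and the SET2 match is never consulted, even though the destination is in SET2.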
-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html