Re: matching process

Hi Art again.
I've reread the mail and the source of the ip_packet_match function.

And here are the match steps:
1. source address
2. destination address
3. input interface
4. output interface
5. next protocol
6. fragment checking
7. other matches.




2016-11-08 11:48 GMT+03:00 Anton Danilov <littlesmilingcloud@xxxxxxxxx>:
> Hello Art!
>
> Some types of matches are always being checked.
>
> Look at http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L53
>
> Function ip_packet_match checks the interfaces and protocols, and
> fragments always.
>
> Other matches are being checked in the loop, which will break after the
> first mismatch
> ( http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L233
> function and
> this loop http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L308
> )
>
>> Does criteria number matter? Two example rules are written below.
>> iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
>> iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p
>> icmp -j ACCEPT
>> Will it take the same time to match a packet by these rules, or will the first rule
>> take less time?
>
> In both rules the --in-interface and --protocol matches will be checked,
> but the second rule will take more time, because it checks the addresses.
>
>>
>> How does matching process exactly happens?
>> Let's say we have a rule like:
>> iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p
>> udp --dport 123 -j ACCEPT
>> And packet with
>> iif=eth1
>> src=10.10.10.10
>> dst=10.20.20.20
>> proto=udp
>> dport=123
>>
>> Will netfilter match the packet with all criteria specified and make the
>> decision in the end, or will it jump to the next rule when the first criteria
>> mismatch happens?
>
> The interfaces and protocol will be checked at the first step by the
> ip_packet_match function.
> But after an interface mismatch there is the jump to the next rule, so
> protocol, addresses and
> port number checking will be skipped.
>
>> And third question. Is it all fair if using ipset? Will packet be
>> matched with SET2 if it doesn't match SET1?
>> iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set
>> --match-set SET2 dst,dst -j ACCEPT
>
> Nope, the packet will not be matched with SET2, if --match-set SET1 src,src
> returns false.
>
>
> --
> Anton.



-- 
Anton.
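The short-circuit order discussed in this thread, as an added example that is not part of the original mails or of the kernel code: a small Python model of how ip_packet_match evaluates the built-in header criteria (source, destination, input interface, output interface, protocol, fragment flag) before the extension matches (-m ...) are tried one by one, stopping at the first mismatch. Everything here is constructed: the Packet and Rule classes, the trace list that records which checks actually ran, and the two scenarios from the thread (the UDP rule hit by a packet on the wrong interface, and the two-ipset rule). The ipsets are simplified to plain sets of addresses; the thread's "src,src" labels are kept only as names.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    iif: str = ""
    oif: str = ""
    proto: str = "ip"
    fragment: bool = False          # True for a second-or-later fragment
    dport: Optional[int] = None


@dataclass
class Rule:
    src: Optional[str] = None       # -s  (address or CIDR), None = don't care
    dst: Optional[str] = None       # -d
    iif: Optional[str] = None       # -i
    oif: Optional[str] = None       # -o
    proto: Optional[str] = None     # -p
    frag: Optional[bool] = None     # -f (True) / ! -f (False) / absent (None)
    # extension matches (-m ...) as (label, predicate) pairs, in rule order
    matches: List[Tuple[str, Callable[[Packet], bool]]] = field(default_factory=list)


def _in_net(addr: str, spec: Optional[str]) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def ip_packet_match(pkt: Packet, rule: Rule, trace: List[str]) -> bool:
    """Model of the built-in header checks, in the order listed in the thread.
    They always run (an absent criterion simply passes); the function returns
    at the first failing check and `trace` records which checks were reached."""
    checks = [
        ("src",   lambda: _in_net(pkt.src, rule.src)),
        ("dst",   lambda: _in_net(pkt.dst, rule.dst)),
        ("iif",   lambda: rule.iif is None or pkt.iif == rule.iif),
        ("oif",   lambda: rule.oif is None or pkt.oif == rule.oif),
        ("proto", lambda: rule.proto is None or pkt.proto == rule.proto),
        ("frag",  lambda: rule.frag is None or pkt.fragment == rule.frag),
    ]
    for name, ok in checks:
        trace.append(name)
        if not ok():
            return False
    return True


def rule_matches(pkt: Packet, rule: Rule) -> Tuple[bool, List[str]]:
    """Header checks first; then the extension matches in order, breaking on
    the first mismatch so later (possibly expensive) matches are never run."""
    trace: List[str] = []
    if not ip_packet_match(pkt, rule, trace):
        return False, trace
    for label, pred in rule.matches:
        trace.append(label)
        if not pred(pkt):
            return False, trace
    return True, trace


def udp_rule_example() -> Tuple[bool, List[str]]:
    # -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p udp --dport 123, packet arriving on eth1
    rule = Rule(src="10.10.10.10", dst="10.20.20.20", iif="eth0", proto="udp",
                matches=[("udp --dport 123", lambda p: p.dport == 123)])
    pkt = Packet(src="10.10.10.10", dst="10.20.20.20", iif="eth1", proto="udp", dport=123)
    return rule_matches(pkt, rule)


def ipset_rule_example(src_addr: str = "192.0.2.7") -> Tuple[bool, List[str]]:
    # -m set --match-set SET1 src,src -m set --match-set SET2 dst,dst
    set1 = {"10.10.10.10"}          # constructed stand-ins for the two ipsets
    set2 = {"10.20.20.20"}
    rule = Rule(matches=[
        ("set SET1 src,src", lambda p: p.src in set1),
        ("set SET2 dst,dst", lambda p: p.dst in set2),
    ])
    pkt = Packet(src=src_addr, dst="10.20.20.20")
    return rule_matches(pkt, rule)


if __name__ == "__main__":
    for name, result in [("udp rule, wrong iif", udp_rule_example()),
                         ("ipset rule, src not in SET1", ipset_rule_example()),
                         ("ipset rule, src in SET1", ipset_rule_example("10.10.10.10"))]:
        matched, trace = result
        print(f"{name}: matched={matched}, checks run={trace}")
```

Running the script shows the point of the thread: for the UDP rule the trace stops at the interface check, so the port match never runs, and for the ipset rule the SET2 lookup is only reached when the SET1 lookup succeeds. The same model explains why, when writing rules, putting a cheap header criterion in front of a costly extension match keeps the per-packet work low for traffic the rule does not apply to.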