Re: matching process

> Does the number of criteria matter? Two example rules are written below.
> iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
> iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p icmp -j ACCEPT
> Will it take the same time to match a packet with these rules, or will the
> first rule take less time?

Both rules take the same time: the address, interface and protocol
matches will be checked.

> How exactly does the matching process happen?
> Let's say we have a rule like:
> iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p udp --dport 123 -j ACCEPT
> And a packet with
> iif=eth1
> src=10.10.10.10
> dst=10.20.20.20
> proto=udp
> dport=123
>
> Will netfilter match the packet against all the specified criteria and make
> the decision at the end, or will it jump to the next rule when the first
> criterion mismatch happens?

In this case the addresses will be checked first, and the match
process will break after the interface mismatch.

> And a third question. Does it all hold when using ipset? Will the packet be
> matched against SET2 if it doesn't match SET1?
> iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set --match-set SET2 dst,dst -j ACCEPT

It holds for any type of match. A packet will not be matched against
SET2: after the SET1 check there is a jump to the next rule.

>
> --
> Regards,
> Emius
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Anton.
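As an added illustration that is not part of this thread and not netfilter code: a small user-space C model of the evaluation order Anton describes. The order of the built-in checks (source address, destination address, in-interface, out-interface, protocol, then each "-m" extension match in command-line order, stopping at the first mismatch) is the one used by ip_packet_match() in the kernel's net/ipv4/netfilter/ip_tables.c; everything else here (the helper names, the contents of SET1 and SET2, the packets, the comparison counter) is constructed for the example.

```c
/* Added illustration for this thread, not kernel code: a user-space model of how
 * iptables evaluates one rule. The built-in checks follow the order used by
 * ip_packet_match() in net/ipv4/netfilter/ip_tables.c (src address, dst address,
 * in-interface, out-interface, protocol), then the "-m" extension matches run in
 * command-line order; the first mismatch ends the rule. All data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
enum { PROTO_ICMP = 1, PROTO_UDP = 17 };

typedef struct { uint32_t src, dst; char iif[16], oif[16]; uint8_t proto; uint16_t dport; } packet_t;
typedef struct rule rule_t;
typedef int (*ext_match_fn)(const rule_t *r, const packet_t *p);
struct rule {
    uint32_t src, smsk, dst, dmsk; /* no -s/-d keeps a zero mask; the compare still runs */
    char iif[16], oif[16];         /* "" means any interface */
    uint8_t proto;                 /* 0 means any; only then is the compare skipped */
    uint16_t dport;                /* parameter of the udp --dport match */
    int nmatches; ext_match_fn match[4]; const char *match_name[4];
};
typedef struct { int matched, checks; const char *stopped_at; } verdict_t;
static int iface_ok(const char *want, const char *have) { return !want[0] || !strcmp(want, have); }

/* One rule against one packet, stopping at the first failing check. */
verdict_t evaluate(const rule_t *r, const packet_t *p) {
    verdict_t v = {0, 0, NULL};
#define CHECK(cond, name) do { v.checks++; if (!(cond)) { v.stopped_at = name; return v; } } while (0)
    CHECK((p->src & r->smsk) == r->src, "src address");
    CHECK((p->dst & r->dmsk) == r->dst, "dst address");
    CHECK(iface_ok(r->iif, p->iif), "in-interface");
    CHECK(iface_ok(r->oif, p->oif), "out-interface");
    if (r->proto) CHECK(p->proto == r->proto, "protocol");
    for (int i = 0; i < r->nmatches; i++) CHECK(r->match[i](r, p), r->match_name[i]);
#undef CHECK
    v.matched = 1;
    return v;
}

static const uint32_t SET1[] = { IP4(192, 0, 2, 10), IP4(192, 0, 2, 11) }; /* constructed ipset */
static const uint32_t SET2[] = { IP4(10, 20, 20, 20) };                     /* constructed ipset */
int set2_lookups; /* how often the SET2 match was consulted at all */
static int in_set(const uint32_t *s, size_t n, uint32_t a) {
    while (n--) if (s[n] == a) return 1;
    return 0;
}
static int m_set1_src(const rule_t *r, const packet_t *p) { (void)r; return in_set(SET1, 2, p->src); }
static int m_set2_dst(const rule_t *r, const packet_t *p) { (void)r; set2_lookups++; return in_set(SET2, 1, p->dst); }
static int m_udp_dport(const rule_t *r, const packet_t *p) { return p->proto == PROTO_UDP && p->dport == r->dport; }

static packet_t pkt(const char *iif, uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport) {
    packet_t p = { .src = src, .dst = dst, .oif = "eth2", .proto = proto, .dport = dport };
    strcpy(p.iif, iif); return p;
}
static rule_t rule(const char *iif, uint32_t src, uint32_t dst, uint8_t proto) {
    rule_t r = { src, src ? 0xffffffffu : 0, dst, dst ? 0xffffffffu : 0 };
    strcpy(r.iif, iif); r.proto = proto;
    return r;
}
static void add_match(rule_t *r, ext_match_fn f, const char *name) {
    r->match[r->nmatches] = f; r->match_name[r->nmatches++] = name;
}

/* Q1: "-i eth0 -p icmp" and "-i eth1 -s 10.10.10.10 -d 10.20.20.20 -p icmp", each
 * fed the ICMP packet it accepts: both need the same five comparisons. */
verdict_t q1_first_rule(void) {
    rule_t r = rule("eth0", 0, 0, PROTO_ICMP);
    packet_t p = pkt("eth0", IP4(10, 10, 10, 10), IP4(10, 20, 20, 20), PROTO_ICMP, 0);
    return evaluate(&r, &p);
}
verdict_t q1_second_rule(void) {
    rule_t r = rule("eth1", IP4(10, 10, 10, 10), IP4(10, 20, 20, 20), PROTO_ICMP);
    packet_t p = pkt("eth1", IP4(10, 10, 10, 10), IP4(10, 20, 20, 20), PROTO_ICMP, 0);
    return evaluate(&r, &p);
}
/* Q2: the udp --dport 123 rule against the packet from eth1: both addresses pass,
 * the in-interface compare fails, and the --dport match is never consulted. */
verdict_t q2_wrong_iface(void) {
    rule_t r = rule("eth0", IP4(10, 10, 10, 10), IP4(10, 20, 20, 20), PROTO_UDP);
    r.dport = 123; add_match(&r, m_udp_dport, "udp --dport 123");
    packet_t p = pkt("eth1", IP4(10, 10, 10, 10), IP4(10, 20, 20, 20), PROTO_UDP, 123);
    return evaluate(&r, &p);
}
/* Q3: "-m set SET1 src -m set SET2 dst". A source outside SET1 ends the rule at the
 * SET1 match and SET2 is never looked up; a source inside SET1 goes on to SET2. */
verdict_t q3_sets(uint32_t src) {
    rule_t r = rule("", 0, 0, 0); set2_lookups = 0;
    add_match(&r, m_set1_src, "set SET1 src"); add_match(&r, m_set2_dst, "set SET2 dst");
    packet_t p = pkt("eth0", src, IP4(10, 20, 20, 20), PROTO_UDP, 123);
    return evaluate(&r, &p);
}

int main(void) {
    verdict_t v[] = { q1_first_rule(), q1_second_rule(), q2_wrong_iface(),
                      q3_sets(IP4(198, 51, 100, 7)) };
    for (int i = 0; i < 4; i++)
        printf("case %d: matched=%d checks=%d stopped_at=%s\n", i + 1, v[i].matched,
               v[i].checks, v[i].stopped_at ? v[i].stopped_at : "-");
    printf("SET2 lookups for the source outside SET1: %d\n", set2_lookups);
    return 0;
}
```

Build it with something like `cc -Wall -o ipt_model ipt_model.c` (the file name is an assumption) and run it. The model counts comparisons rather than time: it shows that the masked address compare runs even for a rule that names no -s/-d, that the packet from eth1 in the second question is rejected at the in-interface compare after both address compares and before the udp --dport match is ever called, and that SET2 is consulted only once SET1 has already matched. The actual cost of an ipset lookup depends on the set type, which this model does not try to reflect.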