
List:       netfilter-devel
Subject:    Re: About matching
From:       Patrick Schaaf <bof () bof ! de>
Date:       2005-04-07 5:43:02
Message-ID: 20050407054302.GC20287 () oknodo ! bof ! de

Hello Wang Jian,

> I had an idea before, which looks like the following
> 
> 1. A match is marked as dup when insert into chain if it has the same
> match rule with previous;
> 2. When a match gets deleted followed by match marked as dup, do
> housekeeping to make sure the dup relation is correct;
> 3. When a match is hit, if non-return, the following match marked as dup
> is evaluated immediately as hit.
> 
> This can be achieved with a little code. But the problem here is when
> used in mangle table, the target action may make the matching rule false.

The other problem is that there are several kinds of matches that
have direct or indirect side effects when run. Consider -m limit:
if you have two lines directly following each other, both using
only '-m limit --limit 1/s', your dup solution would decide the
limit only once, where the current solution presents two independent
limits of 1/s each. There are several more matches that are like that.

These cases MUST be handled, i.e. dup logic deactivated, because it is
not acceptable to change semantics of established rulesets just for the
sake of efficiency (just my strong opinion).

best regards
  Patrick

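A small simulation of the side-effect problem raised above, added here as an illustration and not code from the thread or from netfilter: it models '-m limit' as a simplified token bucket (assumed --limit-burst 1) and runs two consecutive '-m limit --limit 1/s' rules against three packets in one second, once with independent per-rule state and once with the proposed dup shortcut.

```python
class LimitMatch:
    """Simplified token bucket behind '-m limit': refill 'rate' tokens per second,
    capacity 'burst'. In netfilter every rule instance owns its own bucket."""

    def __init__(self, rate=1.0, burst=1):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def matches(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Rule:
    def __init__(self, spec, target, terminating):
        self.spec = spec                  # match text, used for 'dup' detection
        self.match = LimitMatch()         # per-rule state (--limit 1/s, burst 1)
        self.target, self.terminating = target, terminating


def run_chain(rules, arrivals, dedup):
    """Walk the chain once per packet timestamp and count target hits.
    dedup=True applies the proposal: a rule whose spec equals the previous
    rule's is taken as hit whenever that previous rule hit with a
    non-terminating target, so its own bucket is neither checked nor consumed."""
    hits = {r.target: 0 for r in rules}
    for now in arrivals:
        prev_hit_nonterm = False
        for i, rule in enumerate(rules):
            is_dup = dedup and i > 0 and rule.spec == rules[i - 1].spec
            hit = True if is_dup and prev_hit_nonterm else rule.match.matches(now)
            prev_hit_nonterm = hit and not rule.terminating
            if hit:
                hits[rule.target] += 1
                if rule.terminating:
                    break
    return hits


def compare(arrivals=(0.0, 0.1, 0.2)):
    """Constructed input: three packets within one second against the chain
    '-m limit --limit 1/s -j LOG' followed by '-m limit --limit 1/s -j DROP'."""
    def chain():
        return [Rule("-m limit --limit 1/s", "LOG", terminating=False),
                Rule("-m limit --limit 1/s", "DROP", terminating=True)]
    return run_chain(chain(), arrivals, False), run_chain(chain(), arrivals, True)
```

With independent buckets the DROP rule fires once per second as configured; under the dup shortcut its bucket is skipped whenever the LOG rule hits, so it still holds a token when the LOG rule misses and the chain drops twice in the same second.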