
List:       netfilter-devel
Subject:    Re: About matching
From:       Patrick Schaaf <bof () bof ! de>
Date:       2005-04-07 6:43:23
Message-ID: 20050407064323.GE20287 () oknodo ! bof ! de

Hmm, regarding --previous... Do we have two bits spare in the
general rule structure, which could indicate 'match just like
the previous match did', and 'match exactly if the previous
match did NOT match'?

If we do have such bits spare, a general --previous-matched
and --previous-failed syntax might be easier than a new match
with signature change or percpu variables: all decision logic
stays properly localized in the table scanning main loop.

BTW, it just occurred to me that --previous-failed, a logical
consequence of the --previous idea :), is a nice thing to
have by itself: it permits proper if/then/else semantics
for nonterminating targets!

iptables -A xxx -m this -m that -j LOG --log-prefix "thisandthat: "
iptables -A xxx --previous-failed -j LOG --log-prefix "NOT-thisandthat: "

best regards
  Patrick
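As an added example that is not part of Patrick's mail or of netfilter itself: a small C model of the table-scanning loop with the two proposed per-rule bits, showing how the if/then/else around a nonterminating LOG target works out, and how a --previous-* rule placed after a terminating target behaves. Everything in it (struct pkt, the m_this/m_that matches, the RF_PREV_* flag names, the demo chain) is constructed for illustration. One assumption is mine and not stated in the mail: "previous" means the rule immediately before this one, and a --previous-* rule's own result becomes "previous" for the rule after it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not netfilter code: a toy model of the rule-scanning
 * loop with the proposed --previous-matched / --previous-failed bits.
 * Packets, matches and the chain below are constructed for the demo. */

struct pkt { bool is_this, is_that; };     /* stands in for "-m this" / "-m that" */

typedef bool (*match_fn)(const struct pkt *);
static bool m_this(const struct pkt *p) { return p->is_this; }
static bool m_that(const struct pkt *p) { return p->is_that; }

enum { RF_PREV_MATCHED = 1u << 0, RF_PREV_FAILED = 1u << 1 };
enum verdict { V_CONTINUE = 0, V_ACCEPT, V_DROP };   /* V_CONTINUE: nonterminating (LOG) */

struct rule {
    unsigned     flags;       /* RF_* bits; zero means evaluate the match list */
    match_fn     match[4];    /* all must hit, like "-m this -m that" */
    int          nmatch;
    enum verdict target;
    const char  *log_prefix;  /* used when target == V_CONTINUE */
};

/* Walk a chain.  Assumption (mine): "previous" is the rule immediately
 * before this one, and a --previous-* rule's own result becomes "previous"
 * for the rule after it.  LOG output is appended to 'log'. */
enum verdict scan_chain(const struct rule *rules, int n, const struct pkt *p,
                        char *log, size_t loglen)
{
    bool prev = false;            /* nothing precedes the first rule */
    size_t used = 0;
    if (loglen) log[0] = '\0';

    for (int i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        bool hit;

        if (r->flags & RF_PREV_MATCHED)      hit = prev;     /* copy previous result */
        else if (r->flags & RF_PREV_FAILED)  hit = !prev;    /* invert previous result */
        else {
            hit = true;
            for (int j = 0; j < r->nmatch; j++)
                if (!r->match[j](p)) { hit = false; break; }
        }
        prev = hit;                       /* decision logic stays in this loop */
        if (!hit) continue;

        if (r->target == V_CONTINUE) {    /* LOG: record and keep scanning */
            int w = snprintf(log + used, loglen - used, "%s", r->log_prefix);
            if (w > 0 && (size_t)w < loglen - used) used += (size_t)w;
            continue;
        }
        return r->target;                 /* terminating target ends the scan */
    }
    return V_CONTINUE;                    /* fell off the end: chain policy decides */
}

/* The chain from the mail, plus an if/then/else around a terminating target:
 *   1: -m this -m that    -j LOG --log-prefix "thisandthat: "
 *   2: --previous-matched -j ACCEPT
 *   3: --previous-failed  -j LOG --log-prefix "NOT-thisandthat: "
 *   4: -j DROP
 * Rule 3 sees rule 2 as "previous"; rule 2 can only have failed when rule 1
 * did, because a matching rule 2 would have accepted the packet already. */
static const struct rule demo_chain[] = {
    { 0,               { m_this, m_that }, 2, V_CONTINUE, "thisandthat: " },
    { RF_PREV_MATCHED, { NULL },           0, V_ACCEPT,   NULL },
    { RF_PREV_FAILED,  { NULL },           0, V_CONTINUE, "NOT-thisandthat: " },
    { 0,               { NULL },           0, V_DROP,     NULL },
};
#define DEMO_N ((int)(sizeof demo_chain / sizeof demo_chain[0]))

/* Run demo_chain on a constructed packet; 1 if verdict and log both match. */
int demo_check(bool this_ok, bool that_ok, enum verdict want, const char *want_log)
{
    struct pkt p = { this_ok, that_ok };
    char log[128];
    enum verdict v = scan_chain(demo_chain, DEMO_N, &p, log, sizeof log);
    return v == want && strcmp(log, want_log) == 0;
}

int main(void)
{
    struct pkt a = { true, true }, b = { true, false };
    char log[128];
    enum verdict v;
    v = scan_chain(demo_chain, DEMO_N, &a, log, sizeof log);
    printf("this+that : verdict %d, log \"%s\"\n", v, log);
    v = scan_chain(demo_chain, DEMO_N, &b, log, sizeof log);
    printf("this only : verdict %d, log \"%s\"\n", v, log);
    return 0;
}
```

Running it shows the two branches: a packet matching both "this" and "that" is logged with the "thisandthat: " prefix and accepted by rule 2; anything else skips rule 2, is logged by rule 3 with "NOT-thisandthat: " and dropped by rule 4. The one subtlety worth keeping in mind with these bits is that "previous" is positional, so a --previous-failed rule two places after the real condition only works because the intervening rule terminates on the matching path.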
