PATCH: new match: userindex

Ferry Huberts ferry at
Wed Dec 8 16:02:51 CET 2004

> On Wed, Dec 08, 2004 at 03:04:09PM +0100, Ferry Huberts wrote:
>> >> Kernel module for attaching a user specified index to a rule.
>> >> It matches every packet in order to have no influence on packet matching,
>> >> the only effect is to add a user index to a rule
>> >
>> > I think this is already covered - in extended form, i.e. arbitrary string
>> > instead of an integer - by the comment match, found in patch-o-matic.
>> I know, but I needed a leaner module
> Did you have performance / memory consumption issues with comment,
> that you won't have with your new module?
>> Also, using a number is much simpler, at least for me :-)
> There's nothing stopping you from putting a number (ASCII formatted)
> into the comment string. Per match, this will waste roughly NR_CPU*252
> byte.

OK, good point.
However, currently I can have up to 200 rules (with a big question mark over
more rules in future developments).
This currently means

comment:    252 * 200 = 50400 bytes
userindex:    4 * 200 =   800 bytes
ratio c/u:   63

And yes, main memory is rather limited on the target.

I also think that this userindex is a much simpler solution and therefore
more elegant.

I implemented it in order to have functionality I think iptables should
have by default: unique rule numbers that do not change once a rule is
configured (primary keys, to speak in relational database terms).
You can now list rule numbers but they change when rules are inserted or

This match allows me to be stateless w.r.t. peer information (which saves
memory, rather important for me).

> How many annotations do you need? Is your main memory really that
> constrained?
> best regards
>   Patrick

Ferry Huberts
