About matching (also was: Multiple Targets)

Patrick Schaaf bof at bof.de
Wed Apr 13 08:52:48 CEST 2005


Hello Wang Jian,

> My idea is --previous is pseudo match and will duplicate the previous
> match rule and mark itself a dup. When the previous rule is deleted,
> this one will de-mark the dup, but the matching rule itself still makes
> sense.

Upon deletion, the rule-to-be-deleted is still known in whatever
program is doing the deletion. So the duplication you describe
here does not make sense, even when we would _want_ the --previous
rule to automatically morph into the original rule. No dup marking
needed. Also no copying over matches, or something. Just this logic:
	is the rule following the to-be-deleted rule --previous?
	NO: proceed as always
	YES: delete the --previous rule, and leave the to-be-deleted
	rule undisturbed.

A more interesting problem is, what to do with
	iptables -A xxx -m this -m that -j DODAD
	iptables -A xxx ! --previous
i.e. a not-previous match. Upon deletion of the first of these rules,
how would you go about negating ALL those combined matches to form
a revived, ! --previous replacing rule line? Note: not all matches
even implement negation of all their parameters...

Also see my other mail: I think that all this is too complicated and
too restrictive on the admin of the machine, and should simply NOT
be done. The "more interesting" problem above seems to confirm
this feeling :)

best regards
  Patrick
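A small constructed model of the deletion logic and the "! --previous" problem from the mail above, as an added illustration; this is not code from iptables or netfilter, and the Match/Rule classes and the "negatable" flag are assumptions made for the model.

```python
# Constructed model of the "--previous" proposal from the mail (not iptables code).
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Match:
    name: str                # match module, e.g. "this" or "that"
    negatable: bool = True   # does the module implement "!" for its parameters?
    negated: bool = False

@dataclass
class Rule:
    target: str
    matches: List[Match] = field(default_factory=list)
    # None: ordinary rule; True: "--previous"; False: "! --previous"
    previous: Optional[bool] = None

def render(rule: Rule) -> str:
    """Render a rule the way it would appear on an iptables -A line."""
    if rule.previous is not None:
        prefix = "--previous" if rule.previous else "! --previous"
        return f"{prefix} -j {rule.target}"
    parts = [("! " if m.negated else "") + f"-m {m.name}" for m in rule.matches]
    return " ".join(parts + [f"-j {rule.target}"])

def delete_rule(chain: List[Rule], index: int) -> str:
    """Delete chain[index] with the mail's logic; returns a tag saying what was done."""
    rule = chain[index]
    nxt = index + 1
    follower = chain[nxt] if nxt < len(chain) else None
    if follower is None or follower.previous is None:
        del chain[index]                    # NO: proceed as always
        return "deleted"
    if follower.previous is True:
        del chain[nxt]                      # YES: drop the --previous rule,
        return "deleted-previous"           # original stays undisturbed
    # "! --previous": the follower would have to be revived as an explicit negated rule.
    # Negating each match separately is not the negation of their conjunction,
    # so only a single-match rule is revived here; anything else is refused.
    if len(rule.matches) != 1:
        return "refused: cannot negate a combined match"
    m = rule.matches[0]
    if not m.negatable:
        return f"refused: match {m.name} does not implement negation"
    follower.previous = None
    follower.matches = [Match(m.name, m.negatable, negated=True)]
    del chain[index]
    return "revived"
```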
