I'm trying to understand the beginning execution of 'ipt_do_table()', please let me know if I'm wrong. When the code enters the 'ip_packet_match()' function inside the 'do loop', the first thing that the firewall does is to check the source and destination address of the packet against one specific rule, am I right?

For example, if I only have one rule with INPUT ACCEPT:

    iptables -A INPUT -s 192.168.24.2 -j DROP

if the destination address matches the address it will return 0, then exit 'ip_packet_match()' and jump to 'no_match:' inside 'ipt_do_table()', right? What if it does not match?
----
On the other hand... if I have no rules to filter IP addresses, only one rule to filter one TCP port, then the code for 'ip_packet_match()' will not match anything, return a 1, and enter the "if statement" of 'ipt_do_table' ... 'ipt_do_table' will execute the IPT_MATCH_ITERATE macro, which jumps to the function 'do_match'. How does IPT_MATCH_ITERATE know that you want to filter a TCP port and not a MAC address? Who carries this info (the 'e' structure)?
Thank you!
Americo
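A simplified model of the per-rule address check the question is about, added here as an illustration and not taken from the kernel source or from the thread: the struct layout, the INV_* flag values and the helper names are assumptions of this example. It shows how a rule such as `-s 192.168.24.2` is compared against a packet's masked source and destination, with inversion handled the way the kernel's FWINV() idea does, before any match modules (tcp, mac, ...) are consulted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Simplified stand-in for the kernel's struct ipt_ip (assumed layout, not
 * the real one): rule addresses and masks in network byte order, plus the
 * inversion flags that "!" sets, e.g. "-s ! 192.168.24.2". */
#define INV_SRCIP 0x01   /* flag values assumed for this example */
#define INV_DSTIP 0x02

struct rule_ip {
    uint32_t src, smsk;
    uint32_t dst, dmsk;
    uint8_t  invflags;
};

/* Models the FWINV() idea: a raw compare result is flipped when the
 * corresponding inversion flag is set on the rule. */
static bool fwinv(bool mismatch, const struct rule_ip *r, uint8_t flag)
{
    return mismatch != ((r->invflags & flag) != 0);
}

/* The address part of rule matching, evaluated before any per-rule match
 * modules are consulted. True when both masked addresses satisfy the rule;
 * an omitted -s/-d is address 0.0.0.0 with mask 0.0.0.0, which every
 * packet satisfies. */
bool addr_match(const struct rule_ip *r, uint32_t saddr, uint32_t daddr)
{
    if (fwinv((saddr & r->smsk) != r->src, r, INV_SRCIP))
        return false;
    if (fwinv((daddr & r->dmsk) != r->dst, r, INV_DSTIP))
        return false;
    return true;
}

/* Convenience for a rule like "-s <src>/<mask>" with no -d: build the
 * rule from dotted-quad text and test one packet (src -> dst) against it. */
bool src_rule_matches(const char *rule_src, const char *rule_mask, uint8_t inv,
                      const char *pkt_src, const char *pkt_dst)
{
    struct rule_ip r = {
        .smsk = inet_addr(rule_mask),
        .dst = 0, .dmsk = 0,      /* -d omitted: any destination */
        .invflags = inv,
    };
    r.src = inet_addr(rule_src) & r.smsk;   /* keep the rule address masked */
    return addr_match(&r, inet_addr(pkt_src), inet_addr(pkt_dst));
}
```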