Hello Harald,
On Friday 05 July 2002 07:58, Harald Welte wrote:
> [...]
> yes. But then, how do we distinguish between terminating targets [where
> we can have only one per rule] and non-terminating targets AKA actions,
> where we can have multiple.
You could just add a boolean field 'terminating' to the iptables_target.
Then, make sure iptables aborts and complains if it sees more than one terminating
target being requested in a single rule.
Iptables could even give a warning (and reorder on the fly if necessary) if a
terminating target is found before a non-terminating target.
For example, the iptables_target struct of the TTL target would become:
static
struct iptables_target TTL = { NULL,
"TTL",
IPTABLES_VERSION,
IPT_ALIGN(sizeof(struct ipt_TTL_info)),
IPT_ALIGN(sizeof(struct ipt_TTL_info)),
&help,
&init,
&parse,
&final_check,
&print,
&save,
- opts
+ opts,
+ 0 /* target is NOT terminating*/
};
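Review bot: Adding the flag as a trailing positional initializer (the `+ 0 /* target is NOT terminating*/` line) means every target extension that is not updated gets the field implicitly zero-initialized, i.e. silently classified as non-terminating, which is the unsafe default for existing terminating targets such as DROP, ACCEPT or RETURN; either audit and update every extension in the same change, or name the field explicitly (a designated initializer) so a missing value is caught in review rather than defaulting to "action".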
and the iptables_target struct of the REJECT target would become:
static
struct iptables_target reject
= { NULL,
"REJECT",
IPTABLES_VERSION,
IPT_ALIGN(sizeof(struct ipt_reject_info)),
IPT_ALIGN(sizeof(struct ipt_reject_info)),
&help,
&init,
&parse,
&final_check,
&print,
&save,
- opts
+ opts,
+ 1 /* target is terminating */
};
But now, if you don't want to use the match piggybacking trick that Jozsef & Henrik
mentioned, then we can't implement that right now.
Do you think multiple targets are worth including in the design of the next
netfilter framework?
I believe we should do that, multiple actions for one condition is very natural,
and I believe the usage of a custom chain for each of these rules is a bit overkill.
Any thoughts?
Fabrice.
--
Fabrice MARIE
Senior R&D Engineer
Celestix Networks
http://www.celestix.com/
"Silly hacker, root is for administrators"
-Unknown
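The rule-level check Fabrice describes (at most one terminating target per rule, abort otherwise, and warn and reorder when a terminating target precedes a non-terminating one) can be sketched in a few lines. The following C is an added example written for this page, not code from the mail or from iptables: `struct rule_target`, `check_rule_targets`, the sample rules and the rendering helpers are all hypothetical stand-ins, and the real `struct iptables_target` has many more members than the two modelled here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, cut-down stand-in for struct iptables_target that carries the
 * proposed 'terminating' field (assumed name). */
struct rule_target {
    const char *name;
    int terminating;  /* 1 = ends rule traversal (REJECT, DROP); 0 = action only (TTL, LOG) */
};

enum rule_check {
    RULE_OK = 0,                   /* at most one terminating target, and it is last */
    RULE_REORDERED = 1,            /* a terminating target was moved to the end (warn) */
    RULE_TOO_MANY_TERMINATING = 2  /* two or more terminating targets: refuse the rule */
};

/* Validate the targets requested for one rule, in place. Refuses a rule with
 * more than one terminating target; otherwise moves a misplaced terminating
 * target to the end, keeping the relative order of the non-terminating
 * actions, and reports whether it had to. */
int check_rule_targets(struct rule_target *targets, int n)
{
    int nterm = 0, term_idx = -1;
    for (int i = 0; i < n; i++) {
        if (targets[i].terminating) {
            nterm++;
            term_idx = i;
        }
    }
    if (nterm > 1)
        return RULE_TOO_MANY_TERMINATING;
    if (nterm == 0 || term_idx == n - 1)
        return RULE_OK;
    struct rule_target t = targets[term_idx];
    memmove(&targets[term_idx], &targets[term_idx + 1],
            (size_t)(n - term_idx - 1) * sizeof t);
    targets[n - 1] = t;
    return RULE_REORDERED;
}

/* Constructed sample rules (not taken from the mail); at most 8 targets each. */
static const struct rule_target SAMPLE_OK[]        = { {"TTL", 0}, {"LOG", 0}, {"REJECT", 1} };
static const struct rule_target SAMPLE_MISPLACED[] = { {"TTL", 0}, {"REJECT", 1}, {"LOG", 0} };
static const struct rule_target SAMPLE_BAD[]       = { {"DROP", 1}, {"REJECT", 1} };

/* Run the check on a copy of a sample and return the result code. */
int sample_rc(const struct rule_target *sample, int n)
{
    struct rule_target copy[8];
    if (n > 8) n = 8;
    memcpy(copy, sample, (size_t)n * sizeof *sample);
    return check_rule_targets(copy, n);
}

/* Run the check on a copy of a sample and render the resulting target order
 * as "A,B,C". Uses a static buffer, so copy the result before the next call. */
const char *sample_order(const struct rule_target *sample, int n)
{
    static char out[128];
    struct rule_target copy[8];
    if (n > 8) n = 8;
    memcpy(copy, sample, (size_t)n * sizeof *sample);
    check_rule_targets(copy, n);
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (i) strncat(out, ",", sizeof out - strlen(out) - 1);
        strncat(out, copy[i].name, sizeof out - strlen(out) - 1);
    }
    return out;
}

int main(void)
{
    printf("ok:        rc=%d order=%s\n", sample_rc(SAMPLE_OK, 3), sample_order(SAMPLE_OK, 3));
    printf("misplaced: rc=%d order=%s\n", sample_rc(SAMPLE_MISPLACED, 3), sample_order(SAMPLE_MISPLACED, 3));
    printf("bad:       rc=%d (rule must be refused)\n", sample_rc(SAMPLE_BAD, 2));
    return 0;
}
```

The reordering keeps the non-terminating actions in the order the user wrote them and only moves the single terminating target to the end, which is what a "warn and reorder on the fly" step would need; a rule with two terminating targets is refused outright rather than guessed at.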