| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-06-01 21:28:28 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2023-06-02 13:05:13 +0200 |
| commit | f6d6ad24354ecd2997a48ba51b12e7dc34addd15 (patch) | |
| tree | 5a7534a1f5bcd3d617539c7b96a0b0ecec7d7c37 /extensions/libip6t_DNAT.c | |
| parent | 4c923250269f9ef4a7b4235f4dc127b04932a8eb (diff) | |
When generating bytecode, check for source and destination address in
first place, then, check for the input and output device. In general,
the first expression in the rule is the most evaluated during the
evaluation process. These selectors are likely to show more variability
in rulesets.
```
# iptables-nft -vv -I INPUT -s 1.2.3.4 -p tcp
tcp opt -- in * out * 1.2.3.4 -> 0.0.0.0/0
table filter ip flags 0 use 0 handle 0
ip filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0
ip filter INPUT
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x04030201 ]
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ counter pkts 0 bytes 0 ]
```
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions/libip6t_DNAT.c')
0 files changed, 0 insertions, 0 deletions