author Pablo Neira Ayuso <pablo@netfilter.org> 2023-06-01 21:28:28 +0200
committer Phil Sutter <phil@nwl.cc> 2023-06-02 13:05:13 +0200
commit f6d6ad24354ecd2997a48ba51b12e7dc34addd15
tree 5a7534a1f5bcd3d617539c7b96a0b0ecec7d7c37 /extensions/libxt_owner.man
parent 4c923250269f9ef4a7b4235f4dc127b04932a8eb
nft: check for source and destination address in first place

When generating bytecode, check for source and destination address in
first place, then, check for the input and output device. In general,
the first expression in the rule is the most evaluated during the
evaluation process. These selectors are likely to show more variability
in rulesets.

 # iptables-nft -vv -I INPUT -s 1.2.3.4 -p tcp
   tcp opt -- in * out * 1.2.3.4 -> 0.0.0.0/0
 table filter ip flags 0 use 0 handle 0
 ip filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0
 ip filter INPUT
   [ payload load 4b @ network header + 12 => reg 1 ]
   [ cmp eq reg 1 0x04030201 ]
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
   [ counter pkts 0 bytes 0 ]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
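
Added example, not code from this commit, iptables or libnftnl: a toy evaluator for the five expressions in the dump above that counts how many run per packet, showing that a packet failing the leading address compare stops after two expressions. The names `eval_rule`, `make_pkt`, `dump_word` and the structs are hypothetical, the packets are constructed, and it assumes a failed `cmp` ends rule evaluation and that the dump prints register data as little-endian 32-bit words (hence 0x04030201 for 1.2.3.4).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the expressions in the dump above; not libnftnl or kernel code. */
enum op { PAYLOAD_NH, META_L4PROTO, CMP_EQ, COUNTER };
struct expr { enum op op; unsigned off, len; uint8_t data[4]; };
struct pkt { uint8_t nh[20]; uint8_t l4proto; };   /* constructed IPv4 header */

static const struct expr rule[] = {
    { PAYLOAD_NH, 12, 4, {0} },        /* payload load 4b @ network header + 12 */
    { CMP_EQ, 0, 4, {1, 2, 3, 4} },    /* cmp eq reg 1 0x04030201 */
    { META_L4PROTO, 0, 1, {0} },       /* meta load l4proto => reg 1 */
    { CMP_EQ, 0, 1, {6} },             /* cmp eq reg 1 0x00000006 (TCP) */
    { COUNTER, 0, 0, {0} },            /* counter pkts 0 bytes 0 */
};
#define RULE_LEN ((int)(sizeof(rule) / sizeof(rule[0])))
/* Register bytes read as a little-endian 32-bit word, the form seen in the dump. */
uint32_t dump_word(const uint8_t d[4])
{
    return d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)d[2] << 16) | ((uint32_t)d[3] << 24);
}
/* Build a minimal IPv4 header (version 4, IHL 5) with the given source and protocol. */
struct pkt make_pkt(uint8_t a, uint8_t b, uint8_t c, uint8_t d, uint8_t proto)
{
    struct pkt p = { { [0] = 0x45, [9] = proto, [12] = a, [13] = b, [14] = c, [15] = d }, proto };
    return p;
}

/* Returns how many expressions ran; a failed cmp ends the rule early. */
int eval_rule(const struct pkt *p, int *matched)
{
    uint8_t reg[4] = {0};
    *matched = 0;
    for (int i = 0; i < RULE_LEN; i++) {
        if (rule[i].op == PAYLOAD_NH) memcpy(reg, p->nh + rule[i].off, rule[i].len);
        else if (rule[i].op == META_L4PROTO) { memset(reg, 0, 4); reg[0] = p->l4proto; }
        else if (rule[i].op == CMP_EQ && memcmp(reg, rule[i].data, rule[i].len)) return i + 1;
    }
    *matched = 1;
    return RULE_LEN;
}

int main(void)
{
    struct pkt hit = make_pkt(1, 2, 3, 4, 6), miss = make_pkt(10, 0, 0, 1, 6);
    int m1, m2, n1 = eval_rule(&hit, &m1), n2 = eval_rule(&miss, &m2);
    printf("hit: %d exprs, match=%d; miss: %d exprs, match=%d\n", n1, m1, n2, m2);
    return 0;
}
```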
Diffstat (limited to 'extensions/libxt_owner.man')
0 files changed, 0 insertions, 0 deletions