Comments:
<0> hello, I have a question about the multiport module
<0> This module definitely allows for fewer rules and easier maintenance
<0> but from a performance point of view, does it provide something?
<0> I mean, does it provide something more than when you specify a list of rules?
<1> bismuth, if you have other matches on the same rule too, I'd think you could save a few cycles by using multiport vs. several rules with one port (range) each.
<1> I.e., if you're also checking source and/or destination addresses, for instance, then that check would only be done once, rather than for each rule.
<1> The difference is probably hardly noticeable though.
<0> ok, in my case the checks are all the same
<0> when I do a 'iptables -L' I notice that all the ports specified in a rule containing multiport appear on one line
<1> Just as you configured it...
<0> right, so I assume netfilter does the check on all the ports in one cycle
<0> (on all the ports specified with the multiport module)
<0> so it should actually be quicker, isn't it?
<1> Well, yes, all the ports are checked when the multiport module is invoked, when the netfilter framework runs the packet through that one rule.
<1> But if you have, for instance, two rules like -A INPUT -p tcp --dport 22; -A INPUT -p tcp --dport 80, or one rule with multiport, logic would probably dictate that multiport could be a tiny bit quicker, but I don't think you'd notice a difference in most setups.
<1> So it's all academic, really.
<0> I ask this question because I was wondering: is it worth creating a chain with a set of rules for the different services, or using the multiport command (and therefore not creating a user chain)
<0> yes ok I see :-)
<1> Personally, when the difference is as small as it probably is here, I'd probably go with the solution that is easier to maintain later on when you have to look over what you've done and why, 2 months from now :)
<0> ok
<0> thx tirsek
<1> If you only have 5-10 ports anyway, it probably doesn't make much difference.
<0> k
<1> If you have thousands, maybe it's time to rethink the whole setup. ;)
<0> :)
<0> the thing is it's more like 16, and multiport allows 15 entries
<0> but i'll see what i'll do
<1> Hehe, ok :)
<1> I think I use it myself, at least. Makes for convenient grouping of what this and that host is allowed to do.
<1> Look, it's the mighty rusty :)
<2> tirsek: Where? Ooh, ohh, I'm *such* a big fan...
<1> ;-)
<3> mandriva mandriva!
<4> gug!
<5> Hi
<5> I patched iptables-1.3.5 with patch-o-matic and when I compile it I get an error "IPT_OSF_CONNECTOR undeclared"
<5> it's in libipt_osf_sh. What could I do to fix this?
<6> finally I've got RTSP to work on 2.6.15, patch at http://www.freenux.org/~mm/rtsp/2.6.15-rtsp.patch, feel free to tell me whether it works or not for you :)
<6> ciao
<5> is it still ok to apply pom-ng patches? because they are so damn old
<7> gug
<8> hi hidden
<9> ah cool, the channel does exist :-) hi! i'm looking for 'unclean' iptables code
<9> but iptables/extensions/libipt_unclean.c looks empty
<9> (parse function just returns 0 :-P)
<9> i'm working on NuFW
<9> i would like to know if packets sent by netfilter to user land are 'valid' (minimum size for udp/tcp packets, ports != 0, ...)
<9> or if it's more secure to recheck in the userland program
<10> gug
<7> gugr
<9> gug?
<7> haypo: the unclean match has no arguments, that's why libipt_unclean.c is so simple :)
<7> haypo: but it definitely looks cool
<7> haypo: gug == 'generic UTC greeting', or something similar :)
<9> ok :)
<9> Hidden: but ... libipt_unclean.c is really toooo small :-)
<9> where is the code!? :)
<7> code? why do you need code? ;)
<9> "I would like to know if packets sent by netfilter to user land are 'valid' (minimum size for udp/tcp packets, ports != 0, ...)"
<9> if i can't trust these packets, i would like to check them
<9> i fear buffer underflow for example
<9> i don't know netfilter things very well, i'm new to netfilter :-)
<7> what do you mean by 'netfilter is sending'? are you using QUEUE?
<9> Hidden: yes
<9> sorry if my question wasn't clear
<9> NuFW is using NF QUEUE or LIBIPQ
<9> my fear is maybe stupid
<9> or i should maybe add a rule in iptables to drop 'unclean' packets
<7> no, don't do that
<9> ok
<9> that's why i would like to know if a function already exists in netfilter to check if a packet is clean or not
<9> i think that it should be in the 'unclean' rule, but i can't find the unclean code!?
<9> that's why i'm on IRC asking you where i can find such code :-)
<9> is my question clear yet?
<7> sure
<9> any idea about my problem?
<9> i have to leave in a few minutes (5 or 15min)
<7> haypo: the code of the unclean match is in the kernel
<9> ok
<7> haypo: libipt_unclean.c does only the argument parsing and checking
<7> haypo: so the real code is in net/ipv4/netfilter/ipt_unclean.c in the kernel
<9> can you give me filenames?
<9> ah
<9> linux kernel?
<7> yes
<9> ok
<9> i thought that the iptables svn repository contains all the code
<7> or, if you have linux 2.6 (it's not included in that)
<9> Hidden: thanks, i will check that tomorrow
<7> then you can find the code in pom-ng
<9> pom-ng?
<7> patch-o-matic NG
<7> use Subversion to check it out from the Netfilter svn repository (see netfilter homepage for details)
<9> i used svn: https://svn.netfilter.org/netfilter/trunk/iptables
<9> what is the right module?
<7> then check out trunk/patch-o-matic-ng as well :)
<7> web interface for svn (really cool for browsing): http://svn.netfilter.org/cgi-bin/viewcvs.cgi/
<9> Hidden: ok, i get ./patch-o-matic-ng/patchlets/unclean/linux-2.6/net/ipv4/netfilter/ipt_unclean.c, looks better ;-)
<9> Hidden: thanks a lot
<9> but now i'm hungry, bye ;-)
<11> hey folks
<12> Hidden: right... it IS tproxy
<7> jengelh: any details?
<7> jengelh: what's the problem exactly?