git.ipfire.org Git - thirdparty/iptables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 1 Jun 2023 19:28:28 +0000 (21:28 +0200)
committer	Phil Sutter <phil@nwl.cc>
	Fri, 2 Jun 2023 11:05:13 +0000 (13:05 +0200)
commit	f6d6ad24354ecd2997a48ba51b12e7dc34addd15
tree	5a7534a1f5bcd3d617539c7b96a0b0ecec7d7c37	tree \| snapshot
parent	4c923250269f9ef4a7b4235f4dc127b04932a8eb	commit \| diff

nft: check for source and destination address in first place

When generating bytecode, check for source and destination address in
first place, then, check for the input and output device. In general,
the first expression in the rule is the most evaluated during the
evaluation process. These selectors are likely to show more variability
in rulesets.

# iptables-nft -vv -I INPUT -s 1.2.3.4 -p tcp
  tcp opt -- in * out *  1.2.3.4  -> 0.0.0.0/0
table filter ip flags 0 use 0 handle 0
ip filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0
ip filter INPUT
  [ payload load 4b @ network header + 12 => reg 1 ]
  [ cmp eq reg 1 0x04030201 ]
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
  [ counter pkts 0 bytes 0 ]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>

iptables/nft-bridge.c		diff \| blob \| blame \| history
iptables/nft-ipv4.c		diff \| blob \| blame \| history
iptables/nft-ipv6.c		diff \| blob \| blame \| history