matching process

matching process

[Art Emius]

Hello netfilter people,

Being concerned about iptables performance I thought about if criteria
number and order in rule does matter. Unfortunately I didn't find much
info about it in the internet, so... here are my questions.

Does criteria number matter? Two example rules are written below.
iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p
icmp -j ACCEPT
Will it take same time to match packet by these rules, or first rule
will take less time?

How does matching process exactly happens?
Let's say we have a rule like:
iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p
udp --dport 123 -j ACCEPT
And packet with
iif=eth1
src=10.10.10.10
dst=10.20.20.20
proto=udp
dport=123

Will netfilter match packet with all criteria specified and make
decision in the end, or it will jump to next rule when first criteria
mismatch happen?

And third question. Is it all fair if using ipset? Will packet be
matched with SET2 if it doesn't match SET1?
iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set
--match-set SET2 dst,dst -j ACCEPT

--
Regards,
Emius

Re: matching process

[Anton Danilov]

Hello Art!

Some types of matches are being checking always.

Look at http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L53

Function ip_packet_match checks the interfaces and protocols, and
fragments always.

Other matches are being checked in the loop, that will be break after
first mismatch
( http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L233
function and
this loop http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L308
)

> Does criteria number matter? Two example rules are written below.
> iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
> iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p
> icmp -j ACCEPT
> Will it take same time to match packet by these rules, or first rule
> will take less time?

In the both rules --in-interface and --protocol matches will be checked,
but second rule will be take more time, because it checks the addresses.

>
> How does matching process exactly happens?
> Let's say we have a rule like:
> iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p
> udp --dport 123 -j ACCEPT
> And packet with
> iif=eth1
> src=10.10.10.10
> dst=10.20.20.20
> proto=udp
> dport=123
>
> Will netfilter match packet with all criteria specified and make
> decision in the end, or it will jump to next rule when first criteria
> mismatch happen?

The intefaces and protocol will be cheched at first step by
ip_packet_match function.
But after interface mismatch there is the jump at next rule, so
protocol, addresses and
port numbers checking will be skipped.

> And third question. Is it all fair if using ipset? Will packet be
> matched with SET2 if it doesn't match SET1?
> iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set
> --match-set SET2 dst,dst -j ACCEPT

Nope, the packet will not be matches with SET2, if --match-set SET1 src,src
returns the false.


-- 
Anton.

Re: matching process

[Anton Danilov]

Hi Art again.
I've reread the mail and function ip_packet_match source.

And here is match steps:
1. source address
2. destination address
3. input interface
4. output interface
5. next protocol
6. fragment checking
7. other matches.




2016-11-08 11:48 GMT+03:00 Anton Danilov <littlesmilingcloud@gmail.com>:
> Hello Art!
>
> Some types of matches are being checking always.
>
> Look at http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L53
>
> Function ip_packet_match checks the interfaces and protocols, and
> fragments always.
>
> Other matches are being checked in the loop, that will be break after
> first mismatch
> ( http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L233
> function and
> this loop http://lxr.free-electrons.com/source/net/ipv4/netfilter/ip_tables.c#L308
> )
>
>> Does criteria number matter? Two example rules are written below.
>> iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
>> iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p
>> icmp -j ACCEPT
>> Will it take same time to match packet by these rules, or first rule
>> will take less time?
>
> In the both rules --in-interface and --protocol matches will be checked,
> but second rule will be take more time, because it checks the addresses.
>
>>
>> How does matching process exactly happens?
>> Let's say we have a rule like:
>> iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p
>> udp --dport 123 -j ACCEPT
>> And packet with
>> iif=eth1
>> src=10.10.10.10
>> dst=10.20.20.20
>> proto=udp
>> dport=123
>>
>> Will netfilter match packet with all criteria specified and make
>> decision in the end, or it will jump to next rule when first criteria
>> mismatch happen?
>
> The intefaces and protocol will be cheched at first step by
> ip_packet_match function.
> But after interface mismatch there is the jump at next rule, so
> protocol, addresses and
> port numbers checking will be skipped.
>
>> And third question. Is it all fair if using ipset? Will packet be
>> matched with SET2 if it doesn't match SET1?
>> iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set
>> --match-set SET2 dst,dst -j ACCEPT
>
> Nope, the packet will not be matches with SET2, if --match-set SET1 src,src
> returns the false.
>
>
> --
> Anton.



-- 
Anton.

Re: matching process

[Anton Danilov]

> Does criteria number matter? Two example rules are written below.
> iptables -t filter -A FORWARD -i eth0 -p icmp -j ACCEPT
> iptables -t filter -A FORWARD -i eth1 -s 10.10.10.10 -d 10.20.20.20 -p
> icmp -j ACCEPT
> Will it take same time to match packet by these rules, or first rule
> will take less time?

Both rules take the same time: addresses, interfaces and protocol
matches will be checked.

> How does matching process exactly happens?
> Let's say we have a rule like:
> iptables -t filter -A FORWARD -i eth0 -s 10.10.10.10 -d 10.20.20.20 -p
> udp --dport 123 -j ACCEPT
> And packet with
> iif=eth1
> src=10.10.10.10
> dst=10.20.20.20
> proto=udp
> dport=123
>
> Will netfilter match packet with all criteria specified and make
> decision in the end, or it will jump to next rule when first criteria
> mismatch happen?

In this case will be checked addresses at first place, and match
process will be break
after interface mismatch.

> And third question. Is it all fair if using ipset? Will packet be
> matched with SET2 if it doesn't match SET1?
> iptables -t filter -A FORWARD -m set --match-set SET1 src,src -m set
> --match-set SET2 dst,dst -j ACCEPT

It fairs for any type of matches. A packet will not be matched with
SET2 - after SET1
checking there is a jump at next rule.

>
> --
> Regards,
> Emius
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Anton.