Re: [PATCH] iptables: new strict host model match
From: Stephen Hemminger <hidden>
Date: 2009-02-28 02:10:09
Also in: netfilter-devel
On Sat, 28 Feb 2009 02:53:10 +0100 (CET) Jan Engelhardt [off-list ref] wrote:
On Friday 2009-02-27 04:23, Stephen Hemminger wrote:
+static struct xt_match strict_mt_reg __read_mostly = { + .name = "strict", + .family = NFPROTO_IPV4, + .match = strict_mt, + .matchsize = 0, + .me = THIS_MODULE, +};
The match seems to make the most sense where an input device is available, so
.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD)
should probably be added.
Then routing wouldn't work...
I suppose it could be useful to to different chains for routed vs non-routed packets on pre-routing chain, but on forward chain it wouldn't really do anything useful.
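Review bot: the strict_mt_reg initializer sets neither .hooks nor .checkentry, so nothing in the registration stops the match from being loaded into chains such as OUTPUT or POSTROUTING, where there is no input device. The body of strict_mt is not part of the quoted hunk; if it relies on the input device, either restrict the hook mask to the hooks where the rule is meant to apply or have the match function return false when no input device is present. Separately, .matchsize = 0 is redundant in a static initializer and can be dropped.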