Thread: 12 messages, 6 authors, 2009-03-02

Re: [PATCH] iptables: new strict host model match

From: Jan Engelhardt <hidden>
Date: 2009-02-28 08:27:04
Also in: netfilter-devel

On Saturday 2009-02-28 03:10, Stephen Hemminger wrote:
On Friday 2009-02-27 04:23, Stephen Hemminger wrote:
+static struct xt_match strict_mt_reg __read_mostly = {
+	.name		= "strict",
+	.family		= NFPROTO_IPV4,
+	.match		= strict_mt,
+	.matchsize	= 0,
+	.me		= THIS_MODULE,
+};
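Review bot: the registration sets no `.hooks` mask, so nothing stops a rule using this match from being loaded in OUTPUT or POSTROUTING, where the in_dev the match inspects is not available. Adding `.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD)` to the struct makes that restriction enforceable at rule-insertion time, the same way xt_mac and other input-device matches do.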
The match seems to make the most sense where an input device
is available, so

	.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |
	         (1 << NF_INET_FORWARD)

should probably be added.
Then routing wouldn't work...
I suppose it could be useful to have different chains for routed vs non-routed
packets on pre-routing chain, but on forward chain it wouldn't really
do anything useful.
...Ok? The hooks mask limits the use of the match to - true to its name -
hooks, so it implies permitting the use of the match in the
PREROUTING/INPUT/FORWARD chain and chains called from it, as long as
no unlisted chain has a reference to it too. This is how most other
modules, e.g. xt_mac, act too.

Since xt_strict inspects in_dev, and in_dev is not available in
OUTPUT/POSTROUTING, I was suggesting to just limit its use to the
chains where in_dev != NULL.
Or did I misunderstand you?
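The rule Jan describes (a match with a hooks mask may sit in a user-defined chain only as long as every base chain that can reach it is one of the listed hooks) is easy to get wrong when chains are shared. The following is an added, self-contained userspace model of that check; it is not the kernel's code, not the xt_strict patch, and not xt_mac. The hook numbers are the real values of enum nf_inet_hooks from linux/netfilter.h; the ruleset (base chains PREROUTING/INPUT/FORWARD/OUTPUT/POSTROUTING plus two constructed user chains, `ingress` and `common`) and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hook numbers as defined in <linux/netfilter.h> (enum nf_inet_hooks). */
enum {
    NF_INET_PRE_ROUTING  = 0,
    NF_INET_LOCAL_IN     = 1,
    NF_INET_FORWARD      = 2,
    NF_INET_LOCAL_OUT    = 3,
    NF_INET_POST_ROUTING = 4,
};

/* The hooks mask proposed in the thread for the strict match. */
#define STRICT_HOOKS ((1u << NF_INET_PRE_ROUTING) | \
                      (1u << NF_INET_LOCAL_IN)    | \
                      (1u << NF_INET_FORWARD))

/* Constructed toy ruleset (an assumption for this example). A base chain
 * starts with its own hook bit; a user chain starts with no bits and
 * collects the bits of every chain that jumps to it. */
struct chain {
    const char   *name;
    unsigned int  hooks;
    const char   *jumps[4];   /* chains this chain jumps to, NULL-terminated */
};

static struct chain chains[] = {
    { "PREROUTING",  1u << NF_INET_PRE_ROUTING,  { "ingress", NULL } },
    { "INPUT",       1u << NF_INET_LOCAL_IN,     { "ingress", "common", NULL } },
    { "FORWARD",     1u << NF_INET_FORWARD,      { NULL } },
    { "OUTPUT",      1u << NF_INET_LOCAL_OUT,    { "common", NULL } },
    { "POSTROUTING", 1u << NF_INET_POST_ROUTING, { NULL } },
    { "ingress",     0,                          { NULL } },  /* user chain */
    { "common",      0,                          { NULL } },  /* user chain */
};

#define NCHAINS (sizeof chains / sizeof chains[0])

static int find_chain(const char *name)
{
    for (size_t i = 0; i < NCHAINS; i++)
        if (strcmp(chains[i].name, name) == 0)
            return (int)i;
    return -1;
}

/* Propagate hook bits from callers to callees until nothing changes, so a
 * user chain ends up with the union of the hooks of everything that can
 * reach it, directly or through other user chains. Idempotent. */
static void propagate_hooks(void)
{
    int changed;
    do {
        changed = 0;
        for (size_t i = 0; i < NCHAINS; i++) {
            for (int j = 0; chains[i].jumps[j] != NULL; j++) {
                int t = find_chain(chains[i].jumps[j]);
                if (t < 0)
                    continue;
                unsigned int before = chains[t].hooks;
                chains[t].hooks |= chains[i].hooks;
                if (chains[t].hooks != before)
                    changed = 1;
            }
        }
    } while (changed);
}

/* Hook mask of a chain: which base hooks can deliver packets to it. */
unsigned int chain_hook_mask(const char *name)
{
    propagate_hooks();
    int i = find_chain(name);
    return i < 0 ? 0u : chains[i].hooks;
}

/* A match whose hooks mask is `match_hooks` is accepted in a chain only if
 * every hook able to reach that chain is inside the mask. */
int match_allowed_in(const char *chain_name, unsigned int match_hooks)
{
    unsigned int m = chain_hook_mask(chain_name);
    return m != 0u && (m & ~match_hooks) == 0u;
}

int strict_allowed_in(const char *chain_name)
{
    return match_allowed_in(chain_name, STRICT_HOOKS);
}

int main(void)
{
    for (size_t i = 0; i < NCHAINS; i++)
        printf("%-12s hooks=0x%02x strict match %s\n", chains[i].name,
               chain_hook_mask(chains[i].name),
               strict_allowed_in(chains[i].name) ? "allowed" : "rejected");
    return 0;
}
```

With this ruleset `ingress` is reachable only from PREROUTING and INPUT and accepts the match, whereas `common` is also jumped to from OUTPUT, so a strict rule placed there is rejected even though INPUT references the chain as well; that is the "no unlisted chain has a reference to it" clause in practice.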