MARK targets all non-terminating
Patrick McHardy
kaber at trash.net
Wed Jan 10 13:56:05 CET 2007
Jan Engelhardt wrote:
> On Jan 10 2007 12:11, Amin Azez wrote:
>
>> It's not just mark and terminate, but mark and return.
>> It can be managed with --goto and -j RETURN and a subchain.
>
>
> That is not the issue here. We _do_ want to terminate. Consider this faulty
> (shadowing) ruleset:
>
> -t mangle -A POSTROUTING -s 10.0.0.0 -j CLASSIFY --set-class 1:16
> -t mangle -A POSTROUTING -p tcp -j CLASSIFY --set-class 1:17
>
> which will cause TCP traffic to 10.0.0.0 to become 1:17 rather than the intended
> 1:16. Using an extra chain with ACCEPT solves it, with RETURN: no.
It does if you use a subchain as Amin suggested, and it allows you to
do additional mangling.
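To make the traversal argument concrete, here is a small Python model of iptables chain walking (an added example, not code from the thread or from the netfilter project). The CLASSIFIER/SUB chain layout is my reading of Amin's --goto plus RETURN suggestion, and the packet and matches are constructed for the demo.

```python
# Minimal model of iptables chain traversal: CLASSIFY and MARK are
# non-terminating, ACCEPT ends the table walk, -j pushes a return point,
# -g does not (so a RETURN after -g resumes in the chain that did the -j).

def any_pkt(p):  return True
def src_host(p): return p["src"] == "10.0.0.0"      # models "-s 10.0.0.0"
def is_tcp(p):   return p["proto"] == "tcp"          # models "-p tcp"

def traverse(chains, chain, pkt, state):
    """Return 'ACCEPT', 'RETURN' or None (fell off the end of the chain)."""
    for match, (kind, arg) in chains[chain]:
        if not match(pkt):
            continue
        if kind in ("CLASSIFY", "MARK"):             # non-terminating targets
            state[kind] = arg
        elif kind in ("ACCEPT", "RETURN"):
            return kind
        elif kind == "jump":                          # -j CHAIN: come back here
            if traverse(chains, arg, pkt, state) == "ACCEPT":
                return "ACCEPT"
        elif kind == "goto":                          # -g CHAIN: no return point,
            return traverse(chains, arg, pkt, state)  # RETURN goes to our caller
    return None

def run(chains, pkt):
    state = {}
    traverse(chains, "POSTROUTING", pkt, state)
    return state

# 1) The faulty (shadowing) ruleset from the thread, flat in POSTROUTING.
FLAT = {"POSTROUTING": [(src_host, ("CLASSIFY", "1:16")),
                        (is_tcp,   ("CLASSIFY", "1:17")),
                        (any_pkt,  ("MARK", 7))]}          # later mangling

# 2) Subchain ending in ACCEPT: class is right, but the MARK rule is skipped.
ACCEPT_SUB = {"POSTROUTING": [(src_host, ("jump", "SUB")),
                              (is_tcp,   ("CLASSIFY", "1:17")),
                              (any_pkt,  ("MARK", 7))],
              "SUB": [(any_pkt, ("CLASSIFY", "1:16")), (any_pkt, ("ACCEPT", None))]}

# 3) -g into SUB, then RETURN: the RETURN skips the rest of CLASSIFIER (the
#    shadowing rule) and resumes in POSTROUTING, so the MARK rule still runs.
GOTO_SUB = {"POSTROUTING": [(any_pkt, ("jump", "CLASSIFIER")),
                            (any_pkt, ("MARK", 7))],
            "CLASSIFIER": [(src_host, ("goto", "SUB")),
                           (is_tcp,   ("CLASSIFY", "1:17"))],
            "SUB": [(any_pkt, ("CLASSIFY", "1:16")), (any_pkt, ("RETURN", None))]}
PKT = {"src": "10.0.0.0", "proto": "tcp"}   # constructed packet from the thread's case
```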