MARK targets all non-terminating
Jan Engelhardt
jengelh at linux01.gwdg.de
Wed Jan 10 15:00:22 CET 2007
On Jan 10 2007 13:56, Patrick McHardy wrote:
>>
>> -t mangle -A POSTROUTING -s 10.0.0.0 -j CLASSIFY --set-class 1:16
>> -t mangle -A POSTROUTING -p tcp -j CLASSIFY --set-class 1:17
>>
>> which will cause TCP traffic to 10.0.0.0 to become 1:17 rather than the intended
>> 1:16. Using an extra chain with ACCEPT solves it; with RETURN it does not.
>
>It does if you use a subchain as Amin suggested, and it allows you to
>do additional mangling.
Well, the problem with RETURN is that you may run into another MARK or
CLASSIFY (see above) which is not intended. You actually resurfaced an
idea of mine, namely... consider this:
-s IP -j MARK --set-mark 17
-p tcp -j MARK --set-mark 18
To make them not overlap, one could use
-p tcp -m mark --mark 0 -j MARK --set-mark 18
But unfortunately, there is no "classify" match for the CLASSIFY case.
What now? You don't really want to matrixify all possibilities -
consider:
-s IP1 -j MARK --set-mark 17 --term
-d IP2 -j MARK --set-mark 18 --term
-p tcp --dport 22 -j MARK --set-mark 19 --term
-p tcp -j MARK --set-mark 20 --term
Then you would need to matrixify it, since '--term' is not available:

-s     -d     tcp?  22?  action
ip1    ip2    y     y    MARK 17
ip1    ip2    y     n    MARK 17
ip1    ip2    n     y    MARK 17
ip1    ip2    n     n    MARK 17
ip1    !ip2   ...   ..   MARK 17
!ip1   ...
.
.
leading to:
-s IP1 ! -d IP2 -j MARK --set-mark 17
! -s IP1 -d IP2 -j MARK --set-mark 18
! -s IP1 ! -d IP2 -p tcp --dport 22 -j MARK --set-mark 19
! -s IP1 ! -d IP2 -p tcp ! --dport 22 -j MARK --set-mark 20
Well, this obviously becomes ugly quickly.
Phew, I hope I did not mix up anything.
-`J'
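The ordering problem discussed in this thread (a later non-terminating MARK rule silently overwriting an earlier one, and why a subchain ending in ACCEPT fixes it while one ending in RETURN does not) can be shown with a small model of netfilter chain traversal. The following is an added example written for this page; it is not code from the message above or from iptables/netfilter itself. The addresses 10.0.0.1 and 192.0.2.x, the chain name by_src and the mark values are made up; MARK is modelled as non-terminating, ACCEPT as ending traversal of the whole base chain, and RETURN (or falling off the end of a user chain) as resuming in the caller, which is how the mangle table behaves.

```python
"""Toy model of iptables chain traversal for MARK/ACCEPT/RETURN.

Added example, not from the netfilter-devel thread or from iptables.
Hosts, ports, chain names and mark values are constructed test data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    mark: int = 0            # skb->mark; every packet starts unmarked


Match = Callable[[Packet], bool]


@dataclass
class Rule:
    match: Match
    target: str              # "MARK", "ACCEPT", "RETURN", or a user-chain name
    value: Optional[int] = None   # the --set-mark argument for MARK


Chains = Dict[str, List[Rule]]


# Match helpers standing in for -s, -p, -m mark --mark and an always-true match.
def src(ip: str) -> Match:
    return lambda p: p.src == ip

def proto(name: str) -> Match:
    return lambda p: p.proto == name

def mark_is(m: int) -> Match:
    return lambda p: p.mark == m

def every(*ms: Match) -> Match:
    return lambda p: all(m(p) for m in ms)

def any_pkt(p: Packet) -> bool:
    return True


def run_chain(chains: Chains, name: str, pkt: Packet) -> str:
    """Walk one chain and return the verdict ("ACCEPT" or "RETURN")."""
    for rule in chains[name]:
        if not rule.match(pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = rule.value          # non-terminating: keep walking
        elif rule.target in ("ACCEPT", "RETURN"):
            return rule.target
        else:                              # -j <user chain>
            if run_chain(chains, rule.target, pkt) == "ACCEPT":
                return "ACCEPT"            # ACCEPT ends the whole traversal
            # RETURN from the subchain: resume with the next rule here
    return "RETURN"                        # fell off the end of the chain


def final_mark(chains: Chains, pkt: Packet) -> int:
    """Run the packet through POSTROUTING and report the resulting mark."""
    run_chain(chains, "POSTROUTING", pkt)
    return pkt.mark


def naive() -> Chains:
    # -s 10.0.0.1 -j MARK --set-mark 17 ; -p tcp -j MARK --set-mark 18
    return {"POSTROUTING": [
        Rule(src("10.0.0.1"), "MARK", 17),
        Rule(proto("tcp"), "MARK", 18),
    ]}


def guarded() -> Chains:
    # Second rule carries -m mark --mark 0 so it only fires on unmarked packets.
    return {"POSTROUTING": [
        Rule(src("10.0.0.1"), "MARK", 17),
        Rule(every(proto("tcp"), mark_is(0)), "MARK", 18),
    ]}


def subchain(terminator: str) -> Chains:
    # -s 10.0.0.1 -j by_src ; by_src: MARK 17 then ACCEPT or RETURN
    return {
        "POSTROUTING": [
            Rule(src("10.0.0.1"), "by_src"),
            Rule(proto("tcp"), "MARK", 18),
        ],
        "by_src": [
            Rule(any_pkt, "MARK", 17),
            Rule(any_pkt, terminator),
        ],
    }


def tcp_from_host() -> Packet:
    """Constructed packet that matches both rules: TCP from 10.0.0.1."""
    return Packet(src="10.0.0.1", dst="192.0.2.9", proto="tcp", dport=22)


if __name__ == "__main__":
    for label, chains in [("naive", naive()), ("guarded", guarded()),
                          ("subchain+ACCEPT", subchain("ACCEPT")),
                          ("subchain+RETURN", subchain("RETURN"))]:
        print(f"{label:16s} -> mark {final_mark(chains, tcp_from_host())}")
```

The `mark 0` guard only works because a `mark` match exists and because 0 is not itself a meaningful mark in the ruleset; there is no equivalent match for CLASSIFY, which is the gap the message points out. Note also that an ACCEPT inside a mangle subchain ends traversal of that mangle hook only; the packet still passes through the other tables' hooks.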