* CLASSIFY target confusion
From: Deepak Seshadri @ 2005-09-10 18:08 UTC (permalink / raw)
  To: netfilter

Hello everybody,
Here is a snippet from my script:

*mangle
-A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
-A router -j CLASSIFY --set-class 1:21
-A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
-A router -j ACCEPT

As you see above:
- All packets from 10.0.2.x will jump to the chain "router"
- Here it gets classified to TC's class 1:21
- But if the packet matches the layer-7 policy "exe", it will get classified 
to TC's class 1:23
- Accepted

What happens is:
Those packets that match the "exe" pattern do not get classified to 1:23. 
They still go through 1:21. I thought the packets matching the "exe" pattern 
would take the CLASSIFY target mentioned on the third line (1:23). Even 
though they match the third rule, they still retain the class 1:21. Could 
someone please help me here?

Through conntrack I verified that the connections are being detected by the 
exe pattern matching rule but that connection still flows through 1:21 
class.

Thank you,
Deepak 



* Re: CLASSIFY target confusion
From: /dev/rob0 @ 2005-09-10 19:45 UTC (permalink / raw)
  To: netfilter

On Saturday 2005-September-10 13:08, Deepak Seshadri wrote:
> Here is a snippet from my script:

Perhaps it's a minor and insignificant detail, but the terminology is 
wrong; these are iptables-save(8) rules, not a script.

> *mangle
> -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
> -A router -j CLASSIFY --set-class 1:21
> -A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
> -A router -j ACCEPT
>
> As you see above:
> - All packets from 10.0.2.x will jump to the chain "router"
> - Here it gets classified to TC's class 1:21

And at that point they are finished in the mangle table POSTROUTING 
chain, and out they go.

> - But if the packet matches the layer-7 policy "exe", it will get
> classified to TC's class 1:23

Unless matched by the first rule, which all traffic does match.

> the class 1:21. Could someone please help me here?

Always assume that any target is a terminating one, unless documented 
otherwise. Reverse the order of the first and second rules, and you 
will get what you want.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* Re: CLASSIFY target confusion
From: vinod_chandran @ 2005-09-10 19:54 UTC (permalink / raw)
  To: Deepak Seshadri; +Cc: netfilter

Hi Deepak,

Give it a try after moving the general rule (1:21) after the specific exe
rule. I am not completely sure whether CLASSIFY target accepts the last
matching rule or the first rule.

Regards,
Vinod C


> Hello everybody,
> Here is a snippet from my script:
>
> *mangle
> -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
> -A router -j CLASSIFY --set-class 1:21
> -A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
> -A router -j ACCEPT
>
> As you see above:
> - All packets from 10.0.2.x will jump to the chain "router"
> - Here it gets classified to TC's class 1:21
> - But if the packet matches the layer-7 policy "exe", it will get
> classified
> to TC's class 1:23
> - Accepted
>
> What happens is:
> Those packets that match the "exe" pattern does not get classified to
> 1:23.
> They still go through 1:21. I thought the packets matching the "exe"
> pattern
> will take the CLASSIFY target mentioned on the third line (1:23). Even
> though they match the third rule, they still retain the class 1:21. Could
> someone please help me here?
>
> Through conntrack I verified that the connections are being detected by
> the
> exe pattern matching rule but that connection still flows through 1:21
> class.
>
> Thank you,
> Deepak
>
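
The rule-ordering point made in both replies, as an added example that is not from the thread: a small Python model of chain traversal, run over the OP's "router" chain under both readings of CLASSIFY (terminating, as /dev/rob0 assumes, and non-terminating, the alternative Vinod leaves open). The Rule class, the packet dictionaries and their attribute names are constructed for the illustration; the model covers only target semantics, not how layer7 detects a pattern across several packets.

```python
# Added example (not from the thread): toy model of iptables chain traversal,
# showing how rule order interacts with whether a target ends traversal.
from dataclasses import dataclass, field


@dataclass
class Rule:
    target: str                                   # "CLASSIFY" or "ACCEPT"
    arg: str = ""                                 # class for --set-class
    match: dict = field(default_factory=dict)     # attributes a packet needs


ACCEPT = Rule("ACCEPT")


def matches(rule, pkt):
    # A rule with no match criteria (the OP's general rule) matches everything.
    return all(pkt.get(k) == v for k, v in rule.match.items())


def classify(chain, pkt, classify_terminates):
    """Walk `chain` in order and return the class `pkt` ends up with.

    ACCEPT always ends traversal.  CLASSIFY ends it only when
    classify_terminates is True; otherwise it sets the class and the
    walk continues, so a later matching CLASSIFY overrides it.
    """
    cls = None
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.target == "CLASSIFY":
            cls = rule.arg
            if classify_terminates:
                return cls
        elif rule.target == "ACCEPT":
            return cls
    return cls  # fell off the end of the chain


# The OP's chain, and the swap suggested in the replies.
EXE_RULE = Rule("CLASSIFY", "1:23", {"proto": "tcp", "dport": 80, "l7": "exe"})
GENERAL_RULE = Rule("CLASSIFY", "1:21")
ORIGINAL_ORDER = [GENERAL_RULE, EXE_RULE, ACCEPT]
SWAPPED_ORDER = [EXE_RULE, GENERAL_RULE, ACCEPT]

# Constructed sample packets: one the "exe" pattern matched, one plain HTTP.
EXE_PKT = {"proto": "tcp", "dport": 80, "l7": "exe"}
WEB_PKT = {"proto": "tcp", "dport": 80, "l7": "http"}


def outcome_table():
    """(order, semantics) -> (class for exe packet, class for web packet)."""
    out = {}
    for order, chain in (("original", ORIGINAL_ORDER), ("swapped", SWAPPED_ORDER)):
        for sem, term in (("terminating", True), ("continue", False)):
            out[(order, sem)] = (classify(chain, EXE_PKT, term),
                                 classify(chain, WEB_PKT, term))
    return out
```

Under the terminating reading the original order reproduces the OP's symptom and the swap fixes it, but under the continue reading the swap has the opposite effect, so which reading applies to a target has to be confirmed from its documentation or kernel source; on a live box the per-rule packet counters from `iptables -t mangle -vnL router` show which rule a flow actually hit.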




