* CLASSIFY target confusion
From: Deepak Seshadri @ 2005-09-10 18:08 UTC
To: netfilter
Hello everybody,
Here is a snippet from my script:
*mangle
-A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
-A router -j CLASSIFY --set-class 1:21
-A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
-A router -j ACCEPT
As you see above:
- All packets from 10.0.2.x will jump to the chain "router"
- Here it gets classified to TC's class 1:21
- But if the packet matches the layer-7 policy "exe", it will get classified to TC's class 1:23
- Accepted
What happens is:
Those packets that match the "exe" pattern do not get classified to 1:23.
They still go through 1:21. I thought the packets matching the "exe" pattern
will take the CLASSIFY target mentioned on the third line (1:23). Even
though they match the third rule, they still retain the class 1:21. Could
someone please help me here?
Through conntrack I verified that the connections are being detected by the
exe pattern matching rule but that connection still flows through 1:21
class.
Thank you,
Deepak
* Re: CLASSIFY target confusion
From: /dev/rob0 @ 2005-09-10 19:45 UTC
To: netfilter
On Saturday 2005-September-10 13:08, Deepak Seshadri wrote:
> Here is a snippet from my script:
Perhaps it's a minor and insignificant detail, but the terminology is
wrong; these are iptables-save(8) rules, not a script.
> *mangle
> -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
> -A router -j CLASSIFY --set-class 1:21
> -A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
> -A router -j ACCEPT
>
> As you see above:
> - All packets from 10.0.2.x will jump to the chain "router"
> - Here it gets classified to TC's class 1:21
And at that point they are finished in the mangle table POSTROUTING
chain, and out they go.
> - But if the packet matches the layer-7 policy "exe", it will get
> classified to TC's class 1:23
Unless matched by the first rule, which all traffic does match.
> the class 1:21. Could someone please help me here?
Always assume that any target is a terminating one, unless documented
otherwise. Reverse the order of the first and second rules, and you
will get what you want.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: CLASSIFY target confusion
From: vinod_chandran @ 2005-09-10 19:54 UTC
To: Deepak Seshadri; +Cc: netfilter
Hi Deepak,
Give it a try after moving the general rule (1:21) after the specific exe
rule. I am not completely sure whether CLASSIFY target accepts the last
matching rule or the first rule.
Regards,
Vinod C
> Hello everybody,
> Here is a snippet from my script:
>
> *mangle
> -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
> -A router -j CLASSIFY --set-class 1:21
> -A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
> -A router -j ACCEPT
>
> As you see above:
> - All packets from 10.0.2.x will jump to the chain "router"
> - Here it gets classified to TC's class 1:21
> - But if the packet matches the layer-7 policy "exe", it will get classified to TC's class 1:23
> - Accepted
>
> What happens is:
> Those packets that match the "exe" pattern do not get classified to 1:23.
> They still go through 1:21. I thought the packets matching the "exe" pattern
> will take the CLASSIFY target mentioned on the third line (1:23). Even
> though they match the third rule, they still retain the class 1:21. Could
> someone please help me here?
>
> Through conntrack I verified that the connections are being detected by the
> exe pattern matching rule but that connection still flows through 1:21
> class.
>
> Thank you,
> Deepak
>
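Both replies suggest the same fix: put the specific layer-7 rule ahead of the catch-all CLASSIFY rule in the "router" chain. As an added example that is not part of the thread, the Python below parses an iptables-save style dump (the thread's own rules, embedded here as a constructed sample), flags any chain in which a rule with no match criteria precedes a more specific rule that jumps to the same target, and emits the chain with the specific rule moved first. The helper names `parse_rules`, `shadowed_rules`, `reorder_specific_first` and `render` are hypothetical; the script never calls iptables and does not decide whether a given target is terminating, it only surfaces the ordering for review before a ruleset is loaded.

```python
import re
from collections import defaultdict

# Constructed sample: the ruleset quoted in the thread, one rule per line.
SAMPLE_RULES = """\
*mangle
-A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
-A router -j CLASSIFY --set-class 1:21
-A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
-A router -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Parse '-A CHAIN <matches> -j TARGET <target opts>' lines from an
    iptables-save style dump. Returns {chain: [(matches, target, opts), ...]}
    in file order. Table headers (*mangle), COMMIT and other lines are skipped."""
    chains = defaultdict(list)
    for raw in dump.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        chain = tokens[1]
        if "-j" not in tokens:
            continue  # a rule without a target never changes classification
        j = tokens.index("-j")
        matches = tokens[2:j]          # everything before -j is match criteria
        target = tokens[j + 1] if j + 1 < len(tokens) else ""
        opts = tokens[j + 2:]          # e.g. ['--set-class', '1:21']
        chains[chain].append((matches, target, opts))
    return dict(chains)


def shadowed_rules(chains):
    """Return (chain, catch_all_index, specific_index) for every rule with no
    match criteria that precedes, in the same chain, a rule *with* match
    criteria jumping to the same target. Whether the later rule still takes
    effect depends on the target, so this is a lint, not a verdict."""
    findings = []
    for chain, rules in chains.items():
        for i, (m_i, t_i, _) in enumerate(rules):
            if m_i:
                continue
            for k in range(i + 1, len(rules)):
                m_k, t_k, _ = rules[k]
                if m_k and t_k == t_i:
                    findings.append((chain, i, k))
    return findings


def reorder_specific_first(chains):
    """Move each flagged catch-all rule directly after the last specific rule
    that shares its target; all other rules keep their relative order."""
    out = {}
    for chain, rules in chains.items():
        flagged = {i for _, i, _ in shadowed_rules({chain: rules})}
        ordered = [r for i, r in enumerate(rules) if i not in flagged]
        for i in sorted(flagged):
            target = rules[i][1]
            last = max(idx for idx, r in enumerate(ordered) if r[0] and r[1] == target)
            ordered.insert(last + 1, rules[i])
        out[chain] = ordered
    return out


def render(chains):
    """Emit the chains back as iptables-save style '-A' lines."""
    lines = []
    for chain, rules in chains.items():
        for matches, target, opts in rules:
            lines.append(" ".join(["-A", chain, *matches, "-j", target, *opts]))
    return lines


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for chain, catch_all, specific in shadowed_rules(parsed):
        print(f"{chain}: catch-all rule {catch_all} precedes specific rule {specific}")
    print("\n".join(render(reorder_specific_first(parsed))))
```

Run against the sample, the lint reports the "router" chain and the reordered output lists the layer-7 rule before the 1:21 catch-all, which is the ordering both replies asked for. Catch-all rules with a different target (the trailing `-j ACCEPT`) are left where they are, since moving those can change policy rather than just classification.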