Marking packets: order is important?

Marking packets: order is important?

[Arrizabalaga, Saioa]

I am analysing the script written in the ADSL-Bandwith-Management-HOWTO
I found in www.tldp.org.

It marks all the packets depending on the ports they use, for example:

iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 \
-j MARK --set-mark 23     # Default for low port traffic 
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 20 \
-j MARK --set-mark 26     # ftp-data port, low prio

But as far as I can see, the packet that matches the second rule,
matches the first rule as well, so, I guess that when this packet is
marked by the first rule (--set-mark 23), follows the chain, sees that
it also matches the second rule and then it is marked again with the new
value(--set-mark 26). 

I would like someone to confirm this. If all this is true, the most
specific rules should be placed at the end, am I right?

Regards,

Saioa Arrizabalaga 

Re: Marking packets: order is important?

[George Alexandru Dragoi]

Yes, as the comments say, the first rule just make sure everything
gets marked with 23, unless the packets also match the next rules, and
they are marked again. the MARK target does not stop the packets
"walking" throught the chain, only DROP, ACCEPT, RETURN and others,
but these 3 are most used.

On Thu, 16 Sep 2004 10:51:16 +0200, Arrizabalaga, Saioa
<sarrizabalaga@ceit.es> wrote:
> 
> I am analysing the script written in the ADSL-Bandwith-Management-HOWTO
> I found in www.tldp.org.
> 
> It marks all the packets depending on the ports they use, for example:
> 
> iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 \
> -j MARK --set-mark 23     # Default for low port traffic
> iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 20 \
> -j MARK --set-mark 26     # ftp-data port, low prio
> 
> But as far as I can see, the packet that matches the second rule,
> matches the first rule as well, so, I guess that when this packet is
> marked by the first rule (--set-mark 23), follows the chain, sees that
> it also matches the second rule and then it is marked again with the new
> value(--set-mark 26).
> 
> I would like someone to confirm this. If all this is true, the most
> specific rules should be placed at the end, am I right?
> 
> Regards,
> 
> Saioa Arrizabalaga
> 
> 



-- 
Bla bla

Re: Marking packets: order is important?

[Jose Maria Lopez]

El jue, 16 de 09 de 2004 a las 10:51, Arrizabalaga, Saioa escribió:
> I am analysing the script written in the ADSL-Bandwith-Management-HOWTO
> I found in www.tldp.org.
> 
> It marks all the packets depending on the ports they use, for example:
> 
> iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 \
> -j MARK --set-mark 23     # Default for low port traffic 
> iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 20 \
> -j MARK --set-mark 26     # ftp-data port, low prio
> 
> But as far as I can see, the packet that matches the second rule,
> matches the first rule as well, so, I guess that when this packet is
> marked by the first rule (--set-mark 23), follows the chain, sees that
> it also matches the second rule and then it is marked again with the new
> value(--set-mark 26). 
> 
> I would like someone to confirm this. If all this is true, the most
> specific rules should be placed at the end, am I right?
> 
> Regards,
> 
> Saioa Arrizabalaga 

Yes, you are right, the last mark is the one that remains
when the last rule is applied, so you must order your mark
rules from the more general to the more specific ones.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"