From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sven Schuster
Subject: Re: MARK and ! question
Date: Thu, 26 Jun 2003 17:22:19 +0200
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <3EFB0FAB.2010105@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Errors-To: netfilter-admin@lists.netfilter.org
To: Chris Wilson
Cc: Ruslan Spivak, netfilter@lists.netfilter.org

Chris Wilson wrote:

>I think the ruleset above is wrong: the '!' should not be present here.
>Allow me to explain the packet traversal when the same rules are used, but
>with "!" removed:

Yeah, you're right, sorry... need more coffee ;-))

>iptables -t mangle -N setmark
>iptables -t mangle -A setmark -s 193.220.70.0/27 -d 193.220.70.32/27 \
>    -j RETURN
>iptables -t mangle -A setmark -s 193.108.240.0/22 -d 193.220.70.32/27 \
>    -j RETURN
>iptables -t mangle -A setmark -j MARK --set-mark 107
>iptables -t mangle -A POSTROUTING -j setmark
>
>1. Packet enters POSTROUTING
>2. Packet jumps to "setmark" chain
>3. Packets having source address matching "193.220.70.0/27" are RETURNed
>   to POSTROUTING
>4. Packets having source address matching "193.108.240.0/22" are RETURNed
>   to POSTROUTING
>5. (now ONLY packets which do NOT have either of these source addresses
>   are still in the "setmark" chain)
>6. All packets (still in the "setmark" chain) are marked with 107
>7. Packets fall off the end of the "setmark" chain and return to
>   POSTROUTING (but they are now marked)
>8. Packets fall off the end of POSTROUTING and continue through the kernel
>   (presumably to be delivered to a network device)
>
>Cheers, Chris.

Sven
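The traversal Chris walks through above can be checked without a root shell or a netfilter kernel. The following is an added example, not code from the thread: a small Python simulator of chain traversal covering only the targets this ruleset uses (a jump to a user-defined chain, RETURN, and the non-terminating MARK). It encodes the corrected ruleset from the quoted message as CHAINS, so you can feed it source/destination pairs and see which ones come out with mark 107. Note that both RETURN rules match on source and destination, so a packet from 193.220.70.0/27 to an address outside 193.220.70.32/27 is still marked. INVERTED_CHAINS is a hypothetical variant of my own, with the '!' assumed to be on the -s of the first rule (the thread does not show where the '!' originally sat); it is there only to illustrate how a negated match flips which packets get marked. Packet addresses in the test calls are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One iptables rule: optional -s/-d CIDR matches (with '!' flags) and a target."""
    target: str                        # "RETURN", "MARK", or a user-defined chain name
    src: Optional[str] = None          # -s CIDR; None means "match any source"
    dst: Optional[str] = None          # -d CIDR; None means "match any destination"
    src_invert: bool = False           # '!' in front of -s
    dst_invert: bool = False           # '!' in front of -d
    mark: Optional[int] = None         # --set-mark value, for target == "MARK"

    def matches(self, src: str, dst: str) -> bool:
        def one(cidr: Optional[str], addr: str, invert: bool) -> bool:
            if cidr is None:
                return True
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
            return hit != invert       # '!' negates the address match
        return one(self.src, src, self.src_invert) and one(self.dst, dst, self.dst_invert)


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0                      # skb->mark starts at 0 for a fresh packet


def traverse(chains: Dict[str, List[Rule]], chain: str, pkt: Packet) -> None:
    """Walk one chain, the way the netfilter core does for this subset of targets.

    RETURN ends traversal of the current chain and hands control back to the
    calling chain (or ends the built-in chain). MARK is non-terminating: it sets
    the mark and the packet continues with the next rule. A jump to a user chain
    resumes at the next rule of the caller once the callee returns or falls off
    its end.
    """
    for rule in chains[chain]:
        if not rule.matches(pkt.src, pkt.dst):
            continue
        if rule.target == "RETURN":
            return
        if rule.target == "MARK":
            pkt.mark = rule.mark
            continue
        if rule.target in chains:
            traverse(chains, rule.target, pkt)
            continue
        raise ValueError(f"unsupported target {rule.target!r} in chain {chain!r}")
    # Falling off the end of a user chain behaves like RETURN.


# The corrected ruleset from the quoted message (mangle table).
CHAINS: Dict[str, List[Rule]] = {
    "POSTROUTING": [Rule(target="setmark")],
    "setmark": [
        Rule(target="RETURN", src="193.220.70.0/27", dst="193.220.70.32/27"),
        Rule(target="RETURN", src="193.108.240.0/22", dst="193.220.70.32/27"),
        Rule(target="MARK", mark=107),
    ],
}

# Hypothetical variant (assumption, not the thread's ruleset): '!' on -s of the
# first RETURN rule. Shows how a stray negation inverts which packets escape the MARK.
INVERTED_CHAINS: Dict[str, List[Rule]] = {
    "POSTROUTING": [Rule(target="setmark")],
    "setmark": [
        Rule(target="RETURN", src="193.220.70.0/27", dst="193.220.70.32/27", src_invert=True),
        Rule(target="RETURN", src="193.108.240.0/22", dst="193.220.70.32/27"),
        Rule(target="MARK", mark=107),
    ],
}


def mark_for(src: str, dst: str, chains: Dict[str, List[Rule]] = CHAINS) -> int:
    """Return the mark a packet from src to dst carries after leaving POSTROUTING."""
    pkt = Packet(src, dst)
    traverse(chains, "POSTROUTING", pkt)
    return pkt.mark


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for s, d in [("193.220.70.5", "193.220.70.40"),   # rule 1: RETURN, unmarked
                 ("193.108.241.9", "193.220.70.50"),  # rule 2: RETURN, unmarked
                 ("10.0.0.1", "193.220.70.40"),       # neither: marked 107
                 ("193.220.70.5", "8.8.8.8")]:        # src excepted but dst not: marked
        print(f"{s} -> {d}: mark {mark_for(s, d)}  (with '!': {mark_for(s, d, INVERTED_CHAINS)})")
```

The fourth sample flow is the one worth noticing when reading steps 3 to 5 of the quoted walkthrough: the exception rules are source-and-destination matches, so traffic from the excepted source networks to any destination outside 193.220.70.32/27 is still marked. If the intent is to exempt those sources entirely, drop the -d from the RETURN rules.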