From: Philip Craig <philipc@snapgear.com>
To: kaiwen <cal_kaiwen@hotmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Match packet mark with --set-mark to ip rule fwmark
Date: Wed, 07 Jan 2004 16:17:13 +1000
Message-ID: <3FFBA469.9080205@snapgear.com>
In-Reply-To: <LAW11-OE14FjwUbowDp0001e8e9@hotmail.com>
kaiwen wrote:
> (2)[root@g root]# ip ro show table test2
> prohibit 192.168.8.88
> prohibit 192.168.250.197
>
> (3) [root@g root]# iptables -t mangle -L
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> MARK all -- anywhere anywhere MARK set 0x5
But you changed both the IP address for the prohibit *and* the
chain the mark is in. So you still won't get packets that match
both. Just change one or the other.
That is, if you want to drop an incoming ping packet, then the
prohibit must specify a local IP, and the mark rule must be in
the PREROUTING chain. If you want to drop an outgoing ping packet,
then the prohibit must specify a remote IP, and the mark rule must
be in the OUTPUT chain. You could also just always put the mark
rule in both PREROUTING and OUTPUT.
Here's another option: change the mark rule so that it specifies
the source or destination, and also change the prohibit to be
'prohibit any'.
> Take a look at ip rule: the first rule routes all packets to table local,
> which has a route for 192.168.8.0/24. Is it true that once there is one rule
> which matches the packet, it will route according to it? If so, I remove
> the route from table local and put it at table test2, which is
> Configurations B.
Yes, it will use the first route that matches. Note that moving the
route to table test2 will break routing for packets that don't use
table test2. You probably want to move it to table main.
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
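The pairing Philip describes above (mark rule in the chain that actually sees the packet, prohibit route on the address the routing lookup will use) as an added example; this is not code from the thread or from either poster. It assumes iptables and iproute2 are installed, that the policy routing table id 100 is free (a name such as test2 also works if it is defined in /etc/iproute2/rt_tables), and it reuses the two addresses from the thread's output as constructed sample values. Set DRY_RUN=1 to print the commands instead of executing them; applying them requires root.

```shell
#!/bin/sh
# Added example (not from the thread): pair a fwmark-based 'prohibit' route
# with a mangle MARK rule in the chain that the packet actually traverses.
# Incoming packets pass through PREROUTING and never OUTPUT; locally
# generated packets pass through OUTPUT and never PREROUTING. The prohibit
# route is matched against the packet's destination, so for an incoming ping
# it must name a local address and for an outgoing ping a remote address.

# Execute a command, or print it when DRY_RUN=1 (no root needed to inspect).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_rules DIRECTION IP MARK TABLE
#   DIRECTION: "in"  - drop incoming packets addressed to local address IP
#              "out" - drop outgoing packets addressed to remote address IP
#   MARK:      fwmark value set by the mangle rule (e.g. 0x5)
#   TABLE:     policy routing table that holds only the prohibit route
mark_rules() {
    direction=$1
    ip=$2
    mark=$3
    table=$4
    case "$direction" in
        in)
            # Unconditional mark, as in the thread's setup; it lives in
            # PREROUTING because that is the only chain incoming traffic hits.
            run iptables -t mangle -A PREROUTING -j MARK --set-mark "$mark"
            ;;
        out)
            # Same unconditional mark, but in OUTPUT for locally generated traffic.
            run iptables -t mangle -A OUTPUT -j MARK --set-mark "$mark"
            ;;
        *)
            echo "mark_rules: direction must be 'in' or 'out', got '$direction'" >&2
            return 1
            ;;
    esac
    # Marked packets consult TABLE first; anything the prohibit does not match
    # falls through to the later rules (table main) as usual.
    run ip rule add fwmark "$mark" table "$table"
    run ip route add prohibit "$ip" table "$table"
}

# Usage (prints the commands; drop DRY_RUN=1 to apply them as root):
#   DRY_RUN=1 mark_rules in  192.168.8.88    0x5 100   # sample local address
#   DRY_RUN=1 mark_rules out 192.168.250.197 0x5 100   # sample remote address
```

The unconditional MARK rule means every packet through that chain gets the mark and a lookup in table 100; since that table only contains the prohibit route, unaffected traffic simply falls through to table main. The alternative Philip mentions, restricting the MARK rule with -s or -d and using 'prohibit any' in the table, is the same idea with the address test moved from the route into the netfilter rule.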