MARK targets all non-terminating?

MARK targets all non-terminating?

[Jan Engelhardt]

Hello list,


I just noticed that the CLASSIFY and MARK targets are non-terminating 
(as are CONNSECMARK and SECMARK as I grep). Even though that is probably 
the intended default thing, I have one setup where the following rules 
are present:

-t mangle -A POSTROUTING -p icmp -j CLASSIFY --set-class 1:10
-t mangle -A POSTROUTING -p udp -j CLASSIFY --set-class 1:11
-t mangle -A POSTROUTING -p tcp -j CLASSIFY --set-class 1:12
-t mangle -A POSTROUTING -j CLASSIFY --set-class 1:20

All packets get classified as 1:20. Per source code of xt_CLASSIFY.c 
this is justified. So what I would need is (awkward construct ahead!)

-t mangle -A POSTROUTING -p icmp -j CLASSIFY --set-class 1:10
-t mangle -A POSTROUTING -p icmp -j RETURN
-t mangle -A POSTROUTING -p udp -j CLASSIFY --set-class 1:11
-t mangle -A POSTROUTING -p udp -j RETURN
-t mangle -A POSTROUTING -p tcp -j CLASSIFY --set-class 1:12
-t mangle -A POSTROUTING -p tcp -j RETURN
-t mangle -A POSTROUTING -j CLASSIFY --set-class 1:20

Is not there a better way to do this without specifying all matches twice?


	-`J'
-- 

Re: MARK targets all non-terminating?

[Tom Eastep]

[-- Attachment #1: Type: text/plain, Size: 371 bytes --]

Jan Engelhardt wrote:

> 
> Is not there a better way to do this without specifying all matches twice?
> 

Put the default rule first.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: MARK targets all non-terminating?

[Jan Engelhardt]

On Dec 6 2006 12:29, Tom Eastep wrote:
>Jan Engelhardt wrote:
>> 
>> Is not there a better way to do this without specifying all matches twice?
>
>Put the default rule first.

Heh, okay. That example was probably just an example.
This is the actual ruleset, so what could be a good approach - one 
without creating extra chains perhaps?

-A POSTROUTING -p icmp -m icmp --icmp-type any -j CLASSIFY --set-class 0001:0010 
-A POSTROUTING -p icmp -m state --state RELATED -j CLASSIFY --set-class 0001:0010 
-A POSTROUTING -p tcp -m tcp -m multiport --dports 53,123 -j CLASSIFY --set-class 0001:0010 
-A POSTROUTING -p udp -m udp -m multiport --dports 53,500 -j CLASSIFY --set-class 0001:0010 
-A POSTROUTING -p ah -j CLASSIFY --set-class 0001:0010 
-A POSTROUTING -d 192.168.254.200 -j CLASSIFY --set-class 0001:0011 
-A POSTROUTING -s 192.168.254.200 -j CLASSIFY --set-class 0001:0011 
-A POSTROUTING -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 0001:0012 
-A POSTROUTING -p tcp -m tcp --dport 5900:5909 -j CLASSIFY --set-class 0001:0013 
-A POSTROUTING -p tcp -m tcp -m multiport --dports 1494,3389 -j CLASSIFY --set-class 0001:0013 
-A POSTROUTING -m state --state RELATED -j CLASSIFY --set-class 0001:0013 
-A POSTROUTING -p tcp -m tcp -m multiport --dports 443,80 -j CLASSIFY --set-class 0001:0014 
-A POSTROUTING -p tcp -m tcp -m multiport --dports 995,993,465,25,110,143 -j CLASSIFY --set-class 0001:0015 
-A POSTROUTING -p tcp -m tcp --dport 21 -j CLASSIFY --set-class 0001:0016 
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j CLASSIFY --set-class 0001:0016 


	-`J'
--