From: Patrick McHardy
Subject: Re: MARK targets all non-terminating
Date: Wed, 10 Jan 2007 13:56:05 +0100
Message-ID: <45A4E265.2060600@trash.net>
References: <459AA3B2.4010008@shorewall.net> <45A4D7D9.6030208@ufomechanic.net>
To: Jan Engelhardt
Cc: Netfilter Developer Mailing List, Amin Azez, Tom Eastep
List-Id: netfilter-devel.vger.kernel.org

Jan Engelhardt wrote:
> On Jan 10 2007 12:11, Amin Azez wrote:
>
>> It's not just mark and terminate, but mark and return.
>> It can be managed with --goto and -j RETURN and a subchain.
>
> That is not the issue here. We _do_ want to terminate. Consider this faulty
> (shadowing) ruleset:
>
> -t mangle -A POSTROUTING -s 10.0.0.0 -j CLASSIFY --set-class 1:16
> -t mangle -A POSTROUTING -p tcp -j CLASSIFY --set-class 1:17
>
> which will cause TCP traffic to 10.0.0.0 to become 1:17 rather than the
> intended 1:16. Using an extra chain with ACCEPT solves it; with RETURN: no.

It does if you use a subchain as Amin suggested, and it allows you to do
additional mangling.
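An added illustration of the traversal semantics the thread argues about; this is example code written for this page, not code from the thread or from netfilter. It is a small Python model of how a built-in chain is walked (CLASSIFY and MARK non-terminating, ACCEPT terminating, RETURN leaving a user chain, and -g differing from -j in where a later RETURN lands, per the iptables(8) description of --goto) and runs four rulesets through it: Jan's flat one, per-class subchains with RETURN, the same with ACCEPT, and a classification subchain that dispatches with -g. The chain names (classify, c16, c17) and the trailing MARK rule standing in for "additional mangling" are assumptions of the example.

```python
"""Toy model of netfilter chain traversal (added example, not netfilter code).
Chain names and the MARK rule that stands in for later mangling are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    proto: str
    classid: Optional[str] = None  # written by CLASSIFY
    mark: int = 0                  # written by MARK

@dataclass
class Rule:
    match: Callable[["Packet"], bool]
    target: str        # CLASSIFY, MARK, ACCEPT, RETURN, JUMP (-j chain), GOTO (-g chain)
    arg: object = None # class id, mark value, or chain name

Ruleset = Dict[str, List[Rule]]

def traverse(chains: Ruleset, base: str, pkt: Packet) -> str:
    """Walk built-in chain `base` for pkt, mutating it; return the verdict."""
    stack: List[Tuple[str, int]] = []  # return addresses, pushed only by -j
    chain, idx = base, 0
    while True:
        rules = chains[chain]
        if idx >= len(rules):           # fell off the end: implicit RETURN
            if not stack:
                return "ACCEPT"         # base chain policy (mangle: ACCEPT)
            chain, idx = stack.pop()
            continue
        rule = rules[idx]
        idx += 1
        if not rule.match(pkt):
            continue
        if rule.target == "CLASSIFY":
            pkt.classid = rule.arg      # non-terminating: keep going
        elif rule.target == "MARK":
            pkt.mark = rule.arg         # non-terminating: keep going
        elif rule.target == "ACCEPT":
            return "ACCEPT"             # terminates the whole base chain
        elif rule.target == "RETURN":
            if not stack:
                return "ACCEPT"
            chain, idx = stack.pop()
        elif rule.target == "JUMP":
            stack.append((chain, idx))  # -j: remember where to come back to
            chain, idx = rule.arg, 0
        elif rule.target == "GOTO":
            chain, idx = rule.arg, 0    # -g: no frame, so RETURN goes one level up
        else:
            raise ValueError(f"unknown target {rule.target}")

def run(chains: Ruleset, pkt: Packet) -> Tuple[str, Optional[str], int]:
    return traverse(chains, "POSTROUTING", pkt), pkt.classid, pkt.mark

def any_(p: Packet) -> bool: return True
def src_10(p: Packet) -> bool: return p.src == "10.0.0.0"  # -s 10.0.0.0
def is_tcp(p: Packet) -> bool: return p.proto == "tcp"      # -p tcp

# 1. Jan's flat ruleset: both CLASSIFY rules are non-terminating, so the
#    -p tcp rule overwrites the -s 10.0.0.0 one (the shadowing).
FLAT: Ruleset = {
    "POSTROUTING": [Rule(src_10, "CLASSIFY", "1:16"),
                    Rule(is_tcp, "CLASSIFY", "1:17"),
                    Rule(any_, "MARK", 1)],
}
# 2. Per-class subchains entered with -j and left with RETURN: RETURN lands
#    right after the jump, so the -p tcp rule still runs ("with RETURN: no").
PER_CLASS_RETURN: Ruleset = {
    "POSTROUTING": [Rule(src_10, "JUMP", "c16"), Rule(is_tcp, "JUMP", "c17"),
                    Rule(any_, "MARK", 1)],
    "c16": [Rule(any_, "CLASSIFY", "1:16"), Rule(any_, "RETURN")],
    "c17": [Rule(any_, "CLASSIFY", "1:17"), Rule(any_, "RETURN")],
}
# 3. Same with ACCEPT: no shadowing, but the later MARK rule is never reached.
PER_CLASS_ACCEPT: Ruleset = {
    "POSTROUTING": [Rule(src_10, "JUMP", "c16"), Rule(is_tcp, "JUMP", "c17"),
                    Rule(any_, "MARK", 1)],
    "c16": [Rule(any_, "CLASSIFY", "1:16"), Rule(any_, "ACCEPT")],
    "c17": [Rule(any_, "CLASSIFY", "1:17"), Rule(any_, "ACCEPT")],
}
# 4. One classification subchain entered with -j, dispatching with -g. Falling
#    off the end of c16 returns to POSTROUTING (the -j caller), not to the next
#    rule of classify, so nothing shadows and MARK still runs. As iptables rules:
#      -t mangle -A POSTROUTING -j classify
#      -t mangle -A POSTROUTING -j MARK --set-mark 1
#      -t mangle -A classify -s 10.0.0.0 -g c16
#      -t mangle -A classify -p tcp -g c17
#      -t mangle -A c16 -j CLASSIFY --set-class 1:16
#      -t mangle -A c17 -j CLASSIFY --set-class 1:17
GOTO_SUBCHAIN: Ruleset = {
    "POSTROUTING": [Rule(any_, "JUMP", "classify"), Rule(any_, "MARK", 1)],
    "classify": [Rule(src_10, "GOTO", "c16"), Rule(is_tcp, "GOTO", "c17")],
    "c16": [Rule(any_, "CLASSIFY", "1:16")],
    "c17": [Rule(any_, "CLASSIFY", "1:17")],
}

if __name__ == "__main__":
    for name, rs in [("flat", FLAT), ("-j + RETURN", PER_CLASS_RETURN),
                     ("-j + ACCEPT", PER_CLASS_ACCEPT), ("-j then -g", GOTO_SUBCHAIN)]:
        print(f"{name:12s}", run(rs, Packet("10.0.0.0", "tcp")))
```

Running it for TCP from 10.0.0.0 gives 1:17 for the flat and the -j/RETURN rulesets (shadowed), 1:16 with mark 0 for the ACCEPT variant (terminated before the later mangling), and 1:16 with mark 1 for the -g dispatch, which is the combination the reply above describes: the per-class chain terminates the classification step, yet POSTROUTING continues.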