Linux Netfilter discussions
From: Andrew Beverley <andy@andybev.com>
To: E2IA <e2ia.ci@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: mark and accept in a single rule
Date: Sun, 20 Feb 2011 17:18:30 +0000
Message-ID: <1298222310.12048.40.camel@andybev>
In-Reply-To: <AANLkTimO0tqE4ftCtBLv1n+X6hdJqQANEh7vicz_NL50@mail.gmail.com>

On Sun, 2011-02-20 at 16:10 +0000, E2IA wrote:
> 
> 2011/2/20 Andrew Beverley <andy@andybev.com>:
> > On Sun, 2011-02-20 at 15:13 +0000, E2IA wrote:
> >> Hi all, I'd like to know if it is possible to mark a packet and accept in
> >> a single iptables rule.
> >
> > There shouldn't be any need to do this.
> >
> >> I've these 2 rules:
> >>
> >> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 \
> >>     --l7proto yahoo -j MARK --set-mark 74
> >> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 74 \
> >>     -j ACCEPT
> >>
> >> but it seems that the second rule is never matched.
> >
> > The second rule *should* be matched. What makes you think that it is
> > not? Remember: a packet ACCEPTed in one chain can be DROPed later.
> >
> > It might be worth you posting your complete set of rules.
> >

[ Top posting fixed ]

> Hi, here is my complete rule set:
> #!/bin/bash
> # Script: shaping marker config
> /usr/local/sbin/iptables -t mangle -F FORWARD
> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 \
>     --l7proto yahoo -j MARK --set-mark 74
> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 74 \
>     -j ACCEPT

<snip>

> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 \
>     --l7proto http -j MARK --set-mark 9
> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 9 -j ACCEPT

<snip>

> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 \
>     --l7proto finger -j MARK --set-mark 6
> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 6 -j ACCEPT
> /usr/local/sbin/iptables -t mangle -A FORWARD -j ACCEPT
> # End
> 
> When using Yahoo Messenger, it is http, skype and finger which are
> matched, even though yahoo is the first rule.
> But when I keep the yahoo rule alone, yahoo is matched when using Yahoo Messenger.
> 

It's been a while since I played with l7-filter, but I suppose it could
be something to do with the way that it is classifying packets (it
sometimes has to see a significant amount of data before it matches some
protocols).

You might want to try the following for your rules instead, but if your
problem is something to do with l7-filter then it may not help:

iptables -t mangle -A FORWARD -m mark --mark 0 \
	-m layer7 --l7proto yahoo -j MARK --set-mark 74
iptables -t mangle -A FORWARD -m mark --mark 0 \
	-m layer7 --l7proto http -j MARK --set-mark 9

This will only match and mark packets if they haven't already been
marked. The disadvantage of this is that all packets will traverse all
rules making it less efficient.

If you still can't get it to work, you should maybe try asking over at
the l7-filter project.

Andy
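To make the two rule layouts in this thread concrete, here is an added example (not code from the thread or from iptables itself) that models netfilter chain traversal in Python: MARK is a non-terminating target, ACCEPT ends traversal of the chain, and the `-m mark --mark 0` guard leaves already-marked packets alone. The `Packet` and `Rule` classes, the `l7`/`mark_is` predicates and the rule sets are constructed for this illustration; l7-filter's own classification behaviour is not modelled.

```python
# Toy model of iptables chain traversal (constructed for this example).
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str      # what l7-filter has classified the connection as
    mark: int = 0   # fwmark; 0 means "not yet marked"

@dataclass
class Rule:
    match: object   # predicate: Packet -> bool
    target: str     # "MARK" (non-terminating) or "ACCEPT" (terminating)
    set_mark: int = 0

def l7(proto):           # models: -m layer7 --l7proto <proto>
    return lambda p: p.proto == proto

def unmarked_l7(proto):  # models: -m mark --mark 0 -m layer7 --l7proto <proto>
    return lambda p: p.mark == 0 and p.proto == proto

def mark_is(value):      # models: -m mark --mark <value>
    return lambda p: p.mark == value

def traverse(chain, pkt):
    """Return (verdict, rules_evaluated); falling off the end of the chain
    means the chain policy applies ("POLICY")."""
    evaluated = 0
    for rule in chain:
        evaluated += 1
        if not rule.match(pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = rule.set_mark      # non-terminating: keep going
        elif rule.target == "ACCEPT":
            return "ACCEPT", evaluated    # stop traversing this chain
    return "POLICY", evaluated

# The poster's layout: MARK followed by "-m mark --mark N -j ACCEPT" pairs.
PAIRS = [Rule(l7("yahoo"), "MARK", 74), Rule(mark_is(74), "ACCEPT"),
         Rule(l7("http"), "MARK", 9), Rule(mark_is(9), "ACCEPT"),
         Rule(lambda p: True, "ACCEPT")]

# The suggested layout: mark only still-unmarked packets, no ACCEPT at all.
GUARDED = [Rule(unmarked_l7("yahoo"), "MARK", 74),
           Rule(unmarked_l7("http"), "MARK", 9)]

def final_mark(chain, proto, initial_mark=0):
    pkt = Packet(proto, initial_mark)
    traverse(chain, pkt)
    return pkt.mark
```

Running `traverse` over both chains shows the trade-off from the reply: the paired layout stops after two rules for a yahoo packet, while the guarded layout evaluates every rule for every packet but never overwrites a mark that was set earlier.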


