Why REJECT target is not supported with MANGLE ?

Why REJECT target is not supported with MANGLE ?

[S?ébastien Cramatte]

Hello,

Why REJECT target  is not supported with MANGLE ?


My server is running debian etch4 with 2.6.22 kernel  and setuped as 
traffic shaper + transparent bridge

The command with connlimit  bellow won't work and return me "Invalid 
Argument"

iptables  -t mangle -N mytable
iptables --table mangle --append POSTROUTING --out-interface br0 --match 
physdev --physdev-is-bridged --physdev-out eth0 --jump  mytable

iptables  -t mangle -A mytable --proto tcp --match connlimit 
--connlimit-above 15 --connlimit-mask 32 --jump REJECT
iptables  -t mangle -A mytable --jump CLASSIFY --set-class 1:10

How can I achieve this kind of setup ?

Regards

Re: Why REJECT target is not supported with MANGLE ?

[Gáspár Lajos]

S?ébastien Cramatte írta:
> Hello,
>
> Why REJECT target  is not supported with MANGLE ?
>
>
> My server is running debian etch4 with 2.6.22 kernel  and setuped as 
> traffic shaper + transparent bridge
>
> The command with connlimit  bellow won't work and return me "Invalid 
> Argument"
>
> iptables  -t mangle -N mytable
> iptables --table mangle --append POSTROUTING --out-interface br0 
> --match physdev --physdev-is-bridged --physdev-out eth0 --jump  mytable
>
> iptables  -t mangle -A mytable --proto tcp --match connlimit 
> --connlimit-above 15 --connlimit-mask 32 --jump REJECT
> iptables  -t mangle -A mytable --jump CLASSIFY --set-class 1:10
>
> How can I achieve this kind of setup ?
I would drop those packets in a filter table...

INPUT/filter
OUTPUT/filter
FORWARD/filter


Is there any good reason not to do that?

Swifty

Re: Why REJECT target is not supported with MANGLE ?

[Michele Petrazzo - Unipex srl]

S?ébastien Cramatte wrote:
> Hello,
> 
> Why REJECT target  is not supported with MANGLE ?
> 
> 

I'm a iptables guru, but mangle it's there for "mangling packets", not
for filter them. filter tables are for that!

> My server is running debian etch4 with 2.6.22 kernel  and setuped as
>  traffic shaper + transparent bridge
> 
> The command with connlimit  bellow won't work and return me "Invalid
>  Argument"
> 
> iptables  -t mangle -N mytable iptables --table mangle --append
> POSTROUTING --out-interface br0 --match physdev --physdev-is-bridged
> --physdev-out eth0 --jump  mytable
> 
> iptables  -t mangle -A mytable --proto tcp --match connlimit 
> --connlimit-above 15 --connlimit-mask 32 --jump REJECT iptables  -t
> mangle -A mytable --jump CLASSIFY --set-class 1:10
> 
> How can I achieve this kind of setup ?
> 

DROP_MARK="0x10"
iptables -t mangle -N table_mark
iptables  -t mangle -A mytable --proto tcp --match connlimit
  --connlimit-above 15 --connlimit-mask 32 --jump table_mark
iptables -t mangle -A table_mark -j MARK --set-mark $DROP_MARK
iptables -t filter -m mark --mark $DROP_MARK -j REJECT

the "-t filter" parameter are optional, but I wrote it for say to you
that this is the right place where kernel make the filter!

http://www.faqs.org/docs/iptables/mangletable.html

Michele