From: Born Without <blackhole@airpost.net>
To: netfilter@vger.kernel.org
Cc: richard lucassen <mailinglists@lucassen.org>
Subject: Re: [mangle table] end rule
Date: Mon, 14 Jan 2013 21:58:34 +0100
Message-ID: <50F4717A.9010608@airpost.net>
In-Reply-To: <20130114214225.4a10201014b466ebf87eba94@lucassen.org>
On 14.01.2013 21:42, richard lucassen wrote:
> I have these two rules in this order:
>
> iptables -t mangle -i eth0 -d 10.0.0.0/24 -j CONNMARK --set-mark 1
> iptables -t mangle -i eth0 -d 10.0.0.2 -j CONNMARK --set-mark 2
>
> This site
> http://www.linode.com/wiki/index.php/Netfilter_IPTables_Mini_Howto#mangle_Table
> says:
>
> <quote>
> It is important to notice when making rules that whichever rule matches
> first will be the target for the packet and no other rules will be
> checked.
> </quote>
>
> As far as I understand the English language, this means that a packet
> towards 10.0.0.2 will be marked "1" and not "2" as the first rule
> matches and thus the other rules will not be tested.
>
> But in practice, destination 10.0.0.2 will be marked with "2" in the
> order mentioned above. This is not what the site says.
>
> Question: is a mangle rule really an end rule as the site suggests? Or
> is this not true ("man iptables" says nothing about it AFAICS). Or is
> it true and do I have to report a bug?
That depends if the target is a "non-terminating target" or not.
i.e.
MARK, CONNMARK, LOG are non-terminating.
ACCEPT, DROP, RETURN are.
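
Added example, not part of the original message and not netfilter code: a small Python model of one chain's traversal, showing why the two CONNMARK rules above leave mark 2 on traffic to 10.0.0.2, and how a terminating rule gives first-match behaviour. The function name, rule tuples and the ACCEPT policy are assumptions made for illustration; RETURN is modelled as falling back to the chain policy.

```python
import ipaddress

# Targets that stop traversal of the current chain, as listed in the reply.
TERMINATING = {"ACCEPT", "DROP", "RETURN"}

def traverse(rules, dst, policy="ACCEPT"):
    """Walk one chain for a packet to dst.

    rules: list of (destination network, target, argument) tuples (hypothetical format).
    Returns (connmark, verdict for this chain, numbers of the rules that matched).
    """
    addr = ipaddress.ip_address(dst)
    mark, matched = 0, []
    for number, (net, target, arg) in enumerate(rules, start=1):
        if addr not in ipaddress.ip_network(net):
            continue
        matched.append(number)
        if target in TERMINATING:
            # Terminating target: no later rule in this chain is checked.
            verdict = policy if target == "RETURN" else target
            return mark, verdict, matched
        if target == "CONNMARK":
            # Non-terminating: apply the side effect, then keep walking.
            mark = arg
        # Other non-terminating targets (LOG, ...) have no effect in this model.
    return mark, policy, matched

# The two rules from the question, in the order given (constructed tuples).
ORIGINAL = [
    ("10.0.0.0/24", "CONNMARK", 1),
    ("10.0.0.2/32", "CONNMARK", 2),
]

# Same rules reversed: the broader rule now runs last and overwrites the mark.
REVERSED = list(reversed(ORIGINAL))

# First-match behaviour: follow the specific mark with a terminating rule.
FIRST_MATCH = [
    ("10.0.0.2/32", "CONNMARK", 2),
    ("10.0.0.2/32", "ACCEPT", None),
    ("10.0.0.0/24", "CONNMARK", 1),
]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("reversed", REVERSED),
                        ("first-match", FIRST_MATCH)):
        print(name, traverse(chain, "10.0.0.2"), traverse(chain, "10.0.0.7"))
```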