Re: Re: what's wrong?

Linux Advanced Routing and Traffic Control

On Thu, 2007-02-22 at 14:30 +0100, francesco messineo wrote:
> On 2/22/07, francesco messineo <francesco.messineo@xxxxxxxxx> wrote:
> > # iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT
> >
> > iptables v1.3.3: Bad MARK value `!'
> >
> >
> > I'm puzzled, what's wrong with this syntax?
> > kernel is 2.6.15.7-ubuntu1

Not all extensions support all types of matching. Looks like MARK
doesn't support an inverse match.

If you want the same effect redirect all traffic to another chain, and
within that chain RETURN if you match a 0, and then with a subsequent
rule ACCEPT any other packets. This way if packets are MARKed 0 then
they will carry on traversing the table, otherwise they will be ACCEPTed.

# create and fill the user chain first, then add the jump to it
# (the jump flag is lower-case -j)
iptables -t mangle -N new_chain
iptables -t mangle -A new_chain -m mark --mark 0 -j RETURN
iptables -t mangle -A new_chain -j ACCEPT
iptables -t mangle -A POSTROUTING -j new_chain


> also tried with a 2.6.20.1 compiled from source and same result.
> I also can't make these two rules work:
> 
> 
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
> 
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> 
> both fail with:
> 
> iptables: Invalid argument

Looks like your iptables (or your kernel?) doesn't support CONNMARK.
What version of iptables do you have?

Andy Beverley
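The chain traversal Andy describes, as an added toy model (not from the original post and not iptables code): a packet marked 0 hits RETURN in new_chain and continues with the next POSTROUTING rule, while any other mark is ACCEPTed inside new_chain and never reaches it. `LATER_RULE` is a constructed stand-in for whatever rule follows the jump, and `inverse_match_chain` generalises the trick to any mark value, not just 0.

```python
# Minimal model of netfilter chain traversal: enough to show why a
# sub-chain with "RETURN on the value, ACCEPT otherwise" behaves like
# the unsupported inverse match "--mark ! <value>".
ACCEPT, RETURN = "ACCEPT", "RETURN"
LATER_RULE = "LATER_RULE"   # constructed terminating target: "rest of chain"


def rule(match=None, target=ACCEPT):
    """match: None (match every packet) or the fwmark value to match."""
    return {"match": match, "target": target}


def inverse_match_chain(mark):
    """Sub-chain equivalent to '-m mark ! --mark <mark> -j ACCEPT'."""
    return [rule(match=mark, target=RETURN), rule(target=ACCEPT)]


def traverse(chains, chain, mark, trace):
    """Walk `chain` for a packet carrying `mark`. Returns the terminating
    verdict, or None if the packet falls off the end of the chain.
    `trace` collects (chain, rule index) for every rule that matched."""
    for idx, r in enumerate(chains[chain]):
        if r["match"] is not None and r["match"] != mark:
            continue                      # rule does not match, next rule
        trace.append((chain, idx))
        target = r["target"]
        if target == RETURN:
            return None                   # back to the caller's next rule
        if target in chains:              # jump into a user-defined chain
            verdict = traverse(chains, target, mark, trace)
            if verdict is not None:
                return verdict            # sub-chain terminated the packet
            continue                      # sub-chain RETURNed: carry on here
        return target                     # ACCEPT or other terminating target
    return None


# Andy's mangle-table layout plus one rule after the jump that should
# only ever be reached by packets whose mark is 0.
MANGLE = {
    "POSTROUTING": [rule(target="new_chain"), rule(target=LATER_RULE)],
    "new_chain": inverse_match_chain(0),
}


def verdict_for(mark):
    """Return (verdict, trace) for a packet with the given fwmark."""
    trace = []
    return traverse(MANGLE, "POSTROUTING", mark, trace), trace
```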


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
