Pascal Hambourg wrote:
> Hello,
>
> Patrick McHardy wrote:
>>
>> Ah, I see the problem. The route returns unreachable, which
>> iptable_mangle translates to NF_DROP. The problem is that
>> netfilter itself can't return ENETUNREACH and there is no
>> valid output function attached to the dst_entry that would
>> send an icmp unreachable. I think the only thing you could
>> do is manually call icmp_send(ICMP_DEST_UNREACH) in
>> ip_route_me_harder for this case.
>
> What about the REJECT target?

Correct me if I'm mistaken, but the REJECT target is only valid in the filter table. But the packet does not reach the filter table because of the reasons described by Patrick (as we DROP it after mangle). It is clearly observed by me when I insert LOG into the filter table.