Jan Engelhardt wrote:
On Tuesday 2008-03-25 03:28, Jan Engelhardt wrote:
None of my packets that were supposed to have that "3" mark ever kept
them. For some reason, they either never were marked or they were
marked and then the mark disappeared.
I can reproduce it. [...]
Now that is indeed interesting. I had this thought, maybe the mark
does not disappear, maybe ebtables is run -- contrary to most graphics
depicting the netfilter flow -- _after_ iptables. So I tried:
iptables -t mangle -A POSTROUTING -j LOG --log-prefix "[ipt] " -d 134.76.13.21
ebtables -A OUTPUT -p ipv4 --ip-destination 134.76.13.21 --log --log-prefix "[ebt] "
with the result of:
[214961.190130] [ipt] IN= OUT=br0 SRC=10.10.106.161 DST=134.76.13.21 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59252 SEQ=1
[214961.190186] [ebt] IN= OUT=sis0 MAC source = 00:0a:e6:98:ed:d7 MAC dest = 68:a8:3e:d3:d0:fb proto = 0x0800
which means ebtables actually comes after iptables, and hence, your
mark 3 will not show up as you expected.
Indeed, on output bridge netfilter will run after IPv4 netfilter.
Does that explain things?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
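The ordering check from the thread, packaged as an added example (not code from the thread or from the netfilter project): a pure function that takes kernel log text and reports which of the two LOG rules fired first by timestamp, plus a probe function that installs the same iptables/ebtables log rules, sends one ping and collects the log. The function names, the sample log text (the two lines quoted above, reproduced here as constructed input) and the leading-space normalisation for newer dmesg output are assumptions of this example; the probe needs root, a bridge configured as in the thread, and the iptables/ebtables binaries.

```shell
#!/bin/sh
# Added example, not from the thread: decide from dmesg timestamps whether the
# iptables mangle/POSTROUTING LOG rule or the ebtables OUTPUT --log rule ran
# first for locally generated traffic leaving through a bridge.

# Constructed sample: the two log lines quoted in the thread. On newer kernels
# dmesg pads the timestamp, e.g. "[  214961.190130]", which hook_order handles.
SAMPLE_LOG='[214961.190130] [ipt] IN= OUT=br0 SRC=10.10.106.161 DST=134.76.13.21 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59252 SEQ=1
[214961.190186] [ebt] IN= OUT=sis0 MAC source = 00:0a:e6:98:ed:d7 MAC dest = 68:a8:3e:d3:d0:fb proto = 0x0800'

# hook_order LOGTEXT: print the [ipt]/[ebt] tags in timestamp order, one per
# line. Lines without one of the two log prefixes are ignored.
hook_order() {
    printf '%s\n' "$1" \
    | sed 's/^\[ *//' \
    | awk '/^[0-9.]+\] \[(ipt|ebt)\] / {
              ts = $1; sub(/\]$/, "", ts)        # strip the closing bracket
              tag = $2; gsub(/\[|\]/, "", tag)   # "[ipt]" -> "ipt"
              print ts, tag
          }' \
    | sort -n -k1,1 \
    | awk '{ print $2 }'
}

# first_hook LOGTEXT: print "ipt" or "ebt", whichever hook logged first.
first_hook() {
    hook_order "$1" | head -n 1
}

# probe DST: install the two log rules from the thread for DST, send one ICMP
# echo request, read the kernel log, remove the rules again and print the log.
# Requires root and a bridge set up as in the thread; not run here.
probe() {
    dst="$1"
    iptables -t mangle -A POSTROUTING -d "$dst" -j LOG --log-prefix "[ipt] "
    ebtables -A OUTPUT -p ipv4 --ip-destination "$dst" --log --log-prefix "[ebt] "
    ping -c 1 "$dst" >/dev/null 2>&1 || true
    log=$(dmesg | grep -E '\[(ipt|ebt)\] ')
    ebtables -D OUTPUT -p ipv4 --ip-destination "$dst" --log --log-prefix "[ebt] "
    iptables -t mangle -D POSTROUTING -d "$dst" -j LOG --log-prefix "[ipt] "
    printf '%s\n' "$log"
}

# Stand-alone run: evaluate the sample from the thread. To check a live box,
# replace SAMPLE_LOG with "$(probe 134.76.13.21)" (as root).
hook_order "$SAMPLE_LOG"
echo "first hook: $(first_hook "$SAMPLE_LOG")"
```

On the sample from the thread `first_hook` prints `ipt`, i.e. the iptables mangle/POSTROUTING rule logged before the ebtables OUTPUT rule, which is the ordering the thread concludes; a mark set by ebtables OUTPUT is therefore not yet present when iptables POSTROUTING runs on this path.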