On Mon 31/05/2004 at 09:24, Ming-Ching Tiew wrote:
> I have many iptables setmark commands, but as soon
> as there is one match, I would like to skip all the rest.
> How to do this.
>
> -------not-working-not-mark-zero-is-not-accepted---------
> iptables -t mangle -A PREROUTING ..... -j MARK --set-mark .....
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING ..... -j MARK --set-mark .....
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING ..... -j MARK --set-mark .....
> --------------------end-----------------------------------

Why don't you just match the mark the packet has been given?

iptables -t mangle -A PREROUTING ..... -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m mark --mark 1 -j ACCEPT
iptables -t mangle -A PREROUTING ..... -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
[...]

I think your ruleset does not work because a packet without a mark will
match your non-zero mark rule. I mean that no mark is different than 0,
so all packets will match the first "-m mark ! --mark 0" rule.

iptables -t mangle -A PREROUTING -j MARK --set-mark 0
iptables -t mangle -A PREROUTING ..... -j MARK --set-mark .....
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING ..... -j MARK --set-mark .....
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
[...]

> Since it is not working, I change it to :-
> Assuming I have AND-ed all the mark together to obtain the MASK,
[...]
> Wonder if it will work ?

Well, it should work.

> My next question is should I use -j ACCEPT or -j RETURN ?

RETURN should not be used within builtin chains. Moreover, both have the
same effect if used in a builtin chain.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
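The two "mark then ACCEPT" layouts from the reply above, and the ACCEPT-versus-RETURN question, come down to how a packet walks a builtin chain: an unmarked packet starts with fwmark 0, MARK is a non-terminating target so traversal continues after it, ACCEPT stops the walk, and RETURN in a builtin chain hands the packet to the chain policy. The following is an added simulation written for this page, not code from the thread or from the netfilter project: it models that traversal for the reply's two rulesets so the "skip all the rest after the first match" behaviour can be traced rule by rule. The `dport(...)` selector is an assumed stand-in for the `.....` match conditions the original poster elided; the ports and packets are constructed for the example.

```python
"""Simulate iptables traversal of a builtin chain (e.g. mangle PREROUTING)
for MARK / ACCEPT / RETURN rules, using the rulesets from the reply above."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Verdict = Tuple[str, int, List[int]]  # (final verdict, final mark, indices of rules that matched)


@dataclass
class Packet:
    dport: int
    mark: int = 0  # a packet that has never been marked carries fwmark 0


@dataclass
class Rule:
    match: Callable[["Packet"], bool]
    target: str                  # "MARK", "ACCEPT" or "RETURN"
    set_mark: Optional[int] = None


def dport(port: int) -> Callable[[Packet], bool]:
    """Assumed stand-in for the '.....' selectors in the thread: match a destination port."""
    return lambda p: p.dport == port


def mark(value: int, mask: int = 0xFFFFFFFF, invert: bool = False) -> Callable[[Packet], bool]:
    """Models '-m mark [!] --mark value/mask': compare the masked mark, optionally negated."""
    return lambda p: ((p.mark & mask) == (value & mask)) != invert


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Verdict:
    """Walk a builtin chain top to bottom and return the verdict, mark and matched rules."""
    hits: List[int] = []
    for i, rule in enumerate(rules):
        if not rule.match(pkt):
            continue
        hits.append(i)
        if rule.target == "MARK":
            pkt.mark = rule.set_mark          # non-terminating: keep walking the chain
        elif rule.target == "ACCEPT":
            return "ACCEPT", pkt.mark, hits   # terminating: later rules are skipped
        elif rule.target == "RETURN":
            return policy, pkt.mark, hits     # builtin chain: RETURN falls back to the policy
    return policy, pkt.mark, hits             # end of chain: the policy decides


# First ruleset from the reply: set a distinct value, then match that exact value.
EXACT_RULES = [
    Rule(dport(80), "MARK", set_mark=1),   # ..... -j MARK --set-mark 1
    Rule(mark(1), "ACCEPT"),               # -m mark --mark 1 -j ACCEPT
    Rule(dport(22), "MARK", set_mark=2),   # ..... -j MARK --set-mark 2
    Rule(mark(2), "ACCEPT"),               # -m mark --mark 2 -j ACCEPT
]

# Second ruleset from the reply: clear the mark first, then match "! --mark 0".
NONZERO_RULES = [
    Rule(lambda p: True, "MARK", set_mark=0),   # -j MARK --set-mark 0
    Rule(dport(80), "MARK", set_mark=1),        # ..... -j MARK --set-mark .....
    Rule(mark(0, invert=True), "ACCEPT"),       # -m mark ! --mark 0 -j ACCEPT
    Rule(dport(22), "MARK", set_mark=2),        # ..... -j MARK --set-mark .....
    Rule(mark(0, invert=True), "ACCEPT"),       # -m mark ! --mark 0 -j ACCEPT
]


def with_return(rules: List[Rule]) -> List[Rule]:
    """Same ruleset with every ACCEPT replaced by RETURN (the poster's last question)."""
    return [Rule(r.match, "RETURN" if r.target == "ACCEPT" else r.target, r.set_mark)
            for r in rules]


def trace(rules: List[Rule], port: int) -> Verdict:
    """Send a constructed packet with the given destination port through the chain."""
    return run_chain(rules, Packet(dport=port))


if __name__ == "__main__":
    for name, rules in (("exact", EXACT_RULES), ("nonzero", NONZERO_RULES)):
        for port in (80, 22, 443):
            print(name, port, trace(rules, port))
```

Each trace lists the indices of the rules that fired: a port-80 packet hits its MARK rule and the ACCEPT right after it, so the port-22 rules are never evaluated, which is exactly the "skip all the rest" the poster wanted; a packet matching nothing leaves the chain with mark 0 under the policy. The `with_return` variant yields the same verdicts in a builtin chain with the default ACCEPT policy, which is the reply's point about ACCEPT and RETURN having the same effect there.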