>
> Why don't you just match the mark the packet has been given?
>
> iptables -t mangle -A PREROUTING ..... -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m mark --mark 1 -j ACCEPT
> iptables -t mangle -A PREROUTING ..... -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT

Understand, but what if I have something on top:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

I don't know what the mark value is, but I want to return as soon as the mark has been restored.

>
> I think your ruleset does not work because a packet without a mark will
> match your non-zero mark rule. I mean that no mark is different than 0,
> so all packets will match the first "-m mark ! --mark 0" rule.

No, it does not work because the syntax is rejected! I tried with "-m mark --mark ! 0", it is always rejected.

>
> > My next question is should I use -j ACCEPT or -j RETURN?
>
> RETURN should not be used within builtin chains. Moreover, both have the
> same effect if used in a builtin chain.

Point taken. Thanks.
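The "restore the connection mark first, then leave the chain as soon as a non-zero mark is present" pattern discussed in this thread, written out as a complete mangle ruleset in iptables-restore format. This is an added example, not code from anyone in the thread; the classification rules (ports 80 and 22 mapped to marks 1 and 2) are constructed samples. It uses the negation syntax current iptables accepts, `-m mark ! --mark 0` (the `!` precedes the option; the older `--mark ! 0` form is no longer accepted by modern iptables), and emits the ruleset to stdout so it can be reviewed or syntax-checked before anything is applied to a live firewall.

```shell
#!/bin/sh
# Emit a mangle-table ruleset (iptables-restore format). Comment lines are
# ignored by iptables-restore, so the file can be fed to it unchanged.
mangle_rules() {
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
# 1. Copy any mark previously saved on the conntrack entry onto this packet.
-A PREROUTING -j CONNMARK --restore-mark
# 2. Connection already classified: stop here. On a builtin chain ACCEPT and
#    RETURN both just end traversal, so ACCEPT is used. Note "! --mark 0":
#    the negation goes before --mark in current iptables syntax.
-A PREROUTING -m mark ! --mark 0 -j ACCEPT
# 3. Classify the first packet of a new connection (constructed sample rules).
-A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
-A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
# 4. Persist the packet mark on the connection so step 1 finds it next time.
-A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
COMMIT
EOF
}

# Number of -A rules in the generated set (a reviewer's sanity check).
rule_count() {
  mangle_rules | grep -c '^-A'
}

# 1-based position of the early-exit rule among the -A rules. It must sit
# right after the restore-mark rule, otherwise every packet of an already
# classified connection would fall through to the classification rules.
early_accept_rule_index() {
  mangle_rules | grep '^-A' | grep -n -- '-j ACCEPT' | head -1 | cut -d: -f1
}

# Optional: parse the ruleset with iptables-restore without committing it
# (needs the iptables userspace tools and normally CAP_NET_ADMIN). To apply
# it for real, replace --test with --noflush.
check_syntax() {
  if command -v iptables-restore >/dev/null 2>&1; then
    mangle_rules | iptables-restore --test
  else
    echo "iptables-restore not available; skipping syntax check" >&2
  fi
}

# Print the ruleset when run directly.
mangle_rules
```

Because the early-exit rule is evaluated immediately after the CONNMARK restore, only the first packet of each connection reaches the classification rules; later packets match `! --mark 0` and leave the chain, which is the behaviour asked for above.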