Re: CLASSIFY target confusion

On Saturday 2005-September-10 13:08, Deepak Seshadri wrote:
> Here is a snippet from my script:

Perhaps it's a minor and insignificant detail, but the terminology is 
wrong; these are iptables-save(8) rules, not a script.

> *mangle
> -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
> -A router -j CLASSIFY --set-class 1:21
> -A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
> -A router -j ACCEPT
>
> As you see above:
> - All packets from 10.0.2.x will jump to the chain "router"
> - Here it gets classified to TC's class 1:21

And at that point they are finished in the mangle table POSTROUTING 
chain, and out they go.

> - But if the packet matches the layer-7 policy "exe", it will get
> classified to TC's class 1:23

Unless matched by the first rule, which all traffic does match.

> the class 1:21. Could someone please help me here?

Always assume that any target is a terminating one, unless documented 
otherwise. Reverse the order of the first and second rules, and you 
will get what you want.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

