Hi Deepak,

Give it a try after moving the general rule (1:21) after the specific exe rule. I am not completely sure whether the CLASSIFY target accepts the last matching rule or the first rule.

Regards,
Vinod C

> Hello everybody,
> Here is a snippet from my script:
>
> *mangle
> -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j router
> -A router -j CLASSIFY --set-class 1:21
> -A router -p tcp --dport 80 -m layer7 --l7proto exe -j CLASSIFY --set-class 1:23
> -A router -j ACCEPT
>
> As you see above:
> - All packets from 10.0.2.x will jump to the chain "router"
> - Here it gets classified to TC's class 1:21
> - But if the packet matches the layer-7 policy "exe", it will get
>   classified to TC's class 1:23
> - Accepted
>
> What happens is:
> Those packets that match the "exe" pattern do not get classified to
> 1:23. They still go through 1:21. I thought the packets matching the
> "exe" pattern will take the CLASSIFY target mentioned on the third line
> (1:23). Even though they match the third rule, they still retain the
> class 1:21. Could someone please help me here?
>
> Through conntrack I verified that the connections are being detected by
> the exe pattern matching rule but that connection still flows through
> the 1:21 class.
>
> Thank you,
> Deepak