Hi Jan.

Thanks for your answer. But I think I wasn't that clear. I did a simple test and I found that both rules below matched.

Consider this simple scenario:

First of all: file before.pcap

Then drop all output :(
iptables -P OUTPUT DROP

Allow outgoing ICMP, accept.pcap:
iptables -A OUTPUT -t filter -p icmp -j ACCEPT

Mangle in POSTROUTING (change TTL), ttl.pcap:
iptables -t mangle -A POSTROUTING -p icmp -j TTL --ttl-dec 10
iptables -t mangle -A POSTROUTING -p icmp -j TTL --ttl-dec 10

Scenario 2: The same happens when:

// did not work
iptables -t mangle -A PREROUTING -p icmp -j TTL --ttl-dec 10
// now another rule - it changed only in postrouting :(
iptables -t mangle -A PREROUTING -p icmp -j TOS --set-tos 0x10
// drops everything, right away.
iptables -A INPUT -t filter -p icmp -j DROP

On Wed, May 14, 2008 at 6:29 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
> On Wednesday 2008-05-14 22:21, Jürgen Rochol wrote:
>>
>>Putting in a simple way, is the packet evaluated under a unique single
>>rule list or several rules lists -- one for each chain?
>
> Sieve principle. What has not matched falls through
> until it finally matches (and takes a terminating action).
> Much like, uh, filters.
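As an added illustration (not part of the original thread and not netfilter's own code), the Python sketch below models a packet walking one rule list per table/chain in hook order, which is why a match in filter OUTPUT and a match in mangle POSTROUTING can both be recorded for the same packet. The hook order is simplified to the tables used in the thread (raw and nat are left out), and the starting TTL of 64 is a constructed sample value.

```python
# Simplified model of netfilter traversal (assumption: only the hooks and
# tables used in the thread; raw/nat tables and routing are left out).
TERMINATING = {"ACCEPT", "DROP"}          # end traversal of the current chain
PATHS = {                                  # (table, chain) order per direction
    "out": [("mangle", "OUTPUT"), ("filter", "OUTPUT"), ("mangle", "POSTROUTING")],
    "in":  [("mangle", "PREROUTING"), ("mangle", "INPUT"), ("filter", "INPUT")],
}

def traverse(direction, rules, policies, packet):
    """Return (verdict, packet, hits); hits lists every rule that matched."""
    pkt, hits = dict(packet), []
    for table, chain in PATHS[direction]:
        verdict = policies.get((table, chain), "ACCEPT")   # chain policy
        for proto, target, arg in rules.get((table, chain), []):
            if proto != pkt["proto"]:
                continue                   # sieve: no match, fall through
            hits.append((table, chain, target))
            if target == "TTL":            # --ttl-dec: modify, keep going
                pkt["ttl"] -= arg
            elif target == "TOS":          # --set-tos: modify, keep going
                pkt["tos"] = arg
            elif target in TERMINATING:
                verdict = target
                break                      # stops this chain only
        if verdict == "DROP":
            return "DROP", pkt, hits       # a drop ends the whole path
    return "ACCEPT", pkt, hits

def scenario_1():
    # Rules as listed in the post (the TTL rule appears twice there).
    rules = {("filter", "OUTPUT"): [("icmp", "ACCEPT", None)],
             ("mangle", "POSTROUTING"): [("icmp", "TTL", 10), ("icmp", "TTL", 10)]}
    policies = {("filter", "OUTPUT"): "DROP"}      # iptables -P OUTPUT DROP
    return traverse("out", rules, policies, {"proto": "icmp", "ttl": 64, "tos": 0})

def scenario_2():
    rules = {("mangle", "PREROUTING"): [("icmp", "TTL", 10), ("icmp", "TOS", 0x10)],
             ("filter", "INPUT"): [("icmp", "DROP", None)]}
    return traverse("in", rules, {}, {"proto": "icmp", "ttl": 64, "tos": 0})

if __name__ == "__main__":
    for name, fn in (("scenario 1", scenario_1), ("scenario 2", scenario_2)):
        verdict, pkt, hits = fn()
        print(name, verdict, pkt, hits)
```

On a live host, the per-rule packet counters from `iptables -t filter -L OUTPUT -v -n` and `iptables -t mangle -L POSTROUTING -v -n` show the same thing: each table/chain keeps its own counters for the same packet.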