sorry, I wasn't supposed to be sent yet.

On Thu, May 15, 2008 at 10:10 AM, Jürgen Rochol <juergen.rox@xxxxxxxxx> wrote:
> Hi Jan.
>
> Thanks for your answer.
>
> But I think I wasn't that clear.
>
> I did a simple test and I found that both rules below matched.
>
> Consider this simple scenario:
>
> First of all: file before.pcap
>
> then drop all output :(
> iptables -P OUTPUT DROP
>
> Allow outgoing ICMP, accept.pcap:
> iptables -A OUTPUT -t filter -p icmp -j ACCEPT
>
> Mangle in POSTROUTING (change TTL), ttl.pcap:
> iptables -t mangle -A POSTROUTING -p icmp -j TTL --ttl-dec 10
>
> Scenario 2:
> The same happens when:
> //didn't work
> iptables -t mangle -A PREROUTING -p icmp -j TTL --ttl-dec 10
>
> //now another rule - changed only in postrouting :(
> iptables -t mangle -A PREROUTING -p icmp -j TOS --set-tos 0x10
>
> //drops everything, straight away.
> iptables -A INPUT -t filter -p icmp -j DROP
>
> On Wed, May 14, 2008 at 6:29 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>>
>> On Wednesday 2008-05-14 22:21, Jürgen Rochol wrote:
>>>
>>> Putting it in a simple way, is the packet evaluated under a unique single
>>> rule list or several rule lists -- one for each chain?
>>
>> Sieve principle. What has not matched falls through
>> until it finally matches (and takes a terminating action).
>> Much like, uh, filters.
>>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
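The point Jan makes (and the result Jürgen observed, both rules matching) comes down to two facts: each table's chain at a hook is its own rule list, and only ACCEPT/DROP-style targets end a chain, while TTL and TOS are non-terminating targets that modify the packet and let evaluation continue. The following toy model is an added example written for this thread; it is not code from the netfilter project or from either poster. The hook order in the two path lists follows the standard iptables table order for a locally generated and a locally delivered packet, and the packets fed through it are constructed sample values; both are assumptions of the example, not something the thread states.

```python
"""Toy model of netfilter chain traversal (added example, not from the thread).

Sieve principle: within one chain, rules are tried top to bottom; a rule whose
match fails is skipped; a matching non-terminating target (TTL, TOS, ...)
applies its effect and evaluation continues; ACCEPT ends that chain only and
the packet moves on to the next hook; DROP ends everything.  Because every
(table, chain) pair is a separate list, one packet can match in filter/OUTPUT
and again in mangle/POSTROUTING.  Hook paths below are this example's
assumption (standard iptables table order), not stated by the thread.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Locally generated packet: OUTPUT hooks, then POSTROUTING hooks.
LOCAL_OUT_PATH = [("raw", "OUTPUT"), ("mangle", "OUTPUT"), ("nat", "OUTPUT"),
                  ("filter", "OUTPUT"), ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
# Packet addressed to this host: PREROUTING hooks, then INPUT hooks.
LOCAL_IN_PATH = [("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                 ("mangle", "INPUT"), ("filter", "INPUT")]


@dataclass
class Packet:
    proto: str
    ttl: int = 64
    tos: int = 0


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str
    effect: Optional[Callable[[Packet], None]] = None  # side effect of a non-terminating target
    text: str = ""                                     # the iptables rule, for the trace


class Ruleset:
    def __init__(self) -> None:
        self.chains: dict = {}    # (table, chain) -> list of Rule
        self.policies: dict = {}  # (table, chain) -> "ACCEPT" or "DROP"

    def policy(self, table: str, chain: str, verdict: str) -> None:
        self.policies[(table, chain)] = verdict

    def add(self, table: str, chain: str, rule: Rule) -> None:
        self.chains.setdefault((table, chain), []).append(rule)

    def walk(self, pkt: Packet, path) -> tuple:
        """Return (final verdict, list of rules the packet matched, in hook order)."""
        hits = []
        for table, chain in path:
            for rule in self.chains.get((table, chain), []):
                if not rule.match(pkt):
                    continue                    # sieve: fall through to the next rule
                hits.append(f"{table}/{chain}: {rule.text}")
                if rule.effect:
                    rule.effect(pkt)            # TTL/TOS modify the packet, then keep going
                if rule.target == "DROP":
                    return "DROP", hits         # later hooks never see a dropped packet
                if rule.target == "ACCEPT":
                    break                       # ends this chain only; next hook still runs
            else:
                # no terminating rule matched: the chain policy decides
                if self.policies.get((table, chain), "ACCEPT") == "DROP":
                    return "DROP", hits
        return "ACCEPT", hits


def is_icmp(p: Packet) -> bool:
    return p.proto == "icmp"


def ttl_dec(n: int) -> Callable[[Packet], None]:
    return lambda p: setattr(p, "ttl", p.ttl - n)


def set_tos(value: int) -> Callable[[Packet], None]:
    return lambda p: setattr(p, "tos", value)


def output_scenario() -> tuple:
    """Thread's first test: OUTPUT policy DROP, ICMP accepted, TTL mangled on the way out."""
    rs = Ruleset()
    rs.policy("filter", "OUTPUT", "DROP")                                        # iptables -P OUTPUT DROP
    rs.add("filter", "OUTPUT", Rule(is_icmp, "ACCEPT", text="-p icmp -j ACCEPT"))
    rs.add("mangle", "POSTROUTING", Rule(is_icmp, "TTL", ttl_dec(10), "-p icmp -j TTL --ttl-dec 10"))
    icmp, tcp = Packet("icmp"), Packet("tcp")   # constructed sample packets
    icmp_verdict, icmp_hits = rs.walk(icmp, LOCAL_OUT_PATH)
    tcp_verdict, tcp_hits = rs.walk(tcp, LOCAL_OUT_PATH)
    return icmp_verdict, icmp_hits, icmp.ttl, tcp_verdict, tcp_hits


def input_scenario() -> tuple:
    """Thread's second test: TTL and TOS mangled in PREROUTING, then ICMP dropped in filter/INPUT."""
    rs = Ruleset()
    rs.add("mangle", "PREROUTING", Rule(is_icmp, "TTL", ttl_dec(10), "-p icmp -j TTL --ttl-dec 10"))
    rs.add("mangle", "PREROUTING", Rule(is_icmp, "TOS", set_tos(0x10), "-p icmp -j TOS --set-tos 0x10"))
    rs.add("filter", "INPUT", Rule(is_icmp, "DROP", text="-p icmp -j DROP"))
    pkt = Packet("icmp")                        # constructed sample packet
    verdict, hits = rs.walk(pkt, LOCAL_IN_PATH)
    return verdict, hits, pkt.ttl, pkt.tos


if __name__ == "__main__":
    print("local out:", output_scenario())
    print("local in: ", input_scenario())
```

Running it shows the outbound ICMP packet matching twice (filter/OUTPUT ACCEPT, then mangle/POSTROUTING TTL, leaving TTL 54) and being accepted, while a TCP packet hits the OUTPUT DROP policy and never reaches POSTROUTING at all, so no mangle rule fires for it. In the inbound scenario both PREROUTING rules apply before filter/INPUT drops the packet. One caveat when checking this with pcap files on the same host: a local capture of incoming traffic is taken before the PREROUTING hooks run, so modifications made there are not visible in that capture, whereas outgoing traffic is captured after POSTROUTING, which is why TTL changes made on the way out do show up.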