Hi,

Now it goes my scenario. What I found is that the same packet is evaluated not only by the first match, but by ALL matches.

Suppose you have two PCs (PC1 and PC2). PC1 only sends continuously ping packets (icmp echo request) to PC2, which answers it, depending on the rules. So, if you have:

A) iptables -P OUTPUT DROP

   * PC1 does not receive any answer -> OK, no problem, this is the default policy.

B) iptables -P OUTPUT DROP
   iptables -A OUTPUT -t filter -p icmp -j ACCEPT

   * PC1 receives the reply. This is because on the OUTPUT chain there's a rule saying: OK, accept it. And this is the FIRST to be evaluated on the OUTPUT chain, so it is expected to be like this.

C) iptables -P OUTPUT DROP
   iptables -A OUTPUT -t filter -p icmp -j ACCEPT
   iptables -t mangle -A POSTROUTING -p icmp -j TTL --ttl-dec 10

   What happens now?

   * PC1 receives the reply. This is the *first match* for this packet (as in B). So that's OK.
   * But another thing happens: PC1 receives the reply with TTL decremented. So the 3rd rule above was also evaluated. That is, for the same packet, 2 rules were applied. I thought that only the first match should be evaluated.

Moreover, if you add:

   iptables -t mangle -A POSTROUTING -p icmp -j TOS --set-tos 0x10

it will also be evaluated and PC1 will receive packets with ToS changed.

In short, for the same packet, what you have is:

   1 evaluation in the OUTPUT chain.
   2 evaluations in the POSTROUTING chain.

The experiments show that netfilter/iptables evaluates all rules for a single packet and executes all actions, and does not stop on the first match. But what I read everywhere is that *the evaluation stops at the first match*, which seems to be wrong.

Am I getting it wrong? Is it supposed to be like this?

Thanks
Jürgen

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
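The traversal the post describes, as an added toy model in Python (not code from the post or from the netfilter project): "first match wins" applies within one chain and only to terminating targets (ACCEPT, DROP, REJECT), while TTL and TOS are non-terminating targets sitting in a different chain (mangle POSTROUTING) that a locally generated packet reaches after filter OUTPUT has accepted it. The model assumes only those two chains; real traversal also visits mangle/nat OUTPUT and nat POSTROUTING.

```python
# Toy model of netfilter rule traversal (added example, not code from the post).
# Only the two chains the post exercises are modelled: filter OUTPUT, then
# mangle POSTROUTING; real traversal also visits mangle/nat OUTPUT and nat POSTROUTING.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def ttl_dec(n):
    """Model of -j TTL --ttl-dec n: subtract n from the TTL, keep evaluating."""
    return lambda pkt: pkt.__setitem__("ttl", pkt["ttl"] - n)

def set_tos(value):
    """Model of -j TOS --set-tos value: overwrite the ToS byte, keep evaluating."""
    return lambda pkt: pkt.__setitem__("tos", value)

def run_chain(rules, policy, pkt):
    """Walk one chain top to bottom. A terminating target ends the walk with its
    verdict; a non-terminating target (TTL, TOS, LOG, MARK ...) applies its action
    and evaluation continues with the next rule. No match at all -> chain policy."""
    for match, target, action in rules:
        if not match(pkt):
            continue
        if target in TERMINATING:
            return target
        action(pkt)
    return policy

def send(pkt, filter_output, output_policy, mangle_postrouting):
    """A locally generated packet passes filter OUTPUT; only if accepted there
    does it go on to mangle POSTROUTING on its way out of the box."""
    verdict = run_chain(filter_output, output_policy, pkt)
    if verdict != "ACCEPT":
        return verdict, pkt
    return run_chain(mangle_postrouting, "ACCEPT", pkt), pkt

is_icmp = lambda p: p["proto"] == "icmp"

def scenario_c_plus_tos():
    """Rules from the post: OUTPUT policy DROP, icmp ACCEPT in filter OUTPUT,
    then TTL --ttl-dec 10 and TOS --set-tos 0x10 in mangle POSTROUTING."""
    pkt = {"proto": "icmp", "ttl": 64, "tos": 0}      # constructed echo reply
    filter_output = [(is_icmp, "ACCEPT", None)]
    mangle_post = [(is_icmp, "TTL", ttl_dec(10)), (is_icmp, "TOS", set_tos(0x10))]
    return send(pkt, filter_output, "DROP", mangle_post)

def scenario_first_terminating_match():
    """Within a single chain a terminating match really does stop evaluation:
    a DROP placed before the TTL rule in mangle POSTROUTING means TTL never runs."""
    pkt = {"proto": "icmp", "ttl": 64, "tos": 0}      # constructed echo reply
    filter_output = [(is_icmp, "ACCEPT", None)]
    mangle_post = [(is_icmp, "DROP", None), (is_icmp, "TTL", ttl_dec(10))]
    return send(pkt, filter_output, "DROP", mangle_post)
```

The first scenario leaves the reply accepted with TTL 54 and ToS 0x10, which is the behaviour observed in the post; the second shows the same packet dropped with its TTL untouched.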