Re: Netfilter REAL Rule Match Sequence

On Thu, 15/05/2008 at 11:32 -0300, Jürgen Rochol wrote:
> Hi,
> 
> Now here goes my scenario.
> What I found is that the same packet is evaluated not only by the
> first match, but by ALL matches
> 
> Suppose you have two PCs (PC1 and PC2).
> 
> PC1 only sends ping packets (icmp echo request) continuously to PC2,
> which answers them, depending on the rules.
> 
> So, if you have:
> 
> A) iptables -P OUTPUT DROP
> * PC1 does not receive any answer -> Ok, no problem, this is the default policy
> 
> B) iptables -P OUTPUT DROP and iptables -A OUTPUT -t filter -p icmp
> -j ACCEPT
> * PC1 receives the reply. This is because on the OUTPUT chain there's
> a rule saying: Ok, accept it. And  this is the FIRST to be evaluated
> on OUTPUT chain, so it is expected to be like this.
> 
> C) iptables -P OUTPUT DROP and iptables -A OUTPUT -t filter -p icmp
> -j ACCEPT and iptables -t mangle -A POSTROUTING -p icmp -j TTL
> --ttl-dec 10
> 
> What happens now?
> * PC1 receives the reply. This is the *first match* for this packet
> (as in B). So that's ok.
> * But another thing happens: PC1 receives the reply with TTL decremented.
> So the 3rd rule above was also evaluated. That is, for the same packet,
> 2 rules were applied.
> 
> I thought that only the first match should be evaluated. Moreover, if you add:
> iptables -t mangle -A POSTROUTING -p icmp -j TOS --set-tos 0x10
> 
> it will also be evaluated and PC1 will receive packets with ToS changed.
> 
> In short, for the same packet, what you have is:
> 
> 1 evaluation in OUTPUT chain.
> 2 evaluations in POSTROUTING chain.

The thing is that:

1. The packet is examined in each table in a sequence. So if it
matches a rule in the mangle table it can also match in the filter
table. You should look at the Linux firewall scheme so that you can
understand how packets pass through the firewall.

2. Some targets don't return if matched. An example is -t mangle -j MARK:
it doesn't return! In this case, if you really want to return you should
explicitly return like this:
 #iptables -t mangle -A FORWARD -s IP1 -j MARK --set-mark 10
 #iptables -t mangle -A FORWARD -s IP1 -j RETURN
 #iptables -t mangle -A FORWARD -s IP2 -j MARK --set-mark 11
 #iptables -t mangle -A FORWARD -s IP2 -j RETURN

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
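The traversal described in this reply, as an added example that is not part of the thread: a small Python model of rule order, non-terminating targets and RETURN (a constructed toy, not netfilter's code), run over scenario C from the original mail and over a MARK chain with and without the explicit RETURN. The hook order for a locally generated packet (filter OUTPUT before mangle POSTROUTING) and the catch-all second MARK rule are assumptions made to show the effect.

```python
# Toy model of netfilter chain traversal, constructed for this thread (not
# netfilter code): rule order, terminating vs non-terminating targets, RETURN.

def walk_chain(rules, policy, pkt, log):
    # rules: (match_fn, target, arg). ACCEPT/DROP end the chain; RETURN falls
    # back to the policy; TTL/TOS/MARK change the packet and traversal CONTINUES.
    for match, target, arg in rules:
        if not match(pkt):
            continue
        log.append(target)
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return policy
        if target == "TTL":
            pkt["ttl"] -= arg
        elif target == "TOS":
            pkt["tos"] = arg
        elif target == "MARK":
            pkt["mark"] = arg
    return policy  # fell off the end of the chain: the policy applies

is_icmp = lambda p: p["proto"] == "icmp"

def scenario_c():
    # Scenario C: -P OUTPUT DROP plus ACCEPT icmp in filter OUTPUT, then TTL
    # --ttl-dec 10 and TOS --set-tos 0x10 in mangle POSTROUTING. A locally
    # generated packet walks filter OUTPUT before mangle POSTROUTING (the
    # mangle/nat OUTPUT and nat POSTROUTING chains are empty here).
    chains = [([(is_icmp, "ACCEPT", None)], "DROP"),                       # filter OUTPUT
              ([(is_icmp, "TTL", 10), (is_icmp, "TOS", 0x10)], "ACCEPT")]  # mangle POSTROUTING
    pkt, log = {"proto": "icmp", "ttl": 64, "tos": 0}, []
    for rules, policy in chains:
        if walk_chain(rules, policy, pkt, log) == "DROP":
            return "DROP", log, pkt
    return "ACCEPT", log, pkt  # ('ACCEPT', ['ACCEPT', 'TTL', 'TOS'], ttl 54, tos 16)

def mark_chain(explicit_return):
    # MARK is non-terminating: without RETURN a later catch-all MARK overwrites
    # the mark set for IP1; with the explicit RETURN the chain stops at 10.
    from_ip1 = lambda p: p["src"] == "IP1"
    rules = [(from_ip1, "MARK", 10)]
    if explicit_return:
        rules.append((from_ip1, "RETURN", None))
    rules.append((lambda p: True, "MARK", 11))
    pkt = {"src": "IP1", "mark": 0}
    walk_chain(rules, "ACCEPT", pkt, [])
    return pkt["mark"]  # 11 without RETURN, 10 with RETURN
```

In scenario C the packet collects one verdict in filter OUTPUT and two modifications in mangle POSTROUTING, which is exactly the "1 evaluation in OUTPUT, 2 in POSTROUTING" count from the original mail.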
