On Thursday 2008-05-15 16:32, Jürgen Rochol wrote:

> > C) iptables -P OUTPUT DROP and iptables -A OUTPUT -t filter -p icmp -j ACCEPT
> > and iptables -t mangle -A POSTROUTING -p icmp -j TTL --ttl-dec 10
> >
> > What happens now?
> * PC1 receives the reply. This is the *first match* for this packet
> (as in B). So that's ok.
> * But another thing happens: PC1 receives the reply with TTL decremented.
> So the 3rd rule above was also evaluated. That is, for the same packet,
> 2 rules were applied.

They are different tables. So, all is still correct. Also, TTL is a
non-terminating target, as are most targets designed for the mangle table.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
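The two points in the reply (chains in different tables are walked independently, and TTL does not end evaluation of its chain) are easier to see with a small model of how a locally generated packet, such as the echo reply in case C, passes through the built-in chains. The following is an added Python simulation written for this thread; it is not netfilter code and not from anyone on the list. It assumes the documented hook order for locally generated packets (raw/OUTPUT, mangle/OUTPUT, nat/OUTPUT, filter/OUTPUT, mangle/POSTROUTING, nat/POSTROUTING), a single packet-protocol match, and treats only ACCEPT, DROP and REJECT as terminating verdicts.

```python
# Added simulation of netfilter rule evaluation for a locally generated packet.
# It models the two facts discussed in the reply:
#   1. each (table, chain) pair is evaluated on its own, so one packet can match
#      a rule in filter/OUTPUT and then a rule in mangle/POSTROUTING;
#   2. TTL is non-terminating: after it fires, evaluation continues with the
#      next rule in the same chain.
# This is a toy model, not the kernel's code. Hook order and match semantics
# below are simplified assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Assumed traversal order for packets generated on the host itself.
OUTPUT_PATH = [
    ("raw", "OUTPUT"), ("mangle", "OUTPUT"), ("nat", "OUTPUT"),
    ("filter", "OUTPUT"), ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"),
]


@dataclass
class Rule:
    table: str
    chain: str
    proto: Optional[str]          # None matches any protocol
    target: str
    args: dict = field(default_factory=dict)


@dataclass
class Packet:
    proto: str
    ttl: int
    log: list = field(default_factory=list)   # which rules fired, in order


class Ruleset:
    def __init__(self):
        self.rules = []
        self.policy = {}          # (table, chain) -> default policy

    def set_policy(self, table, chain, policy):
        self.policy[(table, chain)] = policy

    def append(self, rule):
        self.rules.append(rule)

    def walk_chain(self, table, chain, pkt):
        """Evaluate one chain top to bottom; return its verdict."""
        for rule in (r for r in self.rules if r.table == table and r.chain == chain):
            if rule.proto is not None and rule.proto != pkt.proto:
                continue
            pkt.log.append(f"{table}/{chain}: -j {rule.target}")
            if rule.target == "TTL":
                # Non-terminating: modify the packet and keep walking the chain.
                pkt.ttl -= rule.args.get("ttl_dec", 0)
                continue
            if rule.target in TERMINATING:
                return rule.target
        # End of chain: the chain policy decides (built-in chains default to ACCEPT).
        return self.policy.get((table, chain), "ACCEPT")

    def send(self, pkt):
        """Push the packet through every hook in order; DROP ends the trip."""
        for table, chain in OUTPUT_PATH:
            if self.walk_chain(table, chain, pkt) == "DROP":
                pkt.log.append(f"{table}/{chain}: dropped")
                return "DROP"
        return "ACCEPT"


def scenario_c(proto="icmp", ttl=64):
    """Case C from the mail: OUTPUT policy DROP, accept ICMP, decrement TTL by 10."""
    rs = Ruleset()
    rs.set_policy("filter", "OUTPUT", "DROP")
    rs.append(Rule("filter", "OUTPUT", "icmp", "ACCEPT"))
    rs.append(Rule("mangle", "POSTROUTING", "icmp", "TTL", {"ttl_dec": 10}))
    pkt = Packet(proto, ttl)           # constructed sample packet
    return rs.send(pkt), pkt


def scenario_two_ttl(ttl=64):
    """Two TTL rules in one chain: both apply because TTL does not terminate."""
    rs = Ruleset()
    rs.append(Rule("mangle", "POSTROUTING", "icmp", "TTL", {"ttl_dec": 10}))
    rs.append(Rule("mangle", "POSTROUTING", "icmp", "TTL", {"ttl_dec": 1}))
    pkt = Packet("icmp", ttl)
    return rs.send(pkt), pkt


if __name__ == "__main__":
    for verdict, pkt in (scenario_c(), scenario_c("udp"), scenario_two_ttl()):
        print(pkt.proto, verdict, "ttl", pkt.ttl, pkt.log)
```

Running it shows the ICMP reply accepted by filter/OUTPUT and then, separately, rewritten by mangle/POSTROUTING (TTL 64 to 54, two log entries), while a UDP packet never reaches the TTL rule because the filter/OUTPUT policy drops it first; the second scenario shows two TTL rules in the same chain both taking effect.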