Re: transparent proxy

On Sat, Mar 13, 2010 at 09:21:23AM +0100, Mart Frauenlob wrote:
> Amos Jeffries:
> > Please read the Squid FAQ examples of how to configure policy 
> > routing ...
> > 
> > Router:
> >  http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> > 
> > Squid box:
> >  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> I'd like to ask, if in the above examples, the ACCEPT rules need
> to be placed in the mangle table?
> Is there a specific reason, couldn't it be done in the filter
> table?
> As that would be the intended/preferred use for filtering?
> If so, don't the examples teach people 'bad manners'?

I think Mart is misunderstanding the effect of ACCEPT in mangle. It
does not override nor bypass the filter table. It merely means, "we
are done mangling this packet."

The MARK target is one of those sneaky non-terminating targets. A
mark is applied, and the packet continues in that particular chain.
Further -j MARK rules could be applied. The ACCEPT rule prevents
this.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

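The behaviour described in the reply above, as an added example that is not part of the original post and is not iptables code: a simplified Python model of rule traversal in which MARK is non-terminating and ACCEPT ends only the current table. The rule lists, the mark values 3 and 9, and the addresses are constructed for illustration.

```python
# Simplified model of netfilter rule traversal, constructed for illustration.
# It ignores user-defined chains, RETURN, nat, and non-ACCEPT chain policies.

def run_chain(rules, pkt):
    """Walk one table's chain and return that table's verdict."""
    for match, target, arg in rules:
        if not match(pkt):
            continue
        if target == "MARK":
            pkt["mark"] = arg      # non-terminating: keep walking this chain
        else:
            return target          # ACCEPT or DROP ends traversal of this table
    return "ACCEPT"                # end of chain: policy ACCEPT assumed

def traverse(tables, pkt):
    """Pass a packet through the tables in order; return (verdict, mark)."""
    pkt = dict(pkt, mark=0)
    for name, rules in tables:
        if run_chain(rules, pkt) == "DROP":
            return ("DROP:" + name, pkt["mark"])
        # ACCEPT only means "this table is done"; the next table still runs.
    return ("ACCEPT", pkt["mark"])

def is_http(p): return p["dport"] == 80
def is_blocked(p): return p["src"] == "198.51.100.7"   # constructed address
def always(p): return True

MANGLE_WITH_ACCEPT = [
    (is_http, "MARK", 3),
    (is_http, "ACCEPT", None),     # "we are done mangling this packet"
    (always, "MARK", 9),           # a later, broader MARK rule
]
MANGLE_NO_ACCEPT = [r for r in MANGLE_WITH_ACCEPT if r[1] != "ACCEPT"]
FILTER = [(is_blocked, "DROP", None)]

def demo(mangle, src):
    """Send one constructed port-80 packet through mangle, then filter."""
    return traverse([("mangle", mangle), ("filter", FILTER)],
                    {"src": src, "dport": 80})

if __name__ == "__main__":
    print(demo(MANGLE_WITH_ACCEPT, "192.0.2.20"))    # mark set by first rule survives
    print(demo(MANGLE_NO_ACCEPT, "192.0.2.20"))      # later MARK rule overwrites it
    print(demo(MANGLE_WITH_ACCEPT, "198.51.100.7"))  # filter table still drops
```
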