On 13.03.2010 11:05, netfilter-owner@xxxxxxxxxxxxxxx wrote:
> On Sat, Mar 13, 2010 at 09:21:23AM +0100, Mart Frauenlob wrote:
>> Amos Jeffries:
>>> Please read the Squid FAQ examples of how to configure policy
>>> routing ...
>>>
>>> Router:
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>>
>>> Squid box:
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>>
>> I'd like to ask whether, in the above examples, the ACCEPT rules need
>> to be placed in the mangle table.
>> Is there a specific reason? Couldn't it be done in the filter
>> table, as that would be the intended/preferred place for filtering?
>> If so, don't the examples teach people 'bad manners'?
>
> I think Mart is misunderstanding the effect of ACCEPT in mangle. It
> does not override nor bypass the filter table. It merely means, "we
> are done mangling this packet."

ACCEPT in mangle differs from ACCEPT in mangle? Where is that documented?
So you have to ACCEPT it twice, in the mangle and in the filter table?

> The MARK target is one of those sneaky non-terminating targets. A
> mark is applied, and the packet continues in that particular chain.
> Further -j MARK rules could be applied. The ACCEPT rule prevents
> this.

Don't we use the RETURN target for that?
But yes, that implies a problem if you RETURN from a user-defined chain.

Best regards
Mart
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
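Added example, not part of the thread and not netfilter's own code: a small Python model of iptables chain traversal that illustrates the two points argued above. ACCEPT in the mangle table only ends the mangle chain (the packet still meets the filter table), while RETURN from a user-defined chain resumes in the calling chain, where a later -j MARK rule can overwrite the mark. The rule sets, ports and mark values (1 and 2) are constructed for illustration.

```python
# Toy model of iptables chain traversal (constructed for illustration, not
# netfilter code).  Rules are (match, target, argument) tuples.
def run_chain(chains, name, pkt):
    """Walk chain `name`; return ACCEPT/DROP/RETURN, or None if it fell off the end."""
    for match, target, arg in chains[name]:
        if not match(pkt):
            continue
        if target == "MARK":        # non-terminating: set the mark, keep walking
            pkt["mark"] = arg
        elif target == "JUMP":      # -j user_chain; RETURN (or fall-off) resumes here
            verdict = run_chain(chains, arg, pkt)
            if verdict in ("ACCEPT", "DROP"):
                return verdict
        else:                       # ACCEPT / DROP / RETURN end this chain
            return target
    return None

def run_builtin(chains, name, policy, pkt):
    """Built-in chain: falling off the end or RETURN applies the chain policy."""
    verdict = run_chain(chains, name, pkt)
    return policy if verdict in (None, "RETURN") else verdict

def traverse(mangle, filt, pkt):
    """mangle PREROUTING, then filter INPUT, as for a locally delivered packet.
    ACCEPT in mangle only ends the mangle chain; filter is still consulted."""
    if run_builtin(mangle, "PREROUTING", "ACCEPT", pkt) == "DROP":
        return "DROP"
    return run_builtin(filt, "INPUT", "DROP", pkt)

is_http = lambda p: p["dport"] == 80
is_ssh = lambda p: p["dport"] == 22
anything = lambda p: True

# Variant 1: MARK followed by ACCEPT, as in the Squid examples under discussion.
MANGLE_ACCEPT = {"PREROUTING": [(is_http, "MARK", 1),
                                (is_http, "ACCEPT", None),
                                (anything, "MARK", 2)]}
# Variant 2: MARK inside a user-defined chain, then RETURN to the caller.
MANGLE_RETURN = {"PREROUTING": [(is_http, "JUMP", "proxy"),
                                (anything, "MARK", 2)],
                 "proxy": [(is_http, "MARK", 1), (is_http, "RETURN", None)]}
# filter INPUT: only SSH accepted, default policy DROP.
FILTER = {"INPUT": [(is_ssh, "ACCEPT", None)]}

def demo(mangle, dport):
    """Return (final mark, final verdict) for a packet to `dport`."""
    pkt = {"dport": dport, "mark": 0}
    verdict = traverse(mangle, FILTER, pkt)   # run first: traverse mutates pkt
    return pkt["mark"], verdict
```

With these rule sets, `demo(MANGLE_ACCEPT, 80)` returns `(1, 'DROP')`: the mark survives and the filter table still drops the packet despite the mangle ACCEPT. `demo(MANGLE_RETURN, 80)` returns `(2, 'DROP')`: after RETURN the later MARK rule in PREROUTING overwrote the mark.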