Hi, thank you for your reply. I think layer7 is quite old. Is there any project like layer7? Regards.

2011/2/20 Andrew Beverley <andy@xxxxxxxxxxx>:
> On Sun, 2011-02-20 at 16:10 +0000, E2IA wrote:
>>
>> 2011/2/20 Andrew Beverley <andy@xxxxxxxxxxx>:
>> > On Sun, 2011-02-20 at 15:13 +0000, E2IA wrote:
>> >> Hi all, I'd like to know if it is possible to mark a packet and accept it in
>> >> a single iptables rule.
>> >
>> > There shouldn't be any need to do this.
>> >
>> >> I've these 2 rules:
>> >>
>> >> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 --l7proto yahoo -j MARK --set-mark 74
>> >> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 74 -j ACCEPT
>> >>
>> >> but it seems that the second rule is never matched.
>> >
>> > The second rule *should* be matched. What makes you think that it is
>> > not? Remember: a packet ACCEPTed in one chain can be DROPed later.
>> >
>> > It might be worth you posting your complete set of rules.
>> >
>
> [ Top posting fixed ]
>
>> Hi, here is my complete rule set:
>> #!/bin/bash
>> # script Shaping marker config
>> /usr/local/sbin/iptables -t mangle -F FORWARD
>> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 --l7proto yahoo -j MARK --set-mark 74
>> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 74 -j ACCEPT
>
> <snip>
>
>> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 --l7proto http -j MARK --set-mark 9
>> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 9 -j ACCEPT
>
> <snip>
>
>> /usr/local/sbin/iptables -t mangle -A FORWARD -m layer7 --l7proto finger -j MARK --set-mark 6
>> /usr/local/sbin/iptables -t mangle -A FORWARD -m mark --mark 6 -j ACCEPT
>> /usr/local/sbin/iptables -t mangle -A FORWARD -j ACCEPT
>> # End
>>
>> When doing yahoo messenger it is http, skype and finger which are
>> matched even though yahoo is the first rule,
>> but when I keep the yahoo rule alone, yahoo is matched when doing yahoo messenger.
>>
>
> It's been a while since I played with l7-filter, but I suppose it could
> be something to do with the way that it is classifying packets (it
> sometimes has to see a significant amount of data before it matches some
> protocols).
>
> You might want to try the following for your rules instead, but if your
> problem is something to do with l7-filter then it may not help:
>
> iptables -t mangle -A FORWARD -m mark --mark 0 \
>         -m layer7 --l7proto yahoo -j MARK --set-mark 74
> iptables -t mangle -A FORWARD -m mark --mark 0 \
>         -m layer7 --l7proto http -j MARK --set-mark 9
>
> This will only match and mark packets if they haven't already been
> marked. The disadvantage of this is that all packets will traverse all
> rules making it less efficient.
>
> If you still can't get it to work, you should maybe try asking over at
> the l7-filter project.
>
> Andy
>
>

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
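A check that answers Andy's question ("what makes you think the second rule is not matched?") from the chain's own counters, added here as an example and not part of the thread: it reads the output of `iptables -t mangle -L FORWARD -v -n -x` and reports, for each MARK rule, whether the mark-match rule that follows it actually sees packets, and whether l7-filter has classified any traffic at all. The counter text below is constructed; the column layout follows the usual `-L -v -n -x` output, but the exact match text printed for layer7 and MARK is an assumption and may differ between versions.

```bash
#!/bin/bash
# Diagnostic helper for MARK / mark-match rule pairs in the mangle FORWARD
# chain. Input is the text of:  iptables -t mangle -L FORWARD -v -n -x
# The sample below is CONSTRUCTED for this example (not real counters);
# the "LAYER7 l7proto ..." and "MARK set ..." wording is assumed.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120    45000 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto yahoo MARK set 0x4a
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x4a
    3310  2900112 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            LAYER7 l7proto http MARK set 0x9
    3310  2900112 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x9
   98000 71000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# check_mark_rules: reads counter output on stdin and prints one line per
# MARK rule:  <mark> marked=<pkts> matched=<pkts of the mark-match rule> <status>
#   MARKED-BUT-NOT-MATCHED : packets were marked, yet the "-m mark --mark N"
#                            rule never fired (value/mask mismatch to look at)
#   NO-TRAFFIC-CLASSIFIED  : the layer7 match never classified a packet
#                            (l7-filter may need more data before it matches)
check_mark_rules() {
    awk '
        /MARK set/ {
            for (i = 1; i <= NF; i++) if ($i == "set") mark = $(i + 1)
            marked[mark] = $1          # packet counter of the MARK rule
            order[++n] = mark          # keep chain order for the report
            next
        }
        /mark match/ {
            for (i = 1; i <= NF; i++) if ($i == "match") mark = $(i + 1)
            matched[mark] = $1         # packet counter of the mark-match rule
        }
        END {
            for (j = 1; j <= n; j++) {
                m = order[j]; status = "ok"
                if (marked[m] > 0 && matched[m] == 0) status = "MARKED-BUT-NOT-MATCHED"
                else if (marked[m] == 0) status = "NO-TRAFFIC-CLASSIFIED"
                printf "%s marked=%d matched=%d %s\n", m, marked[m], matched[m] + 0, status
            }
        }'
}

# check_sample: runs the check over the constructed counters above.
check_sample() {
    printf '%s\n' "$SAMPLE_COUNTERS" | check_mark_rules
}

# Live use on the router: iptables -t mangle -L FORWARD -v -n -x | check_mark_rules
check_sample
```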