On 14.01.2013 21:42, richard lucassen wrote:
I have these two rules in this order:

iptables -t mangle -i eth0 -d 10.0.0.0/24 -j CONNMARK --set-mark 1
iptables -t mangle -i eth0 -d 10.0.0.2 -j CONNMARK --set-mark 2

This site http://www.linode.com/wiki/index.php/Netfilter_IPTables_Mini_Howto#mangle_Table says:

<quote>
It is important to notice when making rules that whichever rule matches first will be the target for the packet and no other rules will be checked.
</quote>

As far as I understand the English language, this means that a packet towards 10.0.0.2 will be marked "1" and not "2", as the first rule matches and thus the other rules will not be tested. But in practice, destination 10.0.0.2 will be marked with "2" in the order mentioned above. This is not what the site says.

Question: is a mangle rule really an end rule as the site suggests? Or is this not true ("man iptables" says nothing about it AFAICS)? Or is it true and do I have to report a bug?
That depends on whether the target is a "non-terminating target" or not, i.e. MARK, CONNMARK, LOG are non-terminating. ACCEPT, DROP, RETURN are.
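To illustrate the answer above, here is a small Python model of chain traversal (added here, not code from the thread or from netfilter): every matching rule fires in order, and only a terminating target stops the walk. The interface, addresses and the two CONNMARK rules come from the question; the ACCEPT placed between them in the second case is an assumption added to show the contrast.

```python
import ipaddress
from dataclasses import dataclass

# Terminating targets end traversal of the chain for a matching packet;
# MARK, CONNMARK and LOG are non-terminating: they act and fall through.
TERMINATING = {"ACCEPT", "DROP", "RETURN"}

@dataclass
class Rule:
    in_iface: str                 # -i
    dst: ipaddress.IPv4Network    # -d
    target: str                   # -j
    mark: int = 0                 # --set-mark (CONNMARK only here)

@dataclass
class Packet:
    in_iface: str
    dst: ipaddress.IPv4Address
    connmark: int = 0             # connection mark set by CONNMARK

def traverse(chain: list, pkt: Packet):
    """Walk a chain top to bottom: every matching rule fires; traversal
    stops only at the first matching terminating target."""
    for idx, rule in enumerate(chain, start=1):
        if pkt.in_iface != rule.in_iface or pkt.dst not in rule.dst:
            continue                        # rule does not match, next rule
        if rule.target == "CONNMARK":
            pkt.connmark = rule.mark        # act, then keep walking
        if rule.target in TERMINATING:
            return rule.target, idx         # verdict and the rule that gave it
    return "policy", None                   # fell off the end: chain policy applies

def rule(dst, target, mark=0):
    return Rule("eth0", ipaddress.ip_network(dst), target, mark)

def thread_case():
    """Both CONNMARK rules match 10.0.0.2; the second overwrites the first."""
    chain = [rule("10.0.0.0/24", "CONNMARK", 1), rule("10.0.0.2/32", "CONNMARK", 2)]
    pkt = Packet("eth0", ipaddress.ip_address("10.0.0.2"))
    return traverse(chain, pkt)[0], pkt.connmark      # ('policy', 2)

def terminating_case():
    """An ACCEPT between the two rules (assumed) stops traversal, so connmark stays 1."""
    chain = [rule("10.0.0.0/24", "CONNMARK", 1), rule("10.0.0.0/24", "ACCEPT"),
             rule("10.0.0.2/32", "CONNMARK", 2)]
    pkt = Packet("eth0", ipaddress.ip_address("10.0.0.2"))
    return traverse(chain, pkt)[0], pkt.connmark      # ('ACCEPT', 1)
```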