I have been reading man pages and googling and I am not finding
understanding. Maybe somebody can explain:
Under my mangle table (using iptables-restore to load):
-A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-mark 30
-A PREROUTING -s 192.168.171.0/24 -m mark ! --mark 30 -j MARK --set-mark 40
-A PREROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
-A PREROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
This logs packets with both marks.
If I change the LOG target to POSTROUTING, like so:
-A POSTROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
-A POSTROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
only packets with the mark 40 are logged. I think it should log both.
If I consult the netfilter packet flow chart, nat/PREROUTING comes after
mangle/PREROUTING, and I cannot log packets with a mark of 30 there either.
Traffic keeps flowing, so the packets themselves are not being dropped,
but the mark apparently is not passed from the initial chain. Everything
I have read indicates it should be. What could I have done (or not
done) to make this happen? Or better yet, what should I be reading that
would explain this? I get the feeling I am overlooking something really
obvious...
--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
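One way to see what the kernel actually had on each packet at the moment it was logged, as an added example that is not part of the original post: parse the output of the LOG target, which prints MARK= in hex whenever the mark is non-zero, and compare that value with the prefix the matching rule used. The log lines below are constructed for illustration (note the prefix runs straight into IN= because --log-prefix was given without a trailing space, exactly as in the rules above), and the convention that the trailing digits of a prefix name the mark it was logged for is an assumption made for this example only.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG output (not taken from the original
# post). The kernel prints the --log-prefix, then the packet header fields;
# with no trailing space in the prefix, "vpnX30" runs straight into "IN=".
# MARK= is printed in hex and only when the mark is non-zero. The last line
# is a deliberately inconsistent record so that the mismatch check fires.
SAMPLE_LOG = """\
Jan  1 12:00:00 gw kernel: vpnX30IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=148 TOS=0x00 PREC=0x00 TTL=54 ID=1001 PROTO=UDP SPT=4500 DPT=4500 LEN=128 MARK=0x1e
Jan  1 12:00:01 gw kernel: vpnX30IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=148 TOS=0x00 PREC=0x00 TTL=54 ID=1002 PROTO=UDP SPT=4500 DPT=4500 LEN=128 MARK=0x1e
Jan  1 12:00:02 gw kernel: vpnX40IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.171.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2001 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1 MARK=0x28
Jan  1 12:00:03 gw kernel: vpnX30IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=148 TOS=0x00 PREC=0x00 TTL=54 ID=1003 PROTO=UDP SPT=4500 DPT=4500 LEN=128 MARK=0x28
"""

# Everything between "kernel:" and the first "IN=" is the log prefix.
LINE_RE = re.compile(r'kernel:\s*(?P<prefix>.*?)\s*IN=(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_log_line(line):
    """Split one LOG line into (prefix, fields); None if it is not a LOG record.
    Repeated keys (the second LEN=, the ICMP ID=) keep the last value, which is
    enough for a mark audit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall('IN=' + m.group('rest')))
    return m.group('prefix'), fields


def mark_of(fields):
    """The mark the kernel saw on this packet; LOG omits MARK= when it is 0."""
    return int(fields.get('MARK', '0x0'), 16)


def expected_mark(prefix):
    """The mark a prefix such as vpnX30 claims, read from its trailing digits
    (a naming convention assumed for this example, not anything netfilter
    enforces)."""
    m = re.search(r'(\d+)$', prefix)
    return int(m.group(1)) if m else None


def audit_marks(log_text):
    """Count logged packets by (prefix, mark actually present on the packet)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            prefix, fields = parsed
            counts[(prefix, mark_of(fields))] += 1
    return dict(counts)


def find_mismatches(log_text):
    """Lines whose MARK= disagrees with the mark the logging rule's prefix names.
    Returns (line number, prefix, actual mark) tuples."""
    out = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_log_line(line)
        if not parsed:
            continue
        prefix, fields = parsed
        exp = expected_mark(prefix)
        if exp is not None and exp != mark_of(fields):
            out.append((lineno, prefix, mark_of(fields)))
    return out


if __name__ == '__main__':
    for (prefix, mark), n in sorted(audit_marks(SAMPLE_LOG).items()):
        print(f'{prefix} mark={mark} count={n}')
    print('mismatches:', find_mismatches(SAMPLE_LOG))
```

Run against real output (for example the lines matching "vpnX" in the kernel log) the per-prefix counts show directly whether any packet carrying mark 30 reaches the POSTROUTING rule at all, and the mismatch list catches a prefix being attached to a packet whose mark is not what the rule name suggests.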