Re: packet marking

Is there a reason to use decimal numbers? 0x1E and 0x28 are quite
complex marks to set. Maybe use 0x30 and 0x40 instead.

Is there any other place where marking is done?

Why not provide us with a full iptables-save output?

On Wed, 2015-03-04 at 14:04 -0800, Bob Miller wrote:
> I have been reading man pages and googling and I am not finding
> understanding.  Maybe somebody can explain:
> 
> under my mangle table (using iptables-restore to load):
> 
> -A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-mark 30
> -A PREROUTING -s 192.168.171.0/24 -m mark ! --mark 30 -j MARK --set-mark 40
> -A PREROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
> -A PREROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
> 
> This logs packets with both marks.
> 
> If I change the LOG target to POSTROUTING, like so:
> 
> -A POSTROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
> -A POSTROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
> 
> only packets with the mark 40 are logged.  I think it should log both.
> 
> If I consult the nfpacket flow chart, nat/PREROUTING comes after 
> mangle/PREROUTING, and I cannot log packets with a mark of 30 there either.
> 
> Traffic keeps flowing, so the packets themselves are not being dropped, 
> but the mark apparently is not passed from the initial chain. Everything 
> I have read indicates it should be.  What could I have done (or not
> done) to make this happen?  Or better yet, what should I be reading that
> would explain this?  I get the feeling I am overlooking something really 
> obvious...
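As an added example (not from the thread), a small Python audit of an iptables-save dump that answers the reply's questions mechanically: it inventories every mark that is set or tested, per table and chain, and reports each value in hex as well as decimal. The dump below is constructed from the rules quoted in the message plus the nat/PREROUTING check the poster mentions.

```python
import re
from collections import defaultdict

# Constructed sample in iptables-save format, built from the rules quoted
# in the thread (decimal marks 30 and 40); not a real dump from the poster.
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-mark 30
-A PREROUTING -s 192.168.171.0/24 -m mark ! --mark 30 -j MARK --set-mark 40
-A POSTROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
-A POSTROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m mark --mark 30 -j LOG --log-prefix natX30
COMMIT
"""

# MARK target (--set-mark / --set-xmark) and mark match (-m mark [!] --mark)
SET_RE = re.compile(r"--set-x?mark\s+(0x[0-9a-fA-F]+|\d+)")
MATCH_RE = re.compile(r"-m mark\s+(!\s+)?--mark\s+(0x[0-9a-fA-F]+|\d+)")

def parse_mark(token):
    """Accept decimal or 0x-prefixed hex as iptables does; drop any /mask."""
    value = token.split("/")[0]
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)

def inventory_marks(dump):
    """Return {mark: {"set": [(table, chain)], "test": [(table, chain)]}}."""
    table = None
    marks = defaultdict(lambda: {"set": [], "test": []})
    for line in dump.splitlines():
        if line.startswith("*"):          # table header, e.g. *mangle
            table = line[1:]
            continue
        if not line.startswith("-A "):    # only rule lines carry marks
            continue
        chain = line.split()[1]
        for m in SET_RE.finditer(line):
            marks[parse_mark(m.group(1))]["set"].append((table, chain))
        for m in MATCH_RE.finditer(line):
            marks[parse_mark(m.group(2))]["test"].append((table, chain))
    return dict(marks)

def report(dump):
    """One line per mark, hex first, so 30 and 40 read as 0x1e and 0x28."""
    return [f"mark {mark:#x} ({mark}): set in {w['set']}, tested in {w['test']}"
            for mark, w in sorted(inventory_marks(dump).items())]
```

Run `report()` over the real `iptables-save` output to see every table and chain that sets or checks a given mark, which is the "any other place where marking is done" question in one pass.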

