2016-12-12 18:15 GMT+01:00 Noel Kuntze <noel@xxxxxxxxxxxxxxxxx>:
> On 12.12.2016 18:07, Pau Espin Pedrol wrote:
>> that is, I cannot mark packets generated by
>> a REJECT target with a specific mark.
> You shouldn't treat rejects any differently than the original responses anyway, so it's not a problem,
> because you don't have to treat them differently than the original packets that caused them.
>

Unfortunately, I do, as I'm playing with the node being a transparent proxy, and so far with the current setup marking helps choose the right direction for each packet on the bridge. Different direction, different marking.

> And you can still route and mark local (including ones that were caused by -j REJECT) packets. Look at the
> graph[1].
>
> [1] http://inai.de/images/nf-packet-flow.png
>

I'm not sure if packets can be considered local in this case, as acting as a transparent proxy means src ip or dst ip cannot be matched against IPs or interfaces in the system, which makes everything a bit harder.

However, thinking about it, it seems I could work around the issue by adding a rule just before REJECT which matches on the same mark/filter and does -j MARK to the desired mark. That together with fwmark_reflect would work but it still looks a bit hackish.

Thanks again for the help,

Pau Espin Pedrol
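The workaround Pau sketches in his last paragraph, written out as an added example (this is not a ruleset from the thread or from Pau's setup). The mechanism it relies on: a packet generated by REJECT (a TCP RST or ICMP unreachable) has no socket, so with net.ipv4.fwmark_reflect=1 (net.ipv6.fwmark_reflect for IPv6) the kernel copies the fwmark of the packet being answered onto it. Re-marking the packet immediately before the REJECT rule therefore decides which mark the reject carries. The bridge port names, mark values and the rejected service port are assumptions made up for the illustration; the script prints the ruleset rather than loading it unless invoked with `apply`, so the ordering can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): re-mark right before REJECT so the
# kernel-generated reject inherits the desired mark via fwmark_reflect.
# Interface names, marks and the service port are assumptions.
set -eu

PORT_A="${PORT_A:-eth0}"   # assumed bridge port facing side A
PORT_B="${PORT_B:-eth1}"   # assumed bridge port facing side B
MARK_A=0x1                 # "entered from A" (assumed direction mark)
MARK_B=0x2                 # "entered from B" (assumed direction mark)
MARK_RST_A=0x11            # desired mark on a reject answering an A-side packet
MARK_RST_B=0x12            # desired mark on a reject answering a B-side packet
BLOCKED_PORT=25            # assumed service to reject

# iptables-restore text.  MARK (target revision 2) may be used in any table,
# but REJECT is only valid in the filter table, so the re-mark rule lives in
# filter directly in front of the matching REJECT rule.  The physdev match
# needs br_netfilter for the bridged traffic to reach these chains.
gen_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m physdev --physdev-in $PORT_A -j MARK --set-mark $MARK_A
-A PREROUTING -m physdev --physdev-in $PORT_B -j MARK --set-mark $MARK_B
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m mark --mark $MARK_A -p tcp --dport $BLOCKED_PORT -j MARK --set-mark $MARK_RST_A
-A FORWARD -m mark --mark $MARK_RST_A -p tcp --dport $BLOCKED_PORT -j REJECT --reject-with tcp-reset
-A FORWARD -m mark --mark $MARK_B -p tcp --dport $BLOCKED_PORT -j MARK --set-mark $MARK_RST_B
-A FORWARD -m mark --mark $MARK_RST_B -p tcp --dport $BLOCKED_PORT -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Sanity check: every REJECT rule must be directly preceded by a MARK rule
# whose --set-mark value equals the REJECT rule's own --mark match, otherwise
# the reflected mark on the RST will not be the one expected downstream.
check_order() {
    gen_ruleset | awk '
        /-j MARK --set-mark/ { prev = $NF; next }
        /-j REJECT/ {
            want = ""
            for (i = 1; i <= NF; i++) if ($i == "--mark") want = $(i + 1)
            if (prev != want) bad = 1
            prev = ""; next
        }
        { prev = "" }
        END { exit bad ? 1 : 0 }'
}

# Load for real only on request (needs root, iptables and br_netfilter).
# Whatever consumes the mark afterwards (policy routing, tc, ...) now sees
# MARK_RST_* on the reject instead of the direction mark.
if [ "${1:-}" = "apply" ]; then
    check_order
    sysctl -w net.ipv4.fwmark_reflect=1
    gen_ruleset | iptables-restore --noflush
fi
```

Run it without arguments to print nothing and exercise nothing; `sh script.sh apply` validates the ordering, enables fwmark_reflect and loads the rules. The check is deliberately strict about adjacency: a rule inserted between the re-mark and the REJECT could match first and the reject would then reflect the wrong mark.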