Hi all!!

I was trying to figure out how iptables marks work. I thought that a packet could just be marked once in a chain (if the packet matches the criteria, then the action is applied, and that's all for the packet in this chain), but I was wrong. I did

  iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 7
  iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 8

and then I did `iptables -t mangle -L -x -v' and I got

  Chain INPUT (policy ACCEPT 9565560 packets, 4954706655 bytes)
      pkts   bytes target  prot opt in    out  source    destination
        45   31630 MARK    0    --  eth0  any  anywhere  anywhere     MARK set 0x7
        45   31630 MARK    0    --  eth0  any  anywhere  anywhere     MARK set 0x8

Can someone tell me how I can be sure one packet will just be marked once in the chain?
> iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 7
> iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 8
>
> and then I did `iptables -t mangle -L -x -v' and I got
>
> Chain INPUT (policy ACCEPT 9565560 packets, 4954706655 bytes)
>     pkts   bytes target  prot opt in    out  source    destination
>       45   31630 MARK    0    --  eth0  any  anywhere  anywhere     MARK set 0x7
>       45   31630 MARK    0    --  eth0  any  anywhere  anywhere     MARK set 0x8
>
> Can someone tell me how I can be sure one packet will just be marked once in
> the chain?

I would try the following (untested) rules:

  iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 7
  iptables -t mangle -A INPUT -i eth0 -j RETURN
  iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 8

I guess you will never get the second mark.

Regards,
Nelson.-

--
http://arhuaco.org
http://emQbit.com
Hello Alejandro,

The MARK target always returns a CONTINUE verdict internally, so the packet will match the next rule as well. You may append another rule that either RETURNs or ACCEPTs the packet.

Regards,
Padam

Alejandro Ramos Encinosa wrote:
> Hi all!!
>
> I was trying to figure out how iptables marks work. I thought that a packet
> could just be marked once in a chain (if the packet matches the criteria,
> then the action is applied, and that's all for the packet in this chain),
> but I was wrong. I did
>
>   iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 7
>   iptables -t mangle -A INPUT -i eth0 -j MARK --set-mark 8
>
> and then I did `iptables -t mangle -L -x -v' and I got
>
>   Chain INPUT (policy ACCEPT 9565560 packets, 4954706655 bytes)
>       pkts   bytes target  prot opt in    out  source    destination
>         45   31630 MARK    0    --  eth0  any  anywhere  anywhere     MARK set 0x7
>         45   31630 MARK    0    --  eth0  any  anywhere  anywhere     MARK set 0x8
>
> Can someone tell me how I can be sure one packet will just be marked once
> in the chain?

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
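The two fixes suggested in the thread, written out as an added example (this is not code from the original posts). It emits iptables-restore rulesets for the mangle table: the original two-rule chain from the question, Nelson's RETURN variant, and an alternative that guards each MARK with `-m mark --mark 0` so a rule only fires on a packet nobody has marked yet. The interface name eth0 and the marks 7 and 8 are taken from the question; the awk walk at the end is a plain text model of the CONTINUE semantics Padam describes, not a netfilter call, and nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Prints iptables-restore syntax for
# the mangle table; pipe the output into iptables-restore yourself if you want
# it loaded (that needs root and a netfilter-capable kernel).

# Ruleset from the question: MARK returns CONTINUE, so both rules fire on
# every eth0 packet and the last --set-mark (8) is what the packet leaves with.
mangle_rules_original() {
  cat <<'EOF'
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -j MARK --set-mark 7
-A INPUT -i eth0 -j MARK --set-mark 8
COMMIT
EOF
}

# Variant A (Nelson's suggestion): a RETURN right after the first MARK leaves
# the INPUT chain before the second MARK rule can be evaluated. In a built-in
# chain RETURN means the chain policy (ACCEPT) applies, which is harmless in
# the mangle table.
mangle_rules_return() {
  cat <<'EOF'
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -j MARK --set-mark 7
-A INPUT -i eth0 -j RETURN
-A INPUT -i eth0 -j MARK --set-mark 8
COMMIT
EOF
}

# Variant B: guard each MARK rule with "-m mark --mark 0". Once the first rule
# has set a non-zero mark, the second rule's match fails, so the packet keeps
# its first mark while later, unrelated rules in the chain stay reachable.
mangle_rules_guard() {
  cat <<'EOF'
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -m mark --mark 0 -j MARK --set-mark 7
-A INPUT -i eth0 -m mark --mark 0 -j MARK --set-mark 8
COMMIT
EOF
}

# Model of chain traversal for one packet that arrives on eth0 with mark 0:
# count how many MARK rules it actually hits. MARK continues to the next rule,
# a terminating verdict (RETURN/ACCEPT/DROP) stops the walk, and a
# "-m mark --mark 0" guard fails once the packet carries a mark.
reachable_marks() {
  awk '
    /^-A INPUT/ {
      if (stopped) next
      if ($0 ~ /-j MARK/) {
        if ($0 ~ /-m mark --mark 0/ && marked) next
        marks++; marked = 1; next
      }
      if ($0 ~ /-j (RETURN|ACCEPT|DROP)/) stopped = 1
    }
    END { print marks + 0 }'
}

# Stand-alone run: show how many MARK rules each ruleset lets a packet hit.
for variant in original return guard; do
  printf '%-9s marks applied: ' "$variant"
  "mangle_rules_$variant" | reachable_marks
done
```

To check the syntax of a variant on a real box without committing it, `mangle_rules_guard | iptables-restore --test` (iptables-restore's `-t/--test` flag parses the ruleset and exits without touching the kernel; root is still required). Note that `--set-mark` overwrites the whole mark value, which is why the 45/45 counters in the question mean every one of those packets ended up with 0x8, not 0x7.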