On 8/19/2015 9:29 AM, Tom Eastep wrote:
> On 8/18/2015 7:39 PM, Eddie wrote:
>> Seeing the recent question on Marks with IPv6 I went back to review a
>> setup I'm currently testing.
>>
>> In my tcrules file I have:
>>
>> CONTINUE $FW - - - - - !0x0
>>
>> This generates the following mangle rule:
>>
>> -A tcout -m mark ! --mark 0x0/0xff -j RETURN
>>
>> But based on my config file:
>>
>> TC_BITS=8
>> PROVIDER_BITS=8
>> PROVIDER_OFFSET=8
>> MASK_BITS=8
>> ZONE_BITS=0
>>
>> Shouldn't that read:
>>
>> -A tcout -m mark ! --mark 0x0/0xff00 -j RETURN
>>
>> All the other mark "tests" specify a mask of 0xff00
>>
> In all instances, the default mask for MARK columns is the TC Mask which
> is 0xff in your configuration.
>
> Note that, unless TC_EXPERT=Yes, tcout is only traversed by packets that
> have no routing mark.
>

I'm not using TC_EXPERT, and I do see the check that sends unmarked packets to tcout:

-A OUTPUT -m mark --mark 0x0/0xff00 -j tcout

Hence my questioning of the mark mask on the CONTINUE rule, based on how that one and the one for the PREROUTING chain are constructed:

-A PREROUTING -m mark --mark 0x0/0xff00 -j tcpre

I have a bunch of rules in tcout, ahead of the CONTINUE, which could set a mark, and for those packets I don't want the remainder of tcpre traversed.

Also, looking at some iptables counters, I see the rules in tcout ahead of the CONTINUE being actioned, but not the CONTINUE.

Cheers,
Eddie

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
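The thread turns on how `-m mark --mark VALUE/MASK` evaluates against a packet's fwmark when the TC field (low 8 bits) and the provider/routing field (bits 8..15) are separate. The following is an added example, not code from the thread or from Shorewall: it parses the iptables rule strings quoted above with a small hand-written matcher and evaluates them against constructed fwmark values using the bit layout from the quoted shorewall.conf (TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8). The `0xff00` variant of the CONTINUE rule is the one Eddie asked about, not anything the compiler emitted, and the matching semantics are modelled from xt_mark (`(fwmark & mask) == value`, inverted by `!`), which is an assumption stated in the code.

```python
# Added example, not part of the Shorewall-users thread. Models how the
# iptables mark match decides whether a rule fires, so the effect of a
# 0xff versus 0xff00 mask on the CONTINUE rule can be seen on sample marks.
import re

# Bit layout taken from the configuration quoted in the thread.
TC_BITS = 8
PROVIDER_BITS = 8
PROVIDER_OFFSET = 8
TC_MASK = (1 << TC_BITS) - 1                                   # 0xff
PROVIDER_MASK = ((1 << PROVIDER_BITS) - 1) << PROVIDER_OFFSET  # 0xff00

# Rule strings: the first three are quoted in the thread, the last is the
# alternative mask Eddie asked about (constructed for comparison).
OUTPUT_RULE = "-A OUTPUT -m mark --mark 0x0/0xff00 -j tcout"
PREROUTING_RULE = "-A PREROUTING -m mark --mark 0x0/0xff00 -j tcpre"
CONTINUE_TC_MASK = "-A tcout -m mark ! --mark 0x0/0xff -j RETURN"
CONTINUE_PROVIDER_MASK = "-A tcout -m mark ! --mark 0x0/0xff00 -j RETURN"

# Minimal parser for the '-A CHAIN -m mark [!] --mark V[/M] -j TARGET' shape
# seen above; it does not attempt to cover general iptables syntax.
RULE_RE = re.compile(
    r"-A\s+(?P<chain>\S+)\s+-m\s+mark\s+(?P<neg>!\s+)?--mark\s+"
    r"(?P<value>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?\s+-j\s+(?P<target>\S+)"
)


def parse_rule(rule):
    """Return the chain, negation flag, value, mask and target of one rule."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule shape: {rule!r}")
    # Without an explicit mask iptables compares every bit of the fwmark.
    mask = int(m["mask"], 16) if m["mask"] else 0xFFFFFFFF
    return {
        "chain": m["chain"],
        "negate": m["neg"] is not None,
        "value": int(m["value"], 16),
        "mask": mask,
        "target": m["target"],
    }


def mark_matches(rule, fwmark):
    """Assumed xt_mark semantics: (fwmark & mask) == value, inverted by '!'."""
    hit = (fwmark & rule["mask"]) == rule["value"]
    return (not hit) if rule["negate"] else hit


def field_tested(rule):
    """Name which part of the configured layout a rule's mask inspects."""
    mask = rule["mask"]
    if mask == TC_MASK:
        return "tc"
    if mask == PROVIDER_MASK:
        return "provider"
    if mask == (TC_MASK | PROVIDER_MASK):
        return "tc+provider"
    return "other"


def tc_part(fwmark):
    return fwmark & TC_MASK


def provider_part(fwmark):
    return (fwmark & PROVIDER_MASK) >> PROVIDER_OFFSET


def first_target(rules, fwmark):
    """Walk a chain of parsed mark rules; return the first target that fires."""
    for rule in rules:
        if mark_matches(rule, fwmark):
            return rule["target"]
    return None


if __name__ == "__main__":
    # Constructed sample marks: unmarked, TC mark set by an earlier tcout rule,
    # and a routing (provider) mark set.
    for fwmark in (0x0000, 0x0005, 0x0100):
        reaches_tcout = mark_matches(parse_rule(OUTPUT_RULE), fwmark)
        print(f"fwmark={fwmark:#06x} tc={tc_part(fwmark)} provider={provider_part(fwmark)} "
              f"OUTPUT->tcout={reaches_tcout} "
              f"CONTINUE/0xff={first_target([parse_rule(CONTINUE_TC_MASK)], fwmark)} "
              f"CONTINUE/0xff00={first_target([parse_rule(CONTINUE_PROVIDER_MASK)], fwmark)}")
```

Running it shows the distinction behind Tom's answer: the `0xff` mask makes the CONTINUE fire for a packet whose TC field was set earlier in tcout (fwmark 0x0005 returns), while a `0xff00` mask would ignore the TC field entirely and only react to a routing mark, which is exactly the kind of packet the OUTPUT rule already keeps out of tcout.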
