On 08/19/2015 10:25 AM, Eddie wrote:
> On 8/19/2015 9:29 AM, Tom Eastep wrote:
>> On 8/18/2015 7:39 PM, Eddie wrote:
>>> Seeing the recent question on Marks with IPv6 I went back to review a
>>> setup I'm currently testing.
>>>
>>> In my tcrules file I have:
>>>
>>> CONTINUE $FW - - - - - !0x0
>>>
>>> This generates the following mangle rule:
>>>
>>> -A tcout -m mark ! --mark 0x0/0xff -j RETURN
>>>
>>> But based on my config file:
>>>
>>> TC_BITS=8
>>> PROVIDER_BITS=8
>>> PROVIDER_OFFSET=8
>>> MASK_BITS=8
>>> ZONE_BITS=0
>>>
>>> Shouldn't that read:
>>>
>>> -A tcout -m mark ! --mark 0x0/0xff00 -j RETURN
>>>
>>> All the other mark "tests" specify a mask of 0xff00
>>>
>> In all instances, the default mask for MARK columns is the TC Mask which
>> is 0xff in your configuration.
>>
>> Note that, unless TC_EXPERT=Yes, tcout is only traversed by packets that
>> have no routing mark.
>>
> I'm not using TC_EXPERT, and I do see the check that sends un-marked
> packets to tcout:
>
> -A OUTPUT -m mark --mark 0x0/0xff00 -j tcout
>
> Hence my questioning of the mark mask on the CONTINUE rule, based on how
> that one and the one for the PREROUTING chain are constructed:
>
> -A PREROUTING -m mark --mark 0x0/0xff00 -j tcpre
>
> I have a bunch of rules in tcout, ahead of the CONTINUE which could set
> a mark and for those packets, I don't want the remainder of tcpre traversed.
>
> Also, looking at some iptables counters, I see the rules in tcout, ahead
> of the CONTINUE being actioned, but not the CONTINUE.
>

Then change your rule to:

CONTINUE $FW - - - - - !0x0/0xff00

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
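
The mask arithmetic behind this exchange, as an added example that is not part of the original thread: it models the mark match as (mark & mask) == value and shows for which packet marks the CONTINUE rule's RETURN fires under each mask. The derivation of the masks from TC_BITS, PROVIDER_BITS and PROVIDER_OFFSET, the helper names and the sample marks are assumptions constructed for illustration.

```python
# Added illustration, not Shorewall code. Assumes the TC mask and provider
# mask are derived from the *_BITS settings quoted in the thread.
TC_BITS = 8
PROVIDER_BITS = 8
PROVIDER_OFFSET = 8

TC_MASK = (1 << TC_BITS) - 1                                   # 0xff
PROVIDER_MASK = ((1 << PROVIDER_BITS) - 1) << PROVIDER_OFFSET  # 0xff00


def mark_match(mark, value, mask, invert=False):
    """Emulate `-m mark [!] --mark value/mask` for one packet mark."""
    hit = (mark & mask) == value
    return not hit if invert else hit


def enters_tcout(mark):
    """The OUTPUT jump from the thread: -m mark --mark 0x0/0xff00 -j tcout."""
    return mark_match(mark, 0x0, PROVIDER_MASK)


def continue_returns(mark, mask):
    """True if `-A tcout -m mark ! --mark 0x0/<mask> -j RETURN` fires."""
    return mark_match(mark, 0x0, mask, invert=True)


# Constructed sample marks: provider id in bits 8-15, TC class in bits 0-7.
SAMPLES = {
    "unmarked": 0x0000,
    "routing mark set earlier in tcout": 0x0100,
    "tc class only": 0x0005,
    "routing mark + tc class": 0x0203,
}


def report():
    """Return (label, mark, RETURN with /0xff, RETURN with /0xff00) rows."""
    return [
        (label, hex(mark),
         continue_returns(mark, TC_MASK),
         continue_returns(mark, PROVIDER_MASK))
        for label, mark in SAMPLES.items()
    ]


if __name__ == "__main__":
    print(f"{'packet':36} {'mark':>7} {'/0xff':>6} {'/0xff00':>8}")
    for label, mark, tc_hit, prov_hit in report():
        print(f"{label:36} {mark:>7} {tc_hit!s:>6} {prov_hit!s:>8}")
```

A mark of 0x100 written by an earlier tcout rule has zero low bits, so the default `/0xff` test never returns on it, while the `/0xff00` form suggested in the reply does.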
