* CONNMARK rules
@ 2022-07-07 13:17 Richard Lucassen
  2022-07-07 13:31 ` Kerin Millar
  0 siblings, 1 reply; 3+ messages in thread
From: Richard Lucassen @ 2022-07-07 13:17 UTC (permalink / raw)
  To: netfilter

Hello list,

I have two lines in the iptables PREROUTING mangle table to split up
traffic from even and odd ip numbers:

-s 10.32.24.0/23 -j CONNMARK --set-mark 0x1001
-s 10.32.24.0/255.255.254.1 -j CONNMARK --set-mark 0x1000

But I noticed that rules in this order do not work (everything
gets 0x1001):

-s 10.32.24.0/255.255.254.1 -j CONNMARK --set-mark 0x1000
-s 10.32.24.0/23 -j CONNMARK --set-mark 0x1001

So I assume the CONNMARK rules are not end rules (hit = exit)

Is that correct?

R.


-- 
richard lucassen
http://contact.xaq.nl/


* Re: CONNMARK rules
  2022-07-07 13:17 CONNMARK rules Richard Lucassen
@ 2022-07-07 13:31 ` Kerin Millar
  2022-07-07 14:05   ` Richard Lucassen
  0 siblings, 1 reply; 3+ messages in thread
From: Kerin Millar @ 2022-07-07 13:31 UTC (permalink / raw)
  To: netfilter; +Cc: Richard Lucassen

Hi Richard,

On Thu, 7 Jul 2022 15:17:39 +0200
Richard Lucassen <mailinglists@xaq.nl> wrote:

> Hello list,
> 
> I have two lines in the iptables PREROUTING mangle table to split up
> traffic from even and odd ip numbers:
> 
> -s 10.32.24.0/23 -j CONNMARK --set-mark 0x1001
> -s 10.32.24.0/255.255.254.1 -j CONNMARK --set-mark 0x1000
> 
> But I noticed that rules in this order do not work (everything
> gets 0x1001):
> 
> -s 10.32.24.0/255.255.254.1 -j CONNMARK --set-mark 0x1000
> -s 10.32.24.0/23 -j CONNMARK --set-mark 0x1001
> 
> So I assume the CONNMARK rules are not end rules (hit = exit)
> 
> Is that correct?

Yes, it is. This could be confirmed by inspecting the rule counters or by using the TRACE target.

-- 
Kerin Millar


* Re: CONNMARK rules
  2022-07-07 13:31 ` Kerin Millar
@ 2022-07-07 14:05   ` Richard Lucassen
  0 siblings, 0 replies; 3+ messages in thread
From: Richard Lucassen @ 2022-07-07 14:05 UTC (permalink / raw)
  To: netfilter

On Thu, 7 Jul 2022 14:31:56 +0100
Kerin Millar <kfm@plushkava.net> wrote:

> > So I assume the CONNMARK rules are not end rules (hit = exit)
> > 
> > Is that correct?
> 
> Yes, it is. This could be confirmed by inspecting the rule counters
> or by using the TRACE target.

Ok, thnx, just eager to know ;-)

R.

-- 
richard lucassen
http://contact.xaq.nl/
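
The behaviour confirmed in this thread, as an added example that is not part of the original messages: a small Python model of chain traversal with a non-terminating CONNMARK target, run over both rule orders from the first message. The function names and sample source addresses are constructed for illustration; the model covers only the `-s addr/mask` match and `--set-mark`, and the per-rule hit list stands in for the rule counters mentioned in the reply.

```python
import ipaddress


def ip_int(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_rule(src, mark):
    """Model '-s addr/mask -j CONNMARK --set-mark mark'.

    The mask may be a prefix length or a dotted mask; a non-contiguous
    mask such as 255.255.254.1 also tests the lowest bit of the address.
    """
    addr, mask = src.split("/")
    if "." in mask:
        m = ip_int(mask)
    else:
        m = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    return (ip_int(addr) & m, m, mark)


def connmark(rules, src_ip):
    """Walk the whole chain: CONNMARK does not end traversal, so the
    last matching rule decides the mark. Returns (mark, rules_hit)."""
    mark, hits = 0, []
    for number, (net, mask, value) in enumerate(rules, 1):
        if ip_int(src_ip) & mask == net:
            mark = value          # overwrite, then keep evaluating
            hits.append(number)   # what the rule counters would show
    return mark, hits


# The two rule orders from the thread.
GENERAL_FIRST = [parse_rule("10.32.24.0/23", 0x1001),
                 parse_rule("10.32.24.0/255.255.254.1", 0x1000)]
SPECIFIC_FIRST = [parse_rule("10.32.24.0/255.255.254.1", 0x1000),
                  parse_rule("10.32.24.0/23", 0x1001)]

if __name__ == "__main__":
    # Constructed sample sources: one even, one odd last octet.
    for name, rules in (("general first", GENERAL_FIRST),
                        ("specific first", SPECIFIC_FIRST)):
        for ip in ("10.32.24.10", "10.32.25.11"):
            mark, hits = connmark(rules, ip)
            print(f"{name:14} {ip:12} mark={mark:#x} rules hit={hits}")
```
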
