Hi. Patrick Schaaf wrote:
>> After not receiving a response for two weeks second try:
>
> Sorry. Here we go:
>
>> The attached patch adds a new option --terminate to the MARK target
>> which lets the user choose if MARK should return IPT_CONTINUE
>> (normal behaviour) or NF_ACCEPT (to terminate further rule processing).
>
> [...]
>
>> A CONNMARK patch will follow
>
> Will you also add this to LOG, ULOG, and any other IPT_CONTINUE target
> that may come up in the future? In my opinion, this is misguided, because
> it leads to much code duplication in target modules.

Hmm, probably not :) Although I can't see why someone would like (U)LOG to
return NF_ACCEPT, your point is clear ..

> There is already a flexible, but somewhat ugly, way to do what you want:
> create a user defined chain that first MARKs then ACCEPTs (or does whatever
> else one may want to be done after MARK). Obviously, this is a bit ugly
> because you need one such chain per MARK value.

That's not really what I want to do .. especially since we need lots of
marking rules, basically everything allowed needs to be marked with
different values.

> The good way to do it, in my opinion, would be to permit more than one
> target per iptables rule. You could then write
>
>   iptables -A somewhere -m something -j MARK --mark 1 -j ACCEPT
>
> Note that I do _not_ oppose adding your --terminate option to MARK, as a
> stopgap measure. If that is helpful now, it should be done, IMHO.
>
> However, I'd like to hear people's opinions on the multitarget approach.

I like that idea very much, although (like Henrik already suggested) I
favour the idea of something new between targets and matches for
IPT_CONTINUE targets ..

Bye,
Patrick
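The "one user-defined chain per MARK value" workaround quoted above, written out as an added example (this is not code from the thread or from the netfilter project): a small POSIX shell generator that emits an iptables-restore fragment for the mangle table, with one chain per mark value that first MARKs and then ACCEPTs, so that jumping into it ends traversal of the calling chain. The chain names (mark_<value>), the PREROUTING hook and the sample selectors are assumptions; nothing here loads rules into a kernel, it only produces the text you would feed to iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# fragment implementing the "MARK then ACCEPT in a per-value user chain"
# pattern. Chain names and hook are assumptions for illustration.
#
# usage: gen_mark_ruleset "VALUE MATCH" ...
#   e.g. gen_mark_ruleset "1 -p tcp --dport 22" "2 -p udp --dport 53"
gen_mark_ruleset() {
    echo '*mangle'
    echo ':PREROUTING ACCEPT [0:0]'
    # iptables-restore requires every user chain to be declared (":name - [0:0]")
    # before any -A rule that references it, so declare all chains first.
    for spec in "$@"; do
        echo ":mark_${spec%% *} - [0:0]"
    done
    # One jump rule per selector in the base chain.
    for spec in "$@"; do
        value=${spec%% *}
        match=${spec#* }
        echo "-A PREROUTING $match -j mark_$value"
    done
    # Each user chain sets the mark and then ACCEPTs. ACCEPT in a user chain
    # terminates traversal of the base chain too, which is the effect the
    # proposed --terminate option would give to MARK directly.
    for spec in "$@"; do
        value=${spec%% *}
        echo "-A mark_$value -j MARK --set-mark $value"
        echo "-A mark_$value -j ACCEPT"
    done
    echo 'COMMIT'
}

# count_mark_chains VALUE MATCH ... -> number of per-mark user chains generated
count_mark_chains() {
    gen_mark_ruleset "$@" | grep -c '^:mark_'
}

# Stand-alone demo with constructed selectors:
#   gen_mark_ruleset "1 -p tcp --dport 22" "2 -p udp --dport 53"
```

Two caveats a practitioner should keep in mind. First, the example shows exactly why the thread calls this ugly: every new mark value costs a chain plus two rules, and the jump rules must stay in sync with the chains. Second, ACCEPT here only ends traversal of the mangle table at this hook; the packet still passes through the nat and filter tables, so marking with ACCEPT in mangle is not a substitute for a filter-table policy.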