I'm using iptables mangle to mark traffic with different DSCP values. I'd like to confirm the order in which overlapping rules will be applied. I assumed that the logic would be the same as with iptables generally: the first matching rule in the chain would be applied. But in fact it seems to be the reverse. For example with the following rules:
Chain OUTPUT (policy ACCEPT)
target  prot  opt  source    destination
DSCP    icmp  --   anywhere  anywhere     DSCP set 0x14
DSCP    all   --   anywhere  anywhere     DSCP set 0x0f
I assumed that ICMP packets would be marked with 0x14, but they are in fact marked with 0x0f. Can I trust this always to be the case? That the last matching rule in the chain will be applied instead of the first one? I could not find documentation about this anywhere.
Asked by Sampo
(21 rep)
Sep 15, 2015, 12:42 PM
Last activity: Jan 29, 2019, 05:02 PM
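The behaviour in the question follows from the DSCP target being non-terminating: like MARK, TOS and CONNMARK, it rewrites the packet and then lets traversal of the chain continue, so when several DSCP rules match, the last one to run leaves its value behind. Only a terminating target (ACCEPT, DROP, RETURN, REJECT) stops the walk. The script below is an added illustration written for this page, not code from the original post: it models that walk over three constructed rulesets (the questioner's, the same rules in reverse order, and a version with an explicit ACCEPT after the ICMP rule) so the effect can be checked without touching a real firewall. The rule format, the `walk_chain` function and the packet protocol names are assumptions of this model.

```shell
#!/bin/sh
# Model of how netfilter walks an iptables mangle chain.
# Written for this page as an illustration; not code from the original post.
# Rule format, one rule per line:  "<proto> <target> [<value>]"
#   proto  : icmp, tcp, udp, or all
#   target : DSCP   - non-terminating: sets the value, traversal continues
#            ACCEPT - terminating: traversal of this chain stops here
# (constructed rulesets; a real one is loaded with iptables(8) instead)

# Ruleset from the question. DSCP does not terminate, so an ICMP packet
# matches both rules and the second rule overwrites the first.
ORIGINAL='icmp DSCP 0x14
all DSCP 0x0f'

# Fix 1: put the specific rule last so it is the final writer.
# iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x0f
# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp 0x14
REORDERED='all DSCP 0x0f
icmp DSCP 0x14'

# Fix 2: keep the order but stop the walk right after the specific rule.
# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp 0x14
# iptables -t mangle -A OUTPUT -p icmp -j ACCEPT
# iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x0f
TERMINATED='icmp DSCP 0x14
icmp ACCEPT
all DSCP 0x0f'

# walk_chain PROTO RULES
# Prints the DSCP value a packet of protocol PROTO leaves the chain with
# (0x00 if no DSCP rule matched), walking the rules top to bottom.
walk_chain() {
    proto=$1
    rules=$2
    dscp=0x00
    while IFS=' ' read -r r_proto r_target r_value; do
        [ -z "$r_proto" ] && continue
        # Skip rules whose match does not cover this packet.
        [ "$r_proto" = all ] || [ "$r_proto" = "$proto" ] || continue
        case $r_target in
            DSCP)   dscp=$r_value ;;   # rewrite and keep walking
            ACCEPT) break ;;           # terminating target: stop here
        esac
    done <<EOF
$rules
EOF
    printf '%s\n' "$dscp"
}

# Show the outcome for an ICMP and a TCP packet under each ruleset.
for name in ORIGINAL REORDERED TERMINATED; do
    eval "rules=\$$name"
    printf '%-10s icmp -> %s   tcp -> %s\n' "$name" \
        "$(walk_chain icmp "$rules")" "$(walk_chain tcp "$rules")"
done
```

Note that ACCEPT in the mangle table only ends traversal of that chain; the packet still continues through the other tables and hooks, so it is safe to use as a "stop rewriting here" marker. On a real system, `iptables -t mangle -L OUTPUT -v -n` shows per-rule packet counters, which is the quickest way to confirm that both rules are being hit for the same packet.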