# Iptables rules for Internet2 (exempt) nodes. Nodes sending traffic
# to any of the IPs in the Internet2 ipset (hash) will end up in the
# slice's exempt queue. This supersedes the default config that lives
# in svn/iptables/planetlab-config
#
# Format: iptables-restore input. Rule order within each chain is
# significant; comments must occupy whole lines.

# ---------------------------------------------------------------------
# filter table
# ---------------------------------------------------------------------
*filter
# Built-in chains default to ACCEPT and this file adds no INPUT or
# FORWARD rules, so it performs no inbound filtering on its own.
# NOTE(review): any inbound restriction has to come from rules loaded
# elsewhere -- confirm that is intended for these nodes.
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
# User-defined chains, declared empty here ("-" means no policy).
# NOTE(review): nothing in this file populates BLACKLIST; presumably
# rules are inserted at runtime by another component -- verify.
:BLACKLIST -
:LOGDROP -
# All locally generated packets traverse BLACKLIST first, before the
# ULOG accounting rule below.
-A OUTPUT -j BLACKLIST
# Copy packets leaving via eth0 to userspace through ULOG:
#   --ulog-cprange 54     copy only the first 54 bytes of each packet
#   --ulog-qthreshold 16  batch 16 packets per netlink message
# ULOG is non-terminating, so the packet then falls through to the
# chain policy (ACCEPT). Only eth0 is covered; traffic leaving through
# any other interface is not logged by this rule.
-A OUTPUT -o eth0 -j ULOG --ulog-cprange 54 --ulog-qthreshold 16
# LOGDROP: write a kernel log entry, then drop the packet.
# NOTE(review): no rule in this file jumps to LOGDROP; presumably it is
# the target of entries added to BLACKLIST -- confirm.
# NOTE(review): the LOG rule has no rate limit (e.g. "-m limit"), so a
# burst of matching packets can flood the kernel log.
-A LOGDROP -j LOG
-A LOGDROP -j DROP
COMMIT

# ---------------------------------------------------------------------
# mangle table
# ---------------------------------------------------------------------
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
# NOTE(review): "--copy-xid" is not a stock MARK option and "--add-mark"
# is not a stock CLASSIFY option; presumably both come from the
# PlanetLab/VServer-patched iptables and tie the packet mark / traffic
# class to the slice context id -- confirm against the node's build.
# This file will not load on an unpatched iptables.
-A INPUT -j MARK --copy-xid 0x0
-A POSTROUTING -j MARK --copy-xid 0x0
# Every outgoing packet is first classified into class 0001:1000.
-A POSTROUTING -j CLASSIFY --set-class 0001:1000 --add-mark
# Packets whose destination address is a member of the "Internet2"
# ipset are then reclassified into class 0001:2000 (the exempt queue
# per the header comment). This rule must stay after the one above:
# both are non-terminating, so the later classification is the one
# that sticks.
# NOTE(review): the "Internet2" set must already exist when this file
# is loaded, otherwise this rule cannot be added.
# NOTE(review): membership of that set decides which destinations get
# exempt treatment, so whatever maintains it should be the only thing
# allowed to modify it -- confirm who owns the set.
-A POSTROUTING -m set --set Internet2 dst -j CLASSIFY --set-class 0001:2000 --add-mark
COMMIT