Hi,

> I'm just wondering. You use connmark to mark the whole connection, but isn't
> that only working in 1 direction?

Ok, first I was not sure about this question but I took a look at /proc/net/ip_conntrack :

tcp 6 379813 ESTABLISHED src=153.19.72.215 dst=139.18.38.96 sport=1240 dport=1214 src=139.18.38.96 dst=153.19.72.215 sport=1214 dport=1240 [ASSURED] use=1 mark=22

This is a single entry, so I believe it puts a mark at the whole connection in both directions. And a quick test approved this. I used the following commands to count marked packets in the POSTROUTING chain.

iptables -A POSTROUTING -t mangle -o eth0 -m mark --mark 12 -j ACCEPT
iptables -A POSTROUTING -t mangle -o eth1 -m mark --mark 12 -j ACCEPT

That gave the following output:

648K 703M ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0xc
520K 103M ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK match 0xc

As you can see there are packets leaving the bridge at eth0 and at eth1 as well marked with the same handle.

> You want to mark on eth0 and use that mark also to shape on eth1.

Exactly, so as the connmark part seems to be working is there a chance to get tc filter working in the same way too?

Any comments would be very much appreciated!

Thanks,
Mike.