On Wednesday 07 May 2003 11:39, miller69@xxxxxxx wrote:
> Hi,
>
> > I'm just wondering. You use connmark to mark the whole connection, but
> > isn't
> > that only working in 1 direction?
>
> Ok, first I was not sure about this question but I took a look at
> /proc/net/ip_conntrack :
>
> tcp 6 379813 ESTABLISHED src=153.19.72.215 dst=139.18.38.96 sport=1240
> dport=1214 src=139.18.38.96 dst=153.19.72.215 sport=1214 dport=1240
> [ASSURED] use=1 mark=22
>
> This is a single entry, so I believe it puts a mark at the whole connection
> in both directions. And a quick test approved this. I used the following
> commands to count marked packets in the POSTROUTING chain.
>
> iptables -A POSTROUTING -t mangle -o eth0 -m mark --mark 12 -j ACCEPT
> iptables -A POSTROUTING -t mangle -o eth1 -m mark --mark 12 -j ACCEPT
>
> That gave the following output:
>
> 648K 703M ACCEPT all -- * eth0 0.0.0.0/0
> 0.0.0.0/0 MARK match 0xc
> 520K 103M ACCEPT all -- * eth1 0.0.0.0/0
> 0.0.0.0/0 MARK match 0xc
>
> As you can see there are packets leaving the bridge at eth0 and at eth1 as
> well marked with the same handle. Ok. So the mark is in both directions.
>
> You want to mark on eth0 and use that mark also to shape on eth1.
>
> Exactly, so as the connmark part seems to be working, is there a chance to
> get tc filter working in the same way too? Any comments would be very much
> appreciated!

I have no idea. It should work. If iptables can see the mark, the fw filter
can. So the fw filter should be able to use the mark.

Stef

--
stef.coene@xxxxxxxxx
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
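As an added example (not from the thread and not docum.org's code), a dry-run shell script that wires the two halves together: CONNMARK saves the mark on the conntrack entry and restores it onto every packet of that connection, so both directions carry it, and a tc fw filter on eth1 matches the restored mark. Interface names, the mark value 12, port 1214 and the HTB class ids are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): mark a connection on the eth0 side
# with CONNMARK, copy the mark back onto every packet of that connection
# (both directions) and let a tc "fw" filter on eth1 pick it up.
# Interface names, mark 12 (0xc as in the thread), port 1214 (from the
# conntrack line) and the HTB class ids are assumptions; DRY_RUN=1 (default)
# only prints the commands, DRY_RUN=0 runs them (needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# MARK sets the per-packet nfmark; CONNMARK stores a ctmark on the conntrack
# entry (the "mark=" field in /proc/net/ip_conntrack). The fw classifier
# looks at the nfmark, so the ctmark must be restored onto each packet.
setup_connmark_shaping() {
    mark=12
    # 1. copy an existing ctmark onto every incoming packet first, so the
    #    reply direction of an already-marked connection is marked too
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. still-unmarked packets entering on eth0 for port 1214 get the mark,
    #    which is then saved to the conntrack entry
    run iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 1214 \
        -m mark --mark 0 -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 1214 \
        -j CONNMARK --save-mark
    # 3. shape on eth1: the fw filter matches the restored nfmark
    run tc qdisc add dev eth1 root handle 1: htb default 10
    run tc class add dev eth1 parent 1: classid 1:10 htb rate 10mbit
    run tc class add dev eth1 parent 1: classid 1:12 htb rate 2mbit
    run tc filter add dev eth1 parent 1: protocol ip prio 1 \
        handle "$mark" fw flowid 1:12
}

# number of generated commands that touch a given interface (sanity check,
# always in dry-run mode so nothing is applied)
count_cmds_for() {
    ( DRY_RUN=1; setup_connmark_shaping ) | grep -c -- "$1"
}

setup_connmark_shaping
```

Once the rules are in place, `iptables -t mangle -L PREROUTING -v` and `tc -s filter show dev eth1` show whether packets in both directions hit the mark and the fw filter.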