Hello Martin,

Thanks very much for your explanation.

> So, locally generated packets marked in the OUTPUT chain have already been
> routed.

This is really quite sad, isn't it? I was attempting the following for locally generated packets:

  iptables --append OUTPUT --table mangle --match owner \
      --uid-owner 500 --jump MARK --set-mark 0x5
  ip rule add fwmark 0x5 table 5
  etc ...

By matching the process uid or gid, I was counting on being able to policy route based on who was asking -- quite a neat solution actually. ip rule doesn't allow matching on a uid/gid, and from your explanation, it would be hard to imagine. I don't suppose you have a way around this??

Cheers
Charles