I believe I am using fwmark as below. Any input would be appreciated.

Here is part of the setup:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 21 -t mangle -j MARK --set-mark 14
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 80 -t mangle -j MARK --set-mark 2
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 3128 -t mangle -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -j CONNMARK --save-mark

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a

Here is part of /proc/net/ip_conntrack showing the packet is getting marked:

tcp 6 431989 ESTABLISHED src=10.0.1.99 dst=196.34.2.188 sport=1838 dport=3128 src=196.34.2.188 dst=10.0.1.99 sport=3128 dport=1838 [ASSURED] use=1 mark=2

Here is part of the QOS class stats, showing no packets being picked up by the filter command:

class htb 1:2 parent 1:1001 leaf 2a: prio 0 quantum 1500 rate 22Kbit ceil 120Kbit burst 1627b/8 mpu 0b cburst 1752b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 473600 ctokens: 93492

Thanks
Wayne

----- Original Message -----
From: "S Mohan" <smohan@xxxxxxxx>
To: "Wayne" <wayne@xxxxxxxxxxxxxxxx>; <lartc@xxxxxxxxxxxxxxx>
Sent: Wednesday, August 20, 2003 12:00 PM
Subject: RE: [LARTC] FTP Connection Tracking in a Bridge

> You must use fwmark setting and not connmark.
>
> Mohan
> -----Original Message-----
> From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx] On
> Behalf Of Wayne
> Sent: Wednesday, August 20, 2003 2:18 PM
> To: lartc@xxxxxxxxxxxxxxx
> Subject: [LARTC] FTP Connection Tracking in a Bridge
>
>
> Hello,
> I have a box running as a bridge and am trying to track the passive FTP
> sessions by marking them with iptables (CONNMARK option installed) and then
> trying to pick up the mark using tc filter fwmark. This is not working.
> I have checked the marking of the packets and this is working fine because I
> can see the marks when I cat /proc/net/ip_conntrack.
> Having set up my queues and using the following command:
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a
> I do not get any traffic going into this queue. I am running kernel 2.4.21.
> My question is whether the packet that I have marked is actually ever
> getting to the tc filter. As I am running a bridge, does the packet get
> marked in iptables PREROUTING, and then go straight to the FORWARD rule and
> then out?
> What is the sequence in which iptables processes the packet and then the tc
> filter processes the packet?
> Many thanks
> Wayne
>
>
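The thread turns on two facts that are easy to check mechanically: a `fw` classifier matches a packet when its mark equals the filter's `handle`, and a class that the filter points at should show a non-zero "Sent" counter once matching packets pass through. The following script is an added example, not code from the thread or from the LARTC project; it cross-checks the three pieces of output quoted above (conntrack entries, `tc filter show`, `tc -s class show`) and reports marks that no fw filter handles, and filters whose target class has not sent a single byte. The sample text is constructed for the example, modelled on the lines quoted in the thread, and the `tc filter show` lines are assumed to follow the usual `fw handle 0x2 classid 1:2a` layout.

```python
import re
from collections import Counter

# Constructed samples (not captured from the poster's bridge), modelled on the
# output quoted in the thread: 2.4-era /proc/net/ip_conntrack lines, and the
# usual layout of "tc filter show dev eth1" and "tc -s class show dev eth1".
SAMPLE_CONNTRACK = """\
tcp      6 431989 ESTABLISHED src=10.0.1.99 dst=196.34.2.188 sport=1838 dport=3128 src=196.34.2.188 dst=10.0.1.99 sport=3128 dport=1838 [ASSURED] use=1 mark=2
tcp      6 431900 ESTABLISHED src=10.0.1.99 dst=196.34.2.188 sport=1840 dport=21 src=196.34.2.188 dst=10.0.1.99 sport=21 dport=1840 [ASSURED] use=1 mark=14
udp      17 25 src=10.0.1.99 dst=10.0.1.1 sport=1025 dport=53 src=10.0.1.1 dst=10.0.1.99 sport=53 dport=1025 use=1 mark=0
"""

SAMPLE_TC_FILTERS = """\
filter parent 1: protocol ip pref 1 fw
filter parent 1: protocol ip pref 1 fw handle 0x2 classid 1:2a
"""

SAMPLE_TC_CLASSES = """\
class htb 1:2 parent 1:1001 leaf 2a: prio 0 quantum 1500 rate 22Kbit ceil 120Kbit burst 1627b/8 mpu 0b cburst 1752b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 473600 ctokens: 93492
"""

CONNTRACK_MARK_RE = re.compile(r"\bmark=(\d+)")
# fw filters print the handle (the mark they match) in hex; accept decimal too.
FW_FILTER_RE = re.compile(r"\bfw handle (0x[0-9a-fA-F]+|\d+) classid (\S+)")
CLASS_HDR_RE = re.compile(r"^class \S+ (\S+) ")
CLASS_SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkts")


def conntrack_marks(text):
    """Count conntrack entries per mark value; mark=0 means never marked."""
    return Counter(int(m.group(1)) for m in CONNTRACK_MARK_RE.finditer(text))


def fw_filters(text):
    """Map each fw filter handle (the mark it matches) to its target classid."""
    handles = {}
    for line in text.splitlines():
        m = FW_FILTER_RE.search(line)
        if m:
            handles[int(m.group(1), 0)] = m.group(2)
    return handles


def class_bytes(text):
    """Map classid -> bytes sent, taken from the 'Sent' line under each class."""
    sent, current = {}, None
    for line in text.splitlines():
        hdr = CLASS_HDR_RE.match(line)
        if hdr:
            current = hdr.group(1)
            continue
        m = CLASS_SENT_RE.match(line)
        if m and current:
            sent[current] = int(m.group(1))
    return sent


def diagnose(conntrack, filters, classes):
    """Cross-check marks against fw filters and the filters' target classes.

    unfiltered_marks: non-zero marks present in conntrack with no fw filter
                      whose handle equals them (those packets cannot be
                      classified by mark).
    idle_filters:     fw filters whose mark does appear in conntrack but whose
                      target class shows no bytes sent (None = class not listed).
    """
    marks = conntrack_marks(conntrack)
    handles = fw_filters(filters)
    sent = class_bytes(classes)
    unfiltered = sorted(m for m in marks if m != 0 and m not in handles)
    idle = {
        h: (cid, sent.get(cid))
        for h, cid in handles.items()
        if marks.get(h) and not sent.get(cid)
    }
    return {"marks": dict(marks), "unfiltered_marks": unfiltered, "idle_filters": idle}


if __name__ == "__main__":
    report = diagnose(SAMPLE_CONNTRACK, SAMPLE_TC_FILTERS, SAMPLE_TC_CLASSES)
    print("entries per mark     :", report["marks"])
    print("marks with no filter :", report["unfiltered_marks"])
    print("filters with idle class:", report["idle_filters"])
```

On a live box the three strings would come from `cat /proc/net/ip_conntrack`, `tc filter show dev eth1` and `tc -s class show dev eth1`. A mark that shows up in the first list but has no fw handle (mark 14 in the constructed sample) is simply unclassifiable; a filter whose mark is present in conntrack while its target class stays at zero bytes is the situation the thread describes, and it points at the packet path (where marking happens relative to the egress qdisc on a bridge) rather than at the marking rules themselves.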