I saw this snippet from Daniel Chemko dchemko@xxxxxxxxxx, Mon, 31 May 2004 09:30:43 -0700:

    # Egress marking (mostly for QOS operations)
    iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
    iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
    iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
    iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

I want to mark many packets, including FTP.
So above these lines, I have a few more lines in my script, like the following:

    iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 0x110
    iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
    iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
    iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
    iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

So, when an ICMP packet comes to the 2nd ('restore-mark') line, it is already marked with 0x110. Will the restore-mark mark the packet with 0, since there is no connmark set for ICMP? Or will it leave the packet untouched?

In that case, I cannot redirect the ICMP packet to the class I defined for it.

What is the solution for this issue? What should I do if I have different classification marks, some using connmark and some not (just fw mark)?
regards
Salim
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
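The rule order asked about above, traced in a small model of the mangle chain. This is an added example and not from the post or the netfilter project: it is a constructed simulation that reproduces the documented semantics of MARK, CONNMARK --restore-mark/--save-mark (default mask 0xffffffff, so the connection mark replaces the packet mark, and a tracked connection that was never saved to has a connmark of 0) and the `-m mark ! --mark 0` match, so you can see the mark an ICMP packet ends up with in each ordering. Rule names and dict keys are the example's own.

```python
def run_chain(rules, pkt, conntrack):
    """Apply rules in order and return the packet's final nfmark.

    pkt: {'proto': str, 'dport': int|None, 'mark': int}
    conntrack: connection key -> saved connmark (shared across packets,
    standing in for the conntrack table). Simulation only, not iptables.
    """
    conn = (pkt["proto"], pkt.get("dport"))
    for rule in rules:
        m = rule.get("match", {})
        if "proto" in m and m["proto"] != pkt["proto"]:
            continue
        if "dport" in m and m["dport"] != pkt.get("dport"):
            continue
        if "mark_not" in m and pkt["mark"] == m["mark_not"]:
            continue                      # "-m mark ! --mark 0" did not match
        target = rule["target"]
        if target == "MARK":              # -j MARK --set-mark
            pkt["mark"] = rule["value"]
        elif target == "CONNMARK_RESTORE":  # -j CONNMARK --restore-mark
            # full mask: connmark overwrites the packet mark; an unsaved
            # (tracked) connection has connmark 0, so the mark becomes 0
            pkt["mark"] = conntrack.get(conn, 0)
        elif target == "CONNMARK_SAVE":   # -j CONNMARK --save-mark
            conntrack[conn] = pkt["mark"]
        elif target == "ACCEPT":          # stop traversing this chain
            break
    return pkt["mark"]

ORIGINAL = [  # order from the post: ICMP is marked before restore-mark
    {"match": {"proto": "icmp"}, "target": "MARK", "value": 0x110},
    {"target": "CONNMARK_RESTORE"},
    {"match": {"mark_not": 0}, "target": "ACCEPT"},
    {"match": {"proto": "tcp", "dport": 21}, "target": "MARK", "value": 0x111},
    {"target": "CONNMARK_SAVE"},
]

REORDERED = [  # restore first, classify everything, then save once
    {"target": "CONNMARK_RESTORE"},
    {"match": {"mark_not": 0}, "target": "ACCEPT"},
    {"match": {"proto": "icmp"}, "target": "MARK", "value": 0x110},
    {"match": {"proto": "tcp", "dport": 21}, "target": "MARK", "value": 0x111},
    {"target": "CONNMARK_SAVE"},
]

def icmp_mark(rules, conntrack=None):
    """Final mark of a fresh ICMP packet (constructed input) under `rules`."""
    return run_chain(rules, {"proto": "icmp", "mark": 0},
                     {} if conntrack is None else conntrack)
```

In the REORDERED chain the ICMP mark also survives into the conntrack entry, so the second packet of the same flow is restored to 0x110 and accepted at rule two without re-classification.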