> And, I'm really angry, I don't understand why. ;-(((

Seems that all the trouble came from restoring connmarks on PREROUTING.

Now my script:

1) ignores PREROUTING and INPUT.

2) restores connmark on FORWARD and marks packets accordingly:

	$IPT -t mangle -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED \
		-j CONNMARK --restore-mark
	$IPT -t mangle -A FORWARD -m state --state NEW -j mrk-pre-fwd
	$IPT -t mangle -A FORWARD -m state --state NEW -m mark --mark 0 -j mrk-post-fwd

3) same on OUTPUT (without the state check, proven to be a bit unreliable...):

	$IPT -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
		-j CONNMARK --restore-mark
	$IPT -t mangle -A OUTPUT -j mrk-pre-out
	$IPT -t mangle -A OUTPUT -m mark --mark 0 -j mrk-post-out

5) default and save on POSTROUTING:

	$IPT -t mangle -A POSTROUTING -m mark --mark 0 -j MARK --set-mark $DEFAULT
	$IPT -t mangle -A POSTROUTING -j CONNMARK --save-mark

And now it works. Packets are marked right, and there are no connection stalls.

Boh...

-- 
dott. Marco Gaiarin
Associazione ``La Nostra Famiglia''
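
The FORWARD and POSTROUTING rules from the message above, modelled as an added example that is not part of the original post. It shows that reply packets inherit the mark chosen for the first packet of the flow even though the classifier alone would not match them. The value of DEFAULT and the contents of the mrk-pre-fwd and mrk-post-fwd chains are assumptions, since the message does not show them.

```python
# Toy model of the forwarded-traffic rules in the message (mangle FORWARD + POSTROUTING).
# Assumptions (not in the post): DEFAULT = 9, and mrk-pre-fwd marks traffic to
# TCP port 22 with 1. The post shows neither $DEFAULT nor the mrk-* chains.
DEFAULT = 9

def mrk_pre_fwd(pkt):
    """Hypothetical classifier chain: matches on destination port only."""
    if pkt["dport"] == 22:
        pkt["mark"] = 1

def mrk_post_fwd(pkt):
    """Hypothetical fallback chain; left empty so the POSTROUTING default applies."""

class Mangle:
    def __init__(self):
        self.connmark = {}  # flow key -> mark saved on the conntrack entry

    @staticmethod
    def flow_key(pkt):
        # Both directions of a flow map to the same conntrack entry.
        return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

    def forward(self, pkt):
        """Pass one packet through FORWARD then POSTROUTING; return its final mark."""
        key = self.flow_key(pkt)
        # Simplification: a flow seen before counts as ESTABLISHED, otherwise NEW.
        established = key in self.connmark
        pkt["mark"] = 0  # packets arrive with no fwmark
        if established:
            pkt["mark"] = self.connmark[key]      # CONNMARK --restore-mark
        else:
            mrk_pre_fwd(pkt)                      # --state NEW -j mrk-pre-fwd
            if pkt["mark"] == 0:
                mrk_post_fwd(pkt)                 # --state NEW --mark 0 -j mrk-post-fwd
        if pkt["mark"] == 0:
            pkt["mark"] = DEFAULT                 # MARK --set-mark $DEFAULT
        self.connmark[key] = pkt["mark"]          # CONNMARK --save-mark
        return pkt["mark"]

def demo():
    """Constructed packets: an SSH flow and a web flow, each with its reply."""
    fw = Mangle()
    pkts = [
        dict(src="10.0.0.2", sport=40000, dst="192.0.2.10", dport=22),
        dict(src="192.0.2.10", sport=22, dst="10.0.0.2", dport=40000),
        dict(src="10.0.0.2", sport=40001, dst="192.0.2.10", dport=80),
        dict(src="192.0.2.10", sport=80, dst="10.0.0.2", dport=40001),
    ]
    return [fw.forward(p) for p in pkts]

if __name__ == "__main__":
    print(demo())
```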