Hello! Andrew Beverley
  On that day it was said...

> You can't. IFB hooks into the interface *before* iptables, so you won't
> see any marks on the packets.

I supposed that. But because I use 'connmark save'/'connmark restore' I also supposed that in the ifb interface I could simply restore the marks, losing only some 'new' traffic in input (which for a firewall/gateway is not a problem).

But I'm astonished: ifb looks like a ''normal'' interface but has no netfilter at all... confirmed by a Google search.

> Yes, this is your only chance. I've not used IMQ for a long time, but
> from memory you can choose where to hook it into iptables. Question 4 of

Cool!

> The disadvantage is that you'll need to patch your kernel unfortunately.

Sure? Both LARTC and the FAQ you cite say that the hooks are *after* the mangle PREROUTING table, so it seems that it works...

Ahem, but now I have a bigger trouble:

 tank:~# find /lib/ -name \*IMQ\*
 tank:~# grep -i imq /boot/config-2.6.32-5-686
 tank:~# apt-cache search imq
 tank:~#

 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320965

It seems that IMQ has been totally removed from recent Debian (at least from lenny), so I'm stopped again.

OK, it seems there's no way to do ingress policing on Linux using fwmark. ;(

-- 
dott. Marco Gaiarin
Associazione ``La Nostra Famiglia''