I'm playing with connmarks to match SIP and h323 traffic, and I've loaded the connmark modules. Debian squeeze:

    tank:~# uname -a
    Linux tank 2.6.32-5-686 #1 SMP Fri May 10 08:33:48 UTC 2013 i686 GNU/Linux
    tank:~# iptables -V
    iptables v1.4.8

I've set up some rules like (on the mangle table):

    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
    -A FORWARD -m state --state NEW -m mark --mark 0x0 -j mrk-post-fwd

and:

    -A mrk-post-fwd -m helper --helper "h323" -j MARK --set-xmark 0x1/0xffffffff
    -A mrk-post-fwd -m helper --helper "h323" -j RETURN
    -A mrk-post-fwd -m helper --helper "sip" -j MARK --set-xmark 0x1/0xffffffff
    -A mrk-post-fwd -m helper --helper "sip" -j RETURN

but the counter on that rule remains 0.

I suppose it is right, because the RTP traffic comes after the session (SIP or h323) was established, and so is correctly accounted: so the first rule restores the mark on RTP traffic also.

Or I'm missing something, e.g. the two rules on the FORWARD chain work only on TCP and so all the UDP traffic gets skipped (and generic-marked by a "last resort" rule at the end)?

How can I "debug" these things?

Thanks.

-- 
dott. Marco Gaiarin                     GNUPG Key ID: 240A3D66
Associazione "La Nostra Famiglia"       http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711  f +39-0434-842797
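An added example, not part of the original post: a simplified Python model of how the rules shown above see one SIP call, useful for reasoning about which rule counters can move at all. It assumes the helper match behaves like the kernel's xt_helper (it matches only a connection that has a master connection whose helper carries the given name) and that no `--save-mark` rule exists beyond the rules shown. The packets, the function names and the variant (jump on RELATED as well, plus a save step) are constructed for illustration.

```python
# Simplified model of the posted mangle rules; every packet below is constructed.
def helper(name):
    # Assumption: like the kernel's xt_helper, match only when the connection
    # has a master (it was expected) and the master's helper has this name.
    return lambda state, conn, mark: conn["master_helper"] == name

def ruleset(jump_states, save_mark):
    chain = []
    for h in ("h323", "sip"):
        chain.append((h + " MARK", helper(h), "mark"))
        if save_mark:  # hypothetical extra rule: -j CONNMARK --save-mark
            chain.append((h + " SAVE", helper(h), "save"))
        chain.append((h + " RETURN", helper(h), "return"))
    return [("restore", lambda s, c, m: s in ("RELATED", "ESTABLISHED"), "restore"),
            ("jump", lambda s, c, m: s in jump_states and m == 0, chain)]

def walk(chain, state, conn, mark, hits):
    for name, match, action in chain:
        if not match(state, conn, mark):
            continue
        hits[name] = hits.get(name, 0) + 1
        if action == "restore":      # CONNMARK --restore-mark, full masks
            mark = conn["ctmark"]
        elif action == "mark":       # MARK --set-xmark 0x1/0xffffffff
            mark = 1
        elif action == "save":
            conn["ctmark"] = mark
        elif action == "return":
            return mark
        else:                        # jump into the user-defined chain
            mark = walk(action, state, conn, mark, hits)
    return mark

def simulate(jump_states=("NEW",), save_mark=False):
    sip = {"master_helper": None, "ctmark": 0}    # signalling, no master
    rtp = {"master_helper": "sip", "ctmark": 0}   # expected by the SIP helper
    packets = [("NEW", sip), ("ESTABLISHED", sip),
               ("RELATED", rtp), ("ESTABLISHED", rtp), ("ESTABLISHED", rtp)]
    hits = {}
    marks = [walk(ruleset(jump_states, save_mark), st, c, 0, hits) for st, c in packets]
    return hits, marks

if __name__ == "__main__":
    print("as posted:", simulate())
    print("variant:  ", simulate(("NEW", "RELATED"), save_mark=True))
```

In the model, the rules as posted never hit a helper rule: the signalling connection has no master, and the first RTP packet is RELATED rather than NEW, so it never enters mrk-post-fwd.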