Hello,

On Tuesday, 2008 September 2 at 11:44:18 -0700, jon hale wrote:
> On Mon, Sep 1, 2008 at 6:14 AM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> > jon hale wrote:
> >>
> >> I have a problem when I combine owner-gid, fwmark, and iproute2.
> >> I am starting to wonder if I can really get there from here.
> >>
> >> Synopsis:
> >> I have been trying to set up policy routing based upon the group id
> >> of the process sending the packets.
> >>
> >> It works for most packets, but there is some scenario that happens
> >> at the end of every ftp upload, where the packet goes out the wrong
> >> interface and gums up the works.
> >
> > The stack may send packets that don't belong to the original socket.
> > You need to use CONNMARK to make sure all packets of a connection
> > are marked similar.
> >
> Hmm, I thought I was using CONNMARK
> I do have the iptables command:
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>
> Is there something else I need as well?

maybe:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

BR,
-- 
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
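
Added example, not part of the thread: a small Python model of the mangle OUTPUT chain, showing how a packet the stack sends without an owning socket loses its mark at the end of a transfer, and how restoring the connection mark before the owner match keeps it on the policy route. The gid 1001, mark 1, the "alt"/"main" table labels and the placement of the restore rule in OUTPUT are assumptions made for the model.

```python
"""Toy model of gid-based policy routing with MARK/CONNMARK (constructed)."""
from dataclasses import dataclass
from typing import Optional

VPN_GID, VPN_MARK = 1001, 1  # assumed values, not taken from the thread


@dataclass
class Conn:
    connmark: int = 0  # mark stored on the conntrack entry


@dataclass
class Packet:
    conn: Conn
    owner_gid: Optional[int]  # None: sent by the stack, no owning socket
    mark: int = 0             # per-packet fwmark, starts at 0


def restore_mark(p: Packet) -> None:
    # -j CONNMARK --restore-mark: copy the connection mark onto the packet
    p.mark = p.conn.connmark


def owner_mark(p: Packet) -> None:
    # -m mark --mark 0 -m owner --gid-owner GID -j MARK --set-mark N
    if p.mark == 0 and p.owner_gid == VPN_GID:
        p.mark = VPN_MARK


def save_mark(p: Packet) -> None:
    # -j CONNMARK --save-mark: copy the packet mark onto the connection
    p.conn.connmark = p.mark


OWNER_ONLY = [owner_mark, save_mark]
WITH_RESTORE = [restore_mark, owner_mark, save_mark]


def route(chain, packets):
    """Run each packet through the chain; 'ip rule fwmark' then picks a table."""
    tables = []
    for p in packets:
        for rule in chain:
            rule(p)
        tables.append("alt" if p.mark == VPN_MARK else "main")
    return tables


def ftp_upload():
    """Two data segments from the process, then one ownerless closing packet."""
    c = Conn()
    return [Packet(c, VPN_GID), Packet(c, VPN_GID), Packet(c, None)]
```

In the owner-only chain the ownerless packet also overwrites the stored connection mark with 0, because --save-mark copies whatever mark the packet carries.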