BTW, obviously you could just skip the '--syn' match, MARK all tcp packets to those ports, rely on the fwmark rule for everything (and not just the SYN packets), and not even bother with the 'from 192.168.100.3' rule. But that would be boring and would not show the issue at hand. ;-)

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
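The two setups the post contrasts, as an added example that is not part of the original message or of the netfilter project: one variant marks only the SYN of each connection and relies on a separate source-address rule for the rest of the flow, the other marks every TCP packet to the ports so the fwmark rule alone steers the flow. The port numbers (80, 443), the mark value (0x1), the routing table (100), the gateway (10.0.0.1) and the use of the mangle PREROUTING chain are assumptions, since the post names none of them; only the 'from 192.168.100.3' rule and the '--syn' match come from the post. By default the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed values (the post
# does not give them): ports 80 and 443, fwmark 0x1, routing table 100,
# alternate gateway 10.0.0.1, marking in the mangle PREROUTING chain.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.
DRY_RUN=${DRY_RUN:-1}
MARK=0x1
TABLE=100
GW=10.0.0.1
PORTS="80 443"
SRC=192.168.100.3

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Variant 1: only the SYN of each connection carries the mark, so the fwmark
# rule routes the SYN alone. Every later packet of the flow has no mark and
# is matched by the separate 'from 192.168.100.3' rule, which keys on the
# source address instead. This is the setup the post says shows the issue.
rules_syn_only() {
    for p in $PORTS; do
        run iptables -t mangle -A PREROUTING -p tcp --dport "$p" --syn \
            -j MARK --set-mark "$MARK"
    done
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip rule add from "$SRC" table "$TABLE"
    run ip route add default via "$GW" table "$TABLE"
}

# Variant 2: mark every TCP packet to those ports, so the fwmark rule steers
# the whole flow by itself and no source-address rule is needed (the
# "boring" alternative from the post).
rules_mark_all() {
    for p in $PORTS; do
        run iptables -t mangle -A PREROUTING -p tcp --dport "$p" \
            -j MARK --set-mark "$MARK"
    done
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GW" table "$TABLE"
}

case "${1:-}" in
    syn-only) rules_syn_only ;;
    mark-all) rules_mark_all ;;
    "") ;;
    *) echo "usage: $0 syn-only|mark-all" >&2; exit 2 ;;
esac
```

Run as `sh rules.sh syn-only` or `sh rules.sh mark-all` to see the generated rules; with `DRY_RUN=0` the same functions apply them. The marking is done in PREROUTING only because that is the assumed placement here; for locally generated traffic the equivalent would be the OUTPUT chain, which the post does not discuss.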