Hi Florian,

Let's start with the iptables settings:

iptables -t mangle
Chain EXAMPLE_MAIN
 pkts bytes target   prot opt in  out  source    destination
3709K  204M MARK     all  --  any any  anywhere  anywhere     MARK and 0xfffff
   37  6952 CONNMARK all  --  any any  anywhere  anywhere     CONNMARK restore mask 0xfff00000
    0     0 MARK     udp  --  any any  anywhere  anywhere     match .... and MARK xset 0xabc00000/0xfff00000
    5   308 CONNMARK all  --  any any  anywhere  anywhere     CONNMARK save mask 0xfff00000

For the first packet of 'a' flow we mark the packet with fwmark = ct->mark. ip rule then directs traffic using such a fwmark:

250: from all fwmark 0xabc lookup TABLE

However, we also implemented a firewall feature, a packet inspection feature, etc. that use the fwmark at the same time, which makes those 32 bits far more occupied than ct->mark (32).

Hopefully this can help! Please let me know if this confuses you.

Thanks,
Jack
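The mark layout described above (a per-flow routing class kept in the top 12 bits of the mark and restored from ct->mark, with the low 20 bits left free for firewall and inspection rules), as an added example that is not part of the original message or of any netfilter project code. The chain name EXAMPLE_MAIN and the class value 0xabc are taken from the listing; the routing table number, the use of an unset connmark (0x0/0xfff00000) as the "first packet of a flow" condition, and the ip rule carrying the same mask are assumptions made here:

```shell
#!/bin/sh
# Added example: 32-bit fwmark split into a 12-bit routing class
# (mask 0xfff00000, copied to/from ct->mark) and 20 bits (0x000fffff)
# that other mangle rules may use freely.
# Assumptions: table number is arbitrary; "first packet" is detected by
# the connmark's routing field still being zero.

ROUTE_MASK=0xfff00000
LOCAL_MASK=0x000fffff

# Routing class (top 12 bits) held in a full 32-bit mark, printed as hex.
route_class() {
    printf '0x%x\n' $(( ($1 & ROUTE_MASK) >> 20 ))
}

# Packet-local part (low 20 bits) of a full 32-bit mark.
local_bits() {
    printf '0x%x\n' $(( $1 & LOCAL_MASK ))
}

# Compose a full mark from a routing class and local bits. This is the
# same bit operation MARK --set-xmark class<<20/0xfff00000 performs on
# a packet whose low bits are already in use.
compose_mark() {
    printf '0x%x\n' $(( (($1 << 20) & ROUTE_MASK) | ($2 & LOCAL_MASK) ))
}

# Emit an iptables-restore fragment plus the matching ip rule for one
# routing class. Each CONNMARK operation is restricted with --nfmask and
# --ctmask so that only the routing field is copied in either direction
# and the firewall/inspection bits in the mark survive untouched.
gen_rules() {
    class=$1
    table=$2
    shifted=$(printf '0x%x' $(( ($class << 20) & ROUTE_MASK )))
    cat <<EOF
*mangle
:EXAMPLE_MAIN - [0:0]
-A PREROUTING -j EXAMPLE_MAIN
-A EXAMPLE_MAIN -j MARK --and-mark $LOCAL_MASK
-A EXAMPLE_MAIN -j CONNMARK --restore-mark --nfmask $ROUTE_MASK --ctmask $ROUTE_MASK
-A EXAMPLE_MAIN -p udp -m connmark --mark 0x0/$ROUTE_MASK -j MARK --set-xmark $shifted/$ROUTE_MASK
-A EXAMPLE_MAIN -j CONNMARK --save-mark --nfmask $ROUTE_MASK --ctmask $ROUTE_MASK
COMMIT
ip rule add fwmark $shifted/$ROUTE_MASK lookup $table
EOF
}
```

Running `gen_rules 0xabc 100` prints a ruleset that can be fed to `iptables-restore -n` followed by the `ip rule` line; the first MARK rule clears the routing field so that a stale value cannot leak into the CONNMARK save step, and the masked `ip rule` matches the class regardless of what the low 20 bits currently hold.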