> Does anyone know if these two technologies are compatible?

Yes, they are compatible. RELATED connections inherit the conntrack mark from the parent.

> I am using CONNMARK to do policy routing. I use it to select which WAN interface the packet will leave the system through. It seems that CONNMARK doesn't mark related traffic. This makes it very hard to implement what I am trying to do.
>
> My rules are as follows:
>
> ${IPTABLES} -t mangle -A PREROUTING --source ${_fip} --destination ${_sip} -p ${_proto} -j CONNMARK --set-mark ${_fwmark} -m mark --mark 0

There are two types of marks. There is a conntrack mark, and there is a packet mark.

The above rule only sets the conntrack mark. This conntrack mark will automatically be set for related connections.

But if you want to do routing based on this mark, you have to copy it into the packet mark for every packet in the connection:

${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --restore-mark
-- Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
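The complete restore/classify/save pattern the reply describes, as an added example that is not part of the thread: interface names, gateway addresses, mark values and routing-table numbers are assumed placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original thread). Policy routing across two WAN
# links using the conntrack mark, so RELATED connections (FTP data, ICMP errors)
# follow the same WAN as their parent. All addresses/interfaces are placeholders.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = really apply them
IPTABLES="iptables"
IP="ip"
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Assumed values: mark 1 -> WAN1 (table 101), mark 2 -> WAN2 (table 102).
WAN1=eth1; WAN1_GW=192.0.2.1       # constructed documentation addresses
WAN2=eth2; WAN2_GW=198.51.100.1

connmark_rules() {
    # 1. Copy the conntrack mark into the packet mark for every packet. Packets of
    #    an already-marked connection (and of its RELATED connections, which
    #    inherit the conntrack mark) get their mark here and leave the chain.
    run $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run $IPTABLES -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 2. Classify only still-unmarked packets (first packet of a connection):
    #    here by source network; any other match criteria work the same way.
    run $IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -s 10.0.1.0/24 -j MARK --set-mark 1
    run $IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -s 10.0.2.0/24 -j MARK --set-mark 2
    # 3. Store the packet mark in the conntrack entry so later packets, and
    #    RELATED connections, are routed the same way by step 1.
    run $IPTABLES -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

routing_rules() {
    # Per-WAN routing tables selected by the packet mark restored in step 1.
    run $IP route add default via "$WAN1_GW" dev "$WAN1" table 101
    run $IP route add default via "$WAN2_GW" dev "$WAN2" table 102
    run $IP rule add fwmark 1 table 101
    run $IP rule add fwmark 2 table 102
}

connmark_rules
routing_rules
```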