And this?

iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j ACCEPT
iptables -t mangle -A OUTPUT -j MARK --set-mark 9
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

----- Original Message -----
From: "Ian! D. Allen" <idallen@xxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, February 18, 2005 9:40 AM
Subject: CONNMARK save-mark and restore-mark not working ?

> I think this pair (marking connections with "9"):
>
>   iptables -t mangle -A OUTPUT -j MARK --set-mark 9
>   iptables -t mangle -A OUTPUT -j CONNMARK --set-mark 9
>
> should be equivalent to this pair:
>
>   iptables -t mangle -A OUTPUT -j MARK --set-mark 9
>   iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>
> The first pair works - I get mark=9 entries in /proc/net/ip_conntrack .
> The second pair does not - I get no marks at all in ip_conntrack.
>
> I think this pair should set packet marks from the ip_conntrack marks:
>
>   iptables -t mangle -A OUTPUT -j CONNMARK --set-mark 9
>   iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
>
> It does not - the packets aren't marked:
>
> Chain OUTPUT (policy ACCEPT 2989 packets, 395K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  1695  178K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK set 0x9
>  1695  178K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x9 LOG flags 1 level 7 prefix `IDAMARK '
>  1695  178K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0
>
> What am I missing?
>
> Linux elm 2.6.10-1mdk #2 Sat Jan 29 13:10:11 EST 2005 i686 AMD Athlon(tm) XP 3200+ unknown GNU/Linux
>
> --
> -IAN! Ian! D. Allen Ottawa, Ontario, Canada
> EMail: idallen@xxxxxxxxxx WWW: http://www.idallen.com/
> College professor (Linux) via: http://teaching.idallen.com/
> Support free and open public digital rights: http://eff.org/
>
>
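The four-rule pattern in the reply depends on keeping two different marks apart: the per-packet mark (nfmark, what MARK writes and -m mark tests) and the per-connection mark stored in the conntrack entry (ctmark, what shows up as mark=N in /proc/net/ip_conntrack). CONNMARK --set-mark writes ctmark directly, --save-mark copies nfmark into ctmark, and --restore-mark copies ctmark back into nfmark. The simulation below is an added example, not code from the thread or from the netfilter project; it models the documented semantics of those targets for a few packets on one connection so the effect of the rule order is visible, and it does not attempt to reproduce whatever the 2.6.10 box in the post is doing. Rule names and the trace tuple layout are my own.

```python
"""Model of nfmark (per packet) versus ctmark (per conntrack entry) under the
mangle OUTPUT rules from the reply.  Added example; not netfilter code."""

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Conn:
    """Conntrack entry.  'ctmark' is what /proc/net/ip_conntrack prints as mark=N."""
    ctmark: int = 0


@dataclass
class Packet:
    """One packet belonging to a tracked connection.  'nfmark' is the packet mark."""
    conn: Conn
    nfmark: int = 0


# A rule mutates the packet and/or its connection and returns a terminating
# verdict ("ACCEPT") or None to fall through to the next rule in the chain.
Rule = Callable[[Packet], Optional[str]]


def connmark_restore(pkt: Packet) -> Optional[str]:
    """-j CONNMARK --restore-mark : copy ctmark into nfmark."""
    pkt.nfmark = pkt.conn.ctmark
    return None


def connmark_save(pkt: Packet) -> Optional[str]:
    """-j CONNMARK --save-mark : copy nfmark into ctmark."""
    pkt.conn.ctmark = pkt.nfmark
    return None


def connmark_set(value: int) -> Rule:
    """-j CONNMARK --set-mark VALUE : write ctmark directly; nfmark untouched."""
    def rule(pkt: Packet) -> Optional[str]:
        pkt.conn.ctmark = value
        return None
    return rule


def mark_set(value: int) -> Rule:
    """-j MARK --set-mark VALUE : write nfmark; ctmark untouched."""
    def rule(pkt: Packet) -> Optional[str]:
        pkt.nfmark = value
        return None
    return rule


def accept_if_connmarked(pkt: Packet) -> Optional[str]:
    """-m connmark ! --mark 0 -j ACCEPT : leave the chain early for a connection
    that already carries a mark, so it is not re-classified on every packet."""
    return "ACCEPT" if pkt.conn.ctmark != 0 else None


def run_chain(chain: List[Rule], pkt: Packet) -> Tuple[int, int, int]:
    """Traverse the rules in order.  Returns (rules_evaluated, nfmark, ctmark)
    at the point the packet left the chain."""
    for n, rule in enumerate(chain, start=1):
        if rule(pkt) is not None:
            return n, pkt.nfmark, pkt.conn.ctmark
    return len(chain), pkt.nfmark, pkt.conn.ctmark


def trace(chain: List[Rule], n_packets: int = 3) -> List[Tuple[int, int, int]]:
    """Send n_packets on one fresh connection through the chain; collect the trace."""
    conn = Conn()
    return [run_chain(chain, Packet(conn)) for _ in range(n_packets)]


# The reply's four rules, in the order they were given.
REPLY_CHAIN: List[Rule] = [connmark_restore, accept_if_connmarked, mark_set(9), connmark_save]
# Ian's first pair: MARK --set-mark 9 then CONNMARK --set-mark 9.
SET_PAIR: List[Rule] = [mark_set(9), connmark_set(9)]
# Ian's second pair: MARK --set-mark 9 then CONNMARK --save-mark.
SAVE_PAIR: List[Rule] = [mark_set(9), connmark_save]


if __name__ == "__main__":
    print("reply chain:", trace(REPLY_CHAIN))   # first packet walks all 4 rules, later ones ACCEPT at rule 2
    print("set pair:   ", trace(SET_PAIR))
    print("save pair:  ", trace(SAVE_PAIR))
```

In the reply's chain the first packet of a connection sees ctmark 0, is not accepted early, gets nfmark 9 from MARK and then saves it into the conntrack entry; every later packet on that connection gets nfmark 9 back from --restore-mark and leaves the chain at the ACCEPT, which is what the ! --mark 0 rule is for. A packet on a connection that already carries some other ctmark keeps that value rather than being re-marked. On a real box the two things to inspect are the counters from `iptables -t mangle -L OUTPUT -v -n` and the mark= field in /proc/net/ip_conntrack, as in the original post.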