On 5/12/06, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> Frank wrote:
>> Also, after much time banging my head against the wall trying to
>> figure out why my marks were ignored, I discovered that in spite of
>> what the netfilter packet traversal diagram shows, marks set in
>> PREROUTING are ignored for packets originating on the box doing the
>> routing, and the marks need to be set on the OUTPUT chain for that
>> case
>
> "In spite"? What are you talking about? That's exactly what the
> Netfilter diagram shows: locally generated packets don't go through the
> PREROUTING chain - except when sent to (and therefore received back
> from) the loopback interface.
Yes, you are correct about PREROUTING, although there was a dual-homed howto that made no mention of how to handle locally-generated traffic but just used PREROUTING, and I initially went down that dead-end. That's what I get for taking an example config at face value and not doing sufficient research.

However, diagrams such as the one at http://www.docum.org/docum.org/kptd/ show the routing decision made before the OUTPUT chain, making me believe setting a mark there wouldn't work. After further research I discovered that the routing decision is revisited if the packet is later changed (i.e., a mark being set in the OUTPUT chain), and that important detail seems to be left out of the traversal diagrams I've found before now (the one mentioned above does have some notes below it mentioning the rerouting, but others I found didn't).
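As an added example (not part of the thread, and not either poster's configuration), the following script shows the arrangement the two messages converge on: forwarded traffic is marked in mangle PREROUTING, traffic the router itself originates is marked in mangle OUTPUT (where the kernel re-runs the routing decision after the mark changes), and an `ip rule` on that fwmark selects a second routing table. Interface names, addresses, the mark value, the table number and the port being steered are assumptions; DRY_RUN=1 prints the commands instead of executing them, and `ip route get ... mark` is used as the check that the marked path is really selected.

```sh
#!/bin/sh
# Added example: steer selected traffic over a second uplink using fwmarks.
# All values below are assumed placeholders, not taken from the thread.
MARK=${MARK:-2}                 # fwmark to apply (assumed)
TABLE=${TABLE:-200}             # secondary routing table number (assumed)
ISP2_GW=${ISP2_GW:-192.0.2.1}   # gateway on the second uplink (assumed)
ISP2_IF=${ISP2_IF:-eth1}        # interface of the second uplink (assumed)
LAN_IF=${LAN_IF:-eth0}          # interface facing the LAN (assumed)
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands, 0 = execute them (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Traffic generated on the router itself never traverses PREROUTING, so the
# mangle OUTPUT hook is the only place where a mark can influence its route.
mark_local_traffic() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark "$MARK"
}

# Forwarded traffic from the LAN does pass PREROUTING; mark it there.
mark_forwarded_traffic() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 \
        -j MARK --set-mark "$MARK"
}

# Policy routing: the kernel repeats the routing decision after mangle OUTPUT
# changes the mark, so this fwmark rule also applies to locally generated packets.
policy_route() {
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Check: ask the kernel which route a packet carrying this mark would take
# (the reply should name ISP2_IF / ISP2_GW, not the main-table default route).
verify_route() {
    run ip route get 198.51.100.10 mark "$MARK"
}

main() {
    mark_local_traffic
    mark_forwarded_traffic
    policy_route
    verify_route
}
main
```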