I haven't really understood that in the documentation I've found, but
my understanding was that connmark and mark do not set the same type of
mark (so packets marked using connmark won't match the fwmark of
iproute2).
Or am I wrong with that?
Apart from that: I experienced the same problem (very similar
situation, another port, however ;-) and haven't been able to resolve
it yet.
The only thing I've found out was that the rewrite of the reply packets
does not really work - with exactly the effect that you've described:
connection stuck in SYN_RECV forever.
Baltasar
--
Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de