>> What marks, per-packet marks or per-connection marks?
>
> I am not sure how to distinguish, I just mark all packets that pass
> through a certain user-defined chain. I guess this is a mark per packet.

-j MARK => per-packet
-j CONNMARK => per-connection

> The particular chain looks like this:
>
> Chain FWD_WWW-101 (2 references)
> target     prot opt source       destination
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    quota: 100000000 bytes
> MARK       all  --  0.0.0.0/0    0.0.0.0/0    MARK set 0x65
> ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    quota: 1000000 bytes
> MARK       all  --  0.0.0.0/0    0.0.0.0/0    MARK set 0x1

MARK is only allowed in the mangle table.

> The goal is to provide full network speed for all NATed computers
> for a certain amount of bytes (first quota match), then mark their
> packets individually (each computer has its own mangle chain
> (FWD_WWW-$computernumber)) with its computer number in hex, so tc can
> slow down their connection to 56k, and after the "slow quota" is used
> up, the user's packets get a different mark (mark 1) and get a DNAT
> to an Over Quota webpage when the user tries to access an outside
> webpage; other connection attempts get dropped.
>
> The problem is now that packets get marked with the mark 0x1, but in
> the PREROUTING nat table this mark never appears.

http://www.imagestream.com/~josh/PacketFlow.png
PREROUTING comes before FORWARD.

> Thanks, Clemens

Jan Engelhardt
--
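What Jan's packet-flow hint implies in practice, as an added example and not anything posted in this thread: the per-client chain has to be hooked from mangle PREROUTING rather than mangle FORWARD, because nat PREROUTING runs before FORWARD and the nat table only ever sees the first packet of a connection, so the 0x1 mark must already be on that packet. The script keeps the posted chain logic (full speed up to the first quota, then mark = client number in hex, then mark 0x1) and adds the DNAT and DROP rules Clemens describes. The interface name eth1, the 192.168.1.x addresses, the over-quota host 192.168.1.1 and the print/apply wrapper are this example's own assumptions; the quota figures are the ones from the posted chain.

```shell
#!/bin/sh
# Added example (not from the thread): per-client quota/mark chains hooked
# from mangle PREROUTING, so the 0x1 mark already exists when the nat
# PREROUTING DNAT rule runs. Interface, addresses and the over-quota host
# are assumptions; the quotas are the ones from the posted chain.

IPT="${IPT:-iptables}"                       # assumed: iptables with xt_quota and xt_mark
LAN_IF="${LAN_IF:-eth1}"                     # assumed LAN-facing interface of the NAT box
OVERQUOTA_IP="${OVERQUOTA_IP:-192.168.1.1}"  # assumed host serving the "over quota" page
FULL_QUOTA=100000000                         # bytes at full speed (from the posted chain)
SLOW_QUOTA=1000000                           # bytes at 56k before going "over quota"
MODE="${MODE:-print}"                        # "print" shows the rules, "apply" executes them

# ipt: print the command (default) or run it (MODE=apply). Printing first
# lets you review the rule set without touching a live firewall.
ipt() {
    if [ "$MODE" = apply ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

# client_chain NUMBER IP: build FWD_WWW-NUMBER in the mangle table and hook
# it from mangle PREROUTING for traffic arriving from IP. Same logic as the
# posted chain: ACCEPT (unmarked, full speed) until FULL_QUOTA is used up,
# then mark = client number in hex (101 -> 0x65) for tc, then mark 0x1 once
# SLOW_QUOTA is also exhausted. Quota counters are per rule and reset when
# the rules are flushed.
client_chain() {
    n="$1"; ip="$2"
    chain="FWD_WWW-$n"
    ipt -t mangle -N "$chain"
    ipt -t mangle -A "$chain" -m quota --quota "$FULL_QUOTA" -j ACCEPT
    ipt -t mangle -A "$chain" -j MARK --set-mark "$(printf '0x%x' "$n")"
    ipt -t mangle -A "$chain" -m quota --quota "$SLOW_QUOTA" -j ACCEPT
    ipt -t mangle -A "$chain" -j MARK --set-mark 0x1
    # mangle PREROUTING runs before nat PREROUTING (and before FORWARD),
    # which is what makes the mark visible to the DNAT rule below.
    ipt -t mangle -A PREROUTING -i "$LAN_IF" -s "$ip" -j "$chain"
}

# overquota_rules: send web requests of over-quota clients to the
# over-quota page and drop everything else they originate.
overquota_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -m mark --mark 0x1 \
        -p tcp --dport 80 -j DNAT --to-destination "$OVERQUOTA_IP:80"
    # After DNAT the redirected request is addressed to OVERQUOTA_IP;
    # exclude it so it survives if that page is served by a LAN host.
    ipt -t filter -A FORWARD -i "$LAN_IF" -m mark --mark 0x1 \
        ! -d "$OVERQUOTA_IP" -j DROP
}

# build_ruleset: one client (number 101 at an assumed address) plus the
# over-quota handling; add a client_chain call per NATed computer.
build_ruleset() {
    client_chain 101 192.168.1.101
    overquota_rules
}

build_ruleset
```

Run it as-is to review the generated rules, and with `MODE=apply` (as root) to load them. The tc side is unchanged: the per-client classes still key on the fwmark 0x65, 0x66, ... that the chain sets; only the hook point moved. If you would rather mark per connection, as Jan mentions, that is where `-j CONNMARK` comes in instead of the per-packet `-j MARK` used here.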