So, something marked with -j MARK can't be matched in the nat table, right?
What if, after you mark the packet with -j MARK, you do
"-m mark --mark X -j CONNMARK --save-mark"; should it then be visible from
the nat table, or must it be marked with -j CONNMARK --set-mark?
What marks, per-packet marks or per-connection marks?
I am not sure how to distinguish; I just mark all packets that pass
through a certain user-defined chain. I guess this is a mark per packet.
-j MARK => per-packet
-j CONNMARK => per-connection
The particular chain looks like this:
Chain FWD_WWW-101 (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            quota: 100000000 bytes
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x65
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            quota: 1000000 bytes
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK set 0x1
MARK is only allowed in the mangle table.
The goal is to provide full network speed for all NATed computers
for a certain amount of bytes (first quota match), then mark their
packets individually (each computer has its own mangle chain,
FWD_WWW-$computernumber) with its computer number in hex, so tc can
slow down their connection to 56k. After the "slow quota" is used
up, the user's packets get a different mark (mark 1) and get a DNAT
to an Over Quota web page when the user tries to access an outside
web page; other connection attempts get dropped.
The problem now is that packets get marked with the mark 0x1, but in
the nat table's PREROUTING chain this mark never appears.
http://www.imagestream.com/~josh/PacketFlow.png
PREROUTING comes before FORWARD.
Thanks, Clemens
Jan Engelhardt
--
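An added example, not code from the thread: the per-computer quota chain is hooked into mangle PREROUTING instead of FORWARD, because nat PREROUTING is traversed right after mangle PREROUTING (and only for the first packet of a connection), so a mark set there is visible to the DNAT rule. The host address, the over-quota server and the PRE_WWW-N chain name are assumed placeholders; by default the script prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-computer quota marking hooked
# into mangle PREROUTING so that nat PREROUTING (traversed next, and only for
# the first packet of each connection) can match the mark for the DNAT.
# Assumed placeholder values: LAN host 192.168.1.101, over-quota page on
# 192.168.1.1:8080, chain name PRE_WWW-N. Quotas are the ones from the thread.
IPT="${IPT:-echo iptables}"    # run with IPT=iptables (as root) to apply
OVERQUOTA="192.168.1.1:8080"

# computer_rules N ADDR FASTBYTES SLOWBYTES
# Builds chain PRE_WWW-N: full speed for FASTBYTES, then mark N (hex) for tc
# until SLOWBYTES are used, then mark 0x1 (over quota). Same logic as the
# FWD_WWW-101 chain in the thread, but reached from mangle PREROUTING.
computer_rules() {
    n="$1"; addr="$2"; fast="$3"; slow="$4"
    hexmark=$(printf '0x%x' "$n")
    chain="PRE_WWW-$n"
    $IPT -t mangle -N "$chain"
    $IPT -t mangle -A "$chain" -m quota --quota "$fast" -j ACCEPT
    $IPT -t mangle -A "$chain" -j MARK --set-mark "$hexmark"
    $IPT -t mangle -A "$chain" -m quota --quota "$slow" -j ACCEPT
    $IPT -t mangle -A "$chain" -j MARK --set-mark 0x1
    # mangle PREROUTING runs before nat PREROUTING and before FORWARD
    $IPT -t mangle -A PREROUTING -s "$addr" -j "$chain"
}

# nat_rules: the mark set above is visible here because both chains hang off
# PREROUTING; a mark set in FORWARD would come too late for the DNAT decision.
nat_rules() {
    $IPT -t nat -A PREROUTING -m mark --mark 0x1 -p tcp --dport 80 \
        -j DNAT --to-destination "$OVERQUOTA"
    # everything else from an over-quota host is dropped in FORWARD
    $IPT -t filter -A FORWARD -m mark --mark 0x1 ! -d "${OVERQUOTA%:*}" -j DROP
}

computer_rules 101 192.168.1.101 100000000 1000000
nat_rules
```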