Hi list,

My setup is:
- kernel 2.6.18.2, iptables 1.3.5,
- only IPv4, no IPv6,
- kernel .config includes CONFIG_IP_NF_MANGLE=n (no mangle table).

I simply want to use the CONNMARK target (and the associated connmark match) in the filter table (OUTPUT chain).

I'm aware that I won't be able to use the "--restore-mark" option since I won't be in the mangle table (I saw that net/netfilter/xt_CONNMARK.c's checkentry prevents it -- unless I'm missing something, that's the only mangle-related thing in that file). But I should be able to use the "--set-mark" option in the filter table, shouldn't I?

Unfortunately, the kernel configurator doesn't let me select the CONNMARK target: in net/netfilter/Kconfig, NETFILTER_XT_TARGET_CONNMARK has a dependency on IP_NF_MANGLE || IP6_NF_MANGLE (both of which are "n" here, so no CONNMARK target for me).

I was wondering, what is the reason for this? It feels weird having to activate the mangle table when I don't want it, only in order to be allowed to compile xt_CONNMARK.c...

Thanks,
Francois