Hello,

John A. Sullivan III wrote:
> One thing I'm not sure about is how the mangle table marking is working
> with conntrack and it is entirely my ignorance. I think all the packets
> pass through mangle although I'm not sure. If that is the case, then
> the first packet of the flow will be marked with mark 1, the nat table
> will see it and send it to port 1514. If the second packet is part of
> the same flow, it will be marked with mark 2 but will never see the nat
> table; it will be automatically sent to port 1514.

You are correct, except on one detail: conntrack does not perform NAT
itself, and packets of an existing flow for which a NAT mapping already
exists enter the nat *table*, which performs the NAT according to the
mapping. They just skip the nat *chains*.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
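The distinction made in the reply (the nat chains are consulted only for the first packet of a flow, while the nat table applies the stored mapping to every packet) can be seen in a small model of the packet path. The following is an added example, not code from the thread and not kernel code: a toy Python simulation of mangle PREROUTING, conntrack and nat PREROUTING with constructed rules that mirror the scenario above (first packet of a flow marked 1, later packets marked 2; a REDIRECT to port 1514 for mark 1 traffic to port 514). All addresses, ports and rule choices are made up for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Toy model (constructed for illustration; not the netfilter implementation)
# of the inbound path: mangle PREROUTING -> conntrack -> nat PREROUTING.


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    mark: int = 0


@dataclass
class ConntrackEntry:
    # Destination port chosen by the nat chains for this flow;
    # None means the chains were traversed and no NAT rule matched.
    nat_dport: Optional[int] = None
    packets: int = 0


class ToyNetfilter:
    def __init__(self) -> None:
        self.conntrack: Dict[Tuple, ConntrackEntry] = {}
        self.trace: List[str] = []  # human-readable record of each hook

    @staticmethod
    def flow_key(pkt: Packet) -> Tuple:
        # The original (pre-NAT) 5-tuple identifies the flow.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def mangle_prerouting(self, pkt: Packet, state: str) -> None:
        # Constructed mangle rules, as in the thread: first packet of a
        # flow gets mark 1, every later packet of the flow gets mark 2.
        pkt.mark = 1 if state == "NEW" else 2
        self.trace.append(f"mangle: mark={pkt.mark}")

    def nat_prerouting_chain(self, pkt: Packet) -> Optional[int]:
        # Constructed nat rule, roughly:
        #   -p tcp --dport 514 -m mark --mark 1 -j REDIRECT --to-ports 1514
        self.trace.append("nat chain: traversed")
        if pkt.mark == 1 and pkt.dport == 514:
            return 1514
        return None

    def receive(self, pkt: Packet) -> Packet:
        key = self.flow_key(pkt)
        entry = self.conntrack.get(key)
        state = "NEW" if entry is None else "ESTABLISHED"
        self.mangle_prerouting(pkt, state)

        if entry is None:
            # First packet of the flow: only now are the nat chains
            # consulted, and their decision is stored with the flow.
            entry = ConntrackEntry(nat_dport=self.nat_prerouting_chain(pkt))
            self.conntrack[key] = entry
        else:
            # Later packets never enter the nat chains, whatever their mark.
            self.trace.append("nat chain: skipped (mapping exists)")
        entry.packets += 1

        # The nat *table* applies the stored mapping to every packet of the
        # flow; conntrack only remembers it.
        if entry.nat_dport is not None:
            pkt.dport = entry.nat_dport
            self.trace.append(f"nat table: dport -> {pkt.dport}")
        return pkt


def run_demo() -> Tuple[ToyNetfilter, List[Packet]]:
    """Send two packets of a syslog flow and two of an unrelated flow."""
    nf = ToyNetfilter()
    pkts = [
        nf.receive(Packet("10.0.0.5", 40000, "10.0.0.1", 514)),
        nf.receive(Packet("10.0.0.5", 40000, "10.0.0.1", 514)),
        nf.receive(Packet("10.0.0.5", 40001, "10.0.0.1", 80)),
        nf.receive(Packet("10.0.0.5", 40001, "10.0.0.1", 80)),
    ]
    return nf, pkts


if __name__ == "__main__":
    nf, pkts = run_demo()
    for line in nf.trace:
        print(line)
    print([(p.mark, p.dport) for p in pkts])
```

Running it shows the second packet of the syslog flow carrying mark 2 and never traversing the nat chain, yet still being redirected to 1514 from the mapping recorded on the first packet; the port 80 flow traverses the chain exactly once, matches nothing, and its later packets skip the chain without translation.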