Hello,

John Lister wrote:
> I thought local packets went through this chain
>
> mangle(OUTPUT) -> nat (OUTPUT) -> OUTPUT -> routing decision -> mangle
> (POSTROUTING) -> nat (POSTROUTING)

Actually there is an initial routing decision when the packet is created, before the OUTPUT chains, in order to select the output interface and source address. Also after "nat (OUTPUT)" it should be "filter (OUTPUT)".

[...]
> ip rule add fwmark 111 table 111
> ip rule add fwmark 222 table 222
>
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT -m mark --mark 0 -m state --state NEW -m
> statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 111
> iptables -t mangle -A OUTPUT -m mark --mark 0 -m state --state
> -j MARK --set-mark 111

Isn't something missing in that rule? Also, I can see no iptables rule setting mark 222.

> I would hope that the first set of iptables rules mark the packets before
> the routing rules forward them on their way

This is normally what happens.