I have found something that may be a bug in iptables-save or in kernel 'rateest' code.

    # iptables -t mangle -A Balance -m conntrack --ctstate NEW -m rateest --rateest1 wan1meter --rateest-bps 1000kbit --rateest-bps1 1000kbit --rateest-gt --rateest2 wan2meter --rateest-delta -j CONNMARK --set-mark 1

Its corresponding line in iptables -L is:

    CONNMARK all -- anywhere anywhere ctstate NEW rateest match wan1meter delta bps 1000Kbit gt wan2meter delta bps 1000Kbit CONNMARK set 0x1

so it seems to be right, but this line in iptables-save is:

    -A Balance -m conntrack --ctstate NEW -m rateest --rateest1 wan1meter --rateest-bps --rateest-gt --rateest2 wan2meter -j CONNMARK --set-xmark 0x1/0xffffffff

There is neither bps value nor delta parameter, so after iptables-restore with the generated file, this iptables rule becomes:

    CONNMARK all -- anywhere anywhere ctstate NEW rateest match wan1meter bps gt wan2meter bps CONNMARK set 0x1

I guess the bug is in iptables-save and not in the kernel, but really I don't know if the kernel honours these parameters.

(iptables version 1.4.10, Debian kernel 2.6.38-2-amd64)
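A round-trip check for the symptom reported above, as an added example that is not part of the original post: it compares the "-m rateest" options of the rule as entered with those in the iptables-save line, both copied from the message. The function names are hypothetical, and an option is assumed to take a value when the next token does not start with "-".

```python
import shlex

# Both rules are copied from the message above.
INTENDED = ("iptables -t mangle -A Balance -m conntrack --ctstate NEW -m rateest "
            "--rateest1 wan1meter --rateest-bps 1000kbit --rateest-bps1 1000kbit "
            "--rateest-gt --rateest2 wan2meter --rateest-delta "
            "-j CONNMARK --set-mark 1")
SAVED = ("-A Balance -m conntrack --ctstate NEW -m rateest --rateest1 wan1meter "
         "--rateest-bps --rateest-gt --rateest2 wan2meter "
         "-j CONNMARK --set-xmark 0x1/0xffffffff")

def rateest_opts(rule):
    """Return {option: value or None} for the '-m rateest' part of a rule."""
    tokens = shlex.split(rule)
    opts, in_match, i = {}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "--match"):
            # Track whether we are inside the rateest match or another one.
            in_match = i + 1 < len(tokens) and tokens[i + 1] == "rateest"
            i += 2
            continue
        if tok in ("-j", "--jump", "-g", "--goto"):
            in_match = False  # target options follow, not match options
        if in_match and tok.startswith("--"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            # Assumption: a following token without a leading '-' is the value.
            has_value = nxt is not None and not nxt.startswith("-")
            opts[tok] = nxt if has_value else None
            i += 2 if has_value else 1
            continue
        i += 1
    return opts

def roundtrip_diff(intended, saved):
    """List rateest options that the saved rule dropped or emptied."""
    want, got = rateest_opts(intended), rateest_opts(saved)
    problems = []
    for opt, val in want.items():
        if opt not in got:
            problems.append(f"{opt} missing")
        elif val is not None and got[opt] is None:
            problems.append(f"{opt} lost its value {val}")
        elif val is not None and got[opt].lower() != val.lower():
            problems.append(f"{opt} changed from {val} to {got[opt]}")
    return problems

if __name__ == "__main__":
    for problem in roundtrip_diff(INTENDED, SAVED):
        print(problem)
```

Running a comparison like this against a saved file before relying on iptables-restore shows when the restored rule will not match the rule that was entered.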