> Here is the corrected script:
>
> iptables -N NEW_CONN -t mangle
> iptables -A NEW_CONN -t mangle -m tos --tos 12 -j MARK --set-mark 1
> iptables -A NEW_CONN -t mangle -m tos --tos 28 -j MARK --set-mark 2
> iptables -A NEW_CONN -t mangle -m mark --mark 0 -j MARK --set-mark 3
> iptables -A NEW_CONN -t mangle -j CONNMARK --save-mark
>
> iptables -A PREROUTING -t mangle -m conntrack --ctstate INVALID -j DROP
> iptables -A PREROUTING -t mangle -m conntrack --ctstate ESTABLISHED -j CONNMARK --restore-mark
> iptables -A PREROUTING -t mangle -m conntrack --ctstate NEW,RELATED -j NEW_CONN

Ingress qdisc traffic is handled before conntrack has seen the traffic, so the mark you're restoring hasn't actually been restored at the time when your classifier rules are executing. It's a general problem that makes ingress shaping based upon connection information difficult to achieve.

The only way I've found to solve this is to classify directly in TC without the use of conntrack/marks, or use IMQ (http://www.linuximq.net/). Perhaps there's a clever way to hook into connmark with act_ipt, but I haven't found it.
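The first workaround the reply suggests, classifying on the ingress qdisc directly in tc without touching conntrack or CONNMARK, looks like the script below. It is an added example, not code from the original mail or from the netfilter project; the interface name eth0, the police rates and burst sizes are my assumptions, and the TOS values 12 and 28 are simply carried over from the quoted iptables script so the three tc filters line up with marks 1, 2 and 3 there.

```shell
#!/bin/sh
# Added example (not from the original mail): ingress classification done
# directly in tc on the IP TOS byte, so the decision never depends on a
# CONNMARK that conntrack has not yet restored when the ingress qdisc runs.
# Assumed values: interface eth0, the police rates/bursts below, and the
# TOS values 12 and 28 from the quoted iptables script.

IFACE="${IFACE:-eth0}"

# Decimal TOS value (as passed to iptables -m tos --tos N) -> hex byte for the
# u32 classifier, which wants "match ip tos VALUE MASK".
tos_hex() {
    printf '0x%02x' "$1"
}

# One ingress filter: match the TOS byte with mask 0xff and police the flow
# to RATE, dropping the excess.  flowid :PRIO just labels the class.
ingress_filter() {
    iface=$1; prio=$2; tos=$3; rate=$4
    printf 'tc filter add dev %s parent ffff: protocol ip prio %s u32 match ip tos %s 0xff police rate %s burst 20k drop flowid :%s\n' \
        "$iface" "$prio" "$(tos_hex "$tos")" "$rate" "$prio"
}

# Complete rule set for one interface, mirroring NEW_CONN in the quoted
# script: TOS 12 -> class 1, TOS 28 -> class 2, everything else -> class 3.
ingress_rules() {
    iface=$1
    printf 'tc qdisc del dev %s ingress 2>/dev/null\n' "$iface"
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$iface"
    ingress_filter "$iface" 1 12 1mbit
    ingress_filter "$iface" 2 28 2mbit
    # catch-all: "match u32 0 0" matches every IP packet (assumed 512kbit cap)
    printf 'tc filter add dev %s parent ffff: protocol ip prio 3 u32 match u32 0 0 police rate 512kbit burst 20k drop flowid :3\n' \
        "$iface"
}

# Print the commands by default; apply them only when APPLY=1 and root.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    ingress_rules "$IFACE" | sh -e
else
    ingress_rules "$IFACE"
fi
```

Run it once to review the generated tc commands, then `APPLY=1 sh ingress.sh` as root to install them. Because u32 reads the TOS byte straight out of the IP header, the filters work on the first packet of a connection too, which is exactly what the CONNMARK-based approach cannot do on ingress.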