2012/12/13, Andrew Collins <bsderandrew@xxxxxxxxx>:
>> Here is the corrected script:
>>
>> iptables -N NEW_CONN -t mangle
>> iptables -A NEW_CONN -t mangle -m tos --tos 12 -j MARK --set-mark 1
>> iptables -A NEW_CONN -t mangle -m tos --tos 28 -j MARK --set-mark 2
>> iptables -A NEW_CONN -t mangle -m mark --mark 0 -j MARK --set-mark 3
>> iptables -A NEW_CONN -t mangle -j CONNMARK --save-mark
>>
>> iptables -A PREROUTING -t mangle -m conntrack --ctstate INVALID -j DROP
>> iptables -A PREROUTING -t mangle -m conntrack --ctstate ESTABLISHED -j CONNMARK --restore-mark
>> iptables -A PREROUTING -t mangle -m conntrack --ctstate NEW,RELATED -j NEW_CONN
>
> Ingress qdisc traffic is handled before conntrack has seen the
> traffic, so the mark you're restoring hasn't actually been restored at
> the time when your classifier rules are executing. It's a general
> problem that makes ingress shaping based upon connection information
> difficult to achieve.
>
> The only way I've found to solve this is to classify directly in TC
> without the use of conntrack/marks, or use IMQ
> (http://www.linuximq.net/). Perhaps there's a clever way to hook into
> connmark with act_ipt, but I haven't found it.
>

The traffic will be ingress on eth0.2, but it will be treated as egress on the ifb0 device. Using ifb is a common scheme to overcome the above-mentioned limitation.

--
Best regards
Anatoly Muliarski
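The ifb scheme discussed in the thread, as an added example that is not part of the original messages: ingress on eth0.2 is redirected to ifb0 with tc-mirred and then shaped by an HTB tree on ifb0, with cls_fw filters selecting the class by the marks 1/2/3 that the NEW_CONN chain above saves with CONNMARK. One caveat a practitioner should know: the ingress qdisc (and therefore the redirect to ifb0) runs before netfilter PREROUTING, so the mangle rule with CONNMARK --restore-mark has not fired yet when the ifb0 filters see the packet. The script therefore assumes a kernel with the tc "connmark" action (act_connmark, Linux 4.0 or newer, not available in 2012), which does its own conntrack lookup and copies the saved connection mark into skb->mark on the ingress side before the redirect. The interface names, rates and class layout are assumptions for illustration; `run`, `plan` and `count_fw_filters` are helpers of this example, not tc or netfilter commands. Run without arguments to print the plan, with `apply` (as root) to install it, or with `teardown` to remove it.

```shell
#!/bin/sh
# Added example (not from the original thread): shape ingress traffic of
# eth0.2 on ifb0, classified by the conntrack mark saved by the NEW_CONN
# chain.  Assumes Linux >= 4.0 with act_connmark, act_mirred, sch_ingress,
# sch_htb and cls_fw available.  Interface names and rates are assumptions.
set -eu

WAN=${WAN:-eth0.2}        # interface on which the traffic really arrives
IFB=${IFB:-ifb0}          # pseudo-device on which it is shaped as egress
RATE=${RATE:-20mbit}      # total downstream ceiling (assumed value)
DRY_RUN=${DRY_RUN:-0}     # 1 = print the commands instead of executing them

# Execute a command, or print it when DRY_RUN=1 (helper of this example).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Bring up ifb0 and attach an ingress qdisc to the WAN interface.
setup_ifb() {
    run modprobe ifb numifbs=1
    run ip link set dev "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
}

# 2. Redirect every IPv4 ingress packet to ifb0.  The ingress hook runs
#    before netfilter PREROUTING, so CONNMARK --restore-mark has not fired
#    yet; "action connmark" looks the connection up itself and copies the
#    saved mark into skb->mark, then mirred hands the packet to ifb0.
redirect_ingress() {
    run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 \
        u32 match u32 0 0 action connmark action mirred egress redirect dev "$IFB"
}

# 3. HTB tree on ifb0: mark 1 -> 1:10, mark 2 -> 1:20, mark 3 (and unmarked
#    first packets of new flows) -> 1:30.  cls_fw matches on skb->mark.
setup_classes() {
    run tc qdisc add dev "$IFB" root handle 1: htb default 30
    run tc class add dev "$IFB" parent 1: classid 1:1 htb rate "$RATE" ceil "$RATE"
    run tc class add dev "$IFB" parent 1:1 classid 1:10 htb rate 8mbit ceil "$RATE" prio 0
    run tc class add dev "$IFB" parent 1:1 classid 1:20 htb rate 6mbit ceil "$RATE" prio 1
    run tc class add dev "$IFB" parent 1:1 classid 1:30 htb rate 6mbit ceil "$RATE" prio 2
    run tc filter add dev "$IFB" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    run tc filter add dev "$IFB" parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
    run tc filter add dev "$IFB" parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
}

# Remove the setup again; errors are ignored in case it was never installed.
teardown() {
    run tc qdisc del dev "$WAN" ingress || true
    run tc qdisc del dev "$IFB" root || true
    run ip link set dev "$IFB" down || true
}

configure() {
    setup_ifb
    redirect_ingress
    setup_classes
}

# Print the commands configure() would execute, without touching the system.
plan() {
    ( DRY_RUN=1; configure )
}

# Sanity check: number of mark-based classifier rules the plan installs.
count_fw_filters() {
    plan | grep -c ' fw flowid '
}

case "${1:-plan}" in
    apply)    configure ;;
    teardown) teardown ;;
    *)        plan ;;
esac
```

After `apply`, `tc -s class show dev ifb0` should show the byte counters of 1:10 and 1:20 growing for established flows whose first packet was marked 1 or 2 in NEW_CONN; the very first packet of a flow has no conntrack mark yet and lands in the default class 1:30, which is the expected behaviour of mark-based ingress classification.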