Re: tc filter connmark

On Wed, 2014-08-13 at 17:00 +0200, George Amanakis wrote:
> Dear All,
> 
> I would be glad if you could help me out. I am running the following 
> script:
> 
> -------------- cut - here -----------------
> 
> iptables -t mangle -N QOS
> iptables -t mangle -A FORWARD -o eth0 -j QOS
> iptables -t mangle -A OUTPUT -o eth0 -j QOS
> iptables -t mangle -A QOS -j MARK --set-mark 3
> 
> iptables -t mangle -A PREROUTING -m mark --mark 3 -j ACCEPT ### (counter)
> 
> tc qdisc add dev eth0 root handle 1: htb
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
>      match u32 0 0 classid :1 \
> action xt -j CONNMARK --save-mark
> 
> tc qdisc add dev eth0 ingress handle ffff:
> tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \
>      match u32 0 0 classid :1 \
> action xt -j CONNMARK --restore-mark
> 
> -------------- cut - here -----------------
> 
> Now if I insert (-I) in "PREROUTING" a "CONNMARK --restore-mark", my 
> counter shows that the egress filter "tc filter ... parent 1: ... CONNMARK 
> --save-mark" marked them correctly.
> 
> However, if I remove the "CONNMARK --restore-mark" from "PREROUTING" my 
> counter shows no traffic. This means that the ingress filter "tc filter 
> ... parent ffff: ... CONNMARK --restore-mark" is not working.

If I've understood correctly, you're trying to restore a netfilter MARK
during ingress? If so, I'm not sure this will be possible, as any
ingress processing is done before the traffic hits the netfilter stack,
so it will have no knowledge of connection tracking:

http://inai.de/images/nf-packet-flow.svg

Happy to be corrected if I'm wrong!

Andy
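The thread's diagnostic is a counter rule in mangle PREROUTING that only fires if the packet already carries the mark when netfilter first sees it. The script below is an added example, not code from either poster; it packages that check so it can be repeated after each change. It assumes the interface eth0 and mark value 3 from George's script, a DRY_RUN mode that prints the privileged commands instead of executing them, and, for the ingress side, the dedicated tc connmark action (act_connmark, merged in Linux 3.19, after this thread was written), which performs its own conntrack lookup at ingress rather than depending on the netfilter hooks that have not run yet at that point. The iptables output fed to the parser is constructed sample text.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: DEV/MARK defaults taken
# from George's script; DRY_RUN=1 prints commands instead of running them;
# "action connmark" requires act_connmark (Linux 3.19+).
set -eu

DEV="${DEV:-eth0}"
MARK="${MARK:-3}"

# Run a privileged command, or print it verbatim when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The counter rule from the thread: it only matches packets that already
# carry the mark when they reach PREROUTING, i.e. after tc ingress has run.
install_counter() {
    run iptables -t mangle -I PREROUTING -m mark --mark "$MARK" -j ACCEPT
}

# Ingress restore using act_connmark instead of "action xt -j CONNMARK":
# the action looks up the conntrack entry itself, so it does not rely on
# netfilter having seen the packet first.
install_ingress_restore() {
    run tc qdisc add dev "$DEV" ingress handle ffff:
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 action connmark
}

# Read `iptables -t mangle -L PREROUTING -v -n -x` output on stdin and print
# the packet counter of the first rule matching our mark (0 if absent).
# Columns: pkts bytes target prot opt in out source destination [match ...]
marked_packets() {
    awk -v want="mark match 0x$(printf '%x' "$MARK")" '
        index($0, want) { print $1; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# Compare two counter readings taken around a burst of test traffic.
# Returns success only if the counter moved, i.e. the mark was present at
# PREROUTING; a flat counter is exactly the symptom reported in the thread.
restored_at_prerouting() {
    before=$1
    after=$2
    [ "$after" -gt "$before" ]
}

# Constructed sample of `iptables -t mangle -L PREROUTING -v -n -x` output,
# embedded so the parser can be exercised without root or a live ruleset.
SAMPLE_OUTPUT='Chain PREROUTING (policy ACCEPT 120 packets, 9876 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     6300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x3'

# Usage: "sh this.sh setup" installs the counter and ingress filter
# (DRY_RUN=1 to print only); "sh this.sh check" reads the live counter.
case "${1:-}" in
    setup) install_counter; install_ingress_restore ;;
    check) iptables -t mangle -L PREROUTING -v -n -x | marked_packets ;;
esac
```

Take a `check` reading, generate some forwarded traffic through the box, take another, and feed both numbers to `restored_at_prerouting`; if the counter does not move, the ingress-side restore is not taking effect, which is what the PREROUTING counter in the thread was showing.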


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html