Unfortunately, it's impossible. The connmark target uses the conntrack entry associated with the packet, but this association is done after raw/PREROUTING, so you cannot use it before.

On Wed, 29 May 2019 at 19:34, Felipe Arturo Polanco <felipeapolanco@xxxxxxxxx> wrote:
>
> Hi,
>
> We have a specific scenario where we need to use conntrack zones along
> with connmarks.
>
> In our tests we saw that connmarks are fully restored in the mangle table,
> but we need them available in the raw table in order to assign the
> corresponding zone:
>
> eg:
> iptables -t raw -I PREROUTING -j CONNMARK --restore-mark
> iptables -t raw -A PREROUTING -m mark --mark 2 -j CT --zone 2
>
> Sadly, we haven't been able to make this work; looking at the TRACE
> log, the mark is not restored in the raw table, but in the mangle table.
> Since the mangle table already happens after conntrack processing, we
> cannot assign the zone.
>
> Any idea how we can approach this?
>
> Thanks,

-- 
Anton Danilov.