Can you describe the scenario in more detail? Maybe there is another way to achieve the result you want.

On Wed, 29 May 2019 at 19:53, Felipe Arturo Polanco <felipeapolanco@xxxxxxxxx> wrote:
>
> I understand, is there a way to move the packet back to raw? Like a goto target or jump to table?
>
> On Wed, May 29, 2019, 12:40 PM Anton Danilov <littlesmilingcloud@xxxxxxxxx> wrote:
>>
>> Unfortunately, it's impossible.
>> The connmark target uses the conntrack entry associated with the
>> packet, but this association is done after the raw/PREROUTING, so you
>> cannot use it before.
>>
>>
>> On Wed, 29 May 2019 at 19:34, Felipe Arturo Polanco
>> <felipeapolanco@xxxxxxxxx> wrote:
>> >
>> > Hi,
>> >
>> > We have a specific scenario where we need to use conntrack zones along
>> > with connmarks.
>> >
>> > In our tests we saw that connmarks are fully restored in mangle table,
>> > but we need them available in raw table in order to assign the
>> > corresponding zone:
>> >
>> > eg:
>> > iptables -t raw -I PREROUTING -j CONNMARK --restore-mark
>> > iptables -t raw -A PREROUTING -m mark --mark 2 -j CT --zone 2
>> >
>> > Sadly, we haven't been able to make this work, by looking at the TRACE
>> > log, the mark is not restored in raw table, but in mangle table.
>> > Since mangle table already happens after conntrack processing, we
>> > cannot assign the zone.
>> >
>> > Any idea how we can approach this?
>> >
>> > Thanks,
>>
>>
>>
>> --
>> Anton Danilov.

--
Anton Danilov.