Andy Furniss wrote:
<snip>
To accommodate your need for b), the idea would be as follows:
packet gets demasqueraded, mark it with a fwmark
I guess you really mean mark then demasquerade.
based on some recognition
you have for BitTorrent or squid and lastly policy route it to the dummy
device based on fwmark (since routing happens last).
I will need to modify the dummy to not drop such packets which are
fwmarked.
OK I can see this as a possibility - assuming I can mark. Maybe connmark
will be OK with connbytes sometime. I don't really know how to use it,
but if it is possible to mark egress connections in output and have
connmark match their incoming packets that would be a solution. I
haven't got a clue if connmark can do this, though, just speculating.
Hmm second thoughts - if I can route packets to dummy after demasquerade
then I don't need to mark - I can use u32 as I do now to separate per
IP. Am I missing something here?
Does anyone else know, and why it's not compatible with connbytes?
Andy.
cheers,
jamal