Re: IMQ / new Dummy device post.

[Andy Furniss <andy.furniss@xxxxxxxxxxxxx>]

Martin Josefsson wrote:
> On Sun, 2004-04-18 at 22:53, jamal wrote:
>
> > On Sun, 2004-04-18 at 12:35, Andy Furniss wrote:
> >
> >
> > > Connmark is a netfilter patch which is required by the type of P2P 
> > > limiting/marking projects on sf.net that could mark bittorrent traffic. 
> > just from the sounds of it, appears it may be able to mark a group of
> > related flows with the same fwmark.
>
> connmark is like nfmark but it marks the connection-entry in
> ip_conntrack instead. And then you can "restore" that mark to the nfmark
> of the packet at any time you want with filter rules.
>
>
> > > will be OK with connbytes sometime. I don't really know how to use it, 
> > > but if it is possible to mark egress connections in output and have 
> > > connmark match their incoming packets that would be a solution. I 
> > > haven't got a clue if connmark can do this, though, just speculating.
> > > Does anyone else know, and why it's not compatable with connbytes?
> > some of the netfilter people should be able to help.
>
> with connmark you mark the connection, and then you can "restore" that
> mark to packets in either direction in the mangle table of iptables.
>
> connmark isn't incompatible with connbytes. It's just that both patches
> modify the same part of the code, a struct, and the patch program can't
> handle that. You'll have to fix some rejects by hand, that's it.
Thanks for that - though I hope not to have to use it now, just to 
confirm - does it work in all of the 5 mangle tables or more 
specifically could I mark every connection from local processes in 
output and restore the marks in prerouting?
Andy.