Has marks with conntrack changed?
For example (simplified use case):

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark --mark 0 -m state --state NEW -j MARK
iptables -t mangle -A MARK -j MARK --set-mark 1
iptables -t mangle -A MARK -j CONNMARK --save-mark

This worked fine until recently, when I think the box was upgraded. By fine I mean that when a new connection was started the mark was set at 0, which would match the rule and then set the mark before saving it in conntrack. Now it seems the mark is saved across connections. For example, making 2 separate pings used to result in the mark being 0 initially and then getting set; now the mark is set to 1 on the second ping after it gets restored.
Is this the correct behaviour or is conntrack now tracking similar connections for the restore-mark?
Any hints would be appreciated.

John

ps. currently running kernel 2.6.31-23

-- 
www.pricegoblin.co.uk
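As an added illustration (not from the post), a small Python model of the four mangle rules above: a dict stands in for the conntrack table, and two pings are fed through it either as two conntrack entries or as one shared entry. The addresses and ICMP ids are constructed; what the model shows is only that --restore-mark hands back whatever mark conntrack has saved for the entry the packet is matched to, so the second ping starts at 1 exactly when it is matched to the first ping's entry.

```python
# Constructed model of the CONNMARK round trip from the post; not kernel code.
# A dict stands in for the conntrack table (flow tuple -> saved ctmark) and
# prerouting() applies the post's four mangle rules, in order, to one packet.


class ConntrackModel:
    def __init__(self):
        self.ctmark = {}  # flow tuple -> mark saved by CONNMARK --save-mark

    def prerouting(self, flow):
        """Return (final packet mark, list of rules that fired) for one packet."""
        fired = []
        is_new = flow not in self.ctmark  # -m state --state NEW: no entry yet
        # rule 1: -j CONNMARK --restore-mark copies ctmark onto the packet (0 if none)
        mark = self.ctmark.get(flow, 0)
        fired.append("restore-mark")
        # rule 2: -m mark --mark 0 -m state --state NEW -j MARK (user chain)
        if mark == 0 and is_new:
            mark = 1  # chain MARK, rule 1: -j MARK --set-mark 1
            fired.append("set-mark")
            self.ctmark[flow] = mark  # chain MARK, rule 2: -j CONNMARK --save-mark
            fired.append("save-mark")
        else:
            # packet did not enter the chain; conntrack still keeps the entry
            self.ctmark.setdefault(flow, mark)
        return mark, fired


def two_pings(same_conntrack_entry):
    """Per ping: (mark after restore, final mark, whether the MARK chain ran).

    A ping is modelled as one ICMP echo flow tuple (src, dst, icmp id);
    the addresses and ids below are constructed sample values.
    """
    ct = ConntrackModel()
    first = ("192.0.2.1", "192.0.2.2", 100)
    second = first if same_conntrack_entry else ("192.0.2.1", "192.0.2.2", 101)
    results = []
    for flow in (first, second):
        restored = ct.ctmark.get(flow, 0)
        final, fired = ct.prerouting(flow)
        results.append((restored, final, "set-mark" in fired))
    return results


if __name__ == "__main__":
    print("separate entries:", two_pings(False))  # both pings start at 0
    print("shared entry:    ", two_pings(True))   # second ping restores 1
```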