On 5/11/06, Bob Ramstad <[EMAIL PROTECTED]> wrote:
> I see 22 connections with mark=1 right now, and 7 with mark=0 right
> now... and I suspect that if all 22 mark=1 connections were being set
> to class 50, the system would be behaving as I'd like.

I really thought I had it, but again, stymied.

I came to the conclusion that the connection was being marked, but the packets obviously were not... so when RTFM I stumbled on the documentation for TEST :C in tcrules for matching a connection flag vs matching a packet flag, and modified the last line in my recipe:

    RESTORE:F   -  -  tcp
    CONTINUE:F  -  -  tcp    -      -  -  !0
    1:F         -  -  ipp2p  ipp2p
    SAVE:F      -  -  tcp    -      -  -  1
    50          -  -  -      -      -  -  1:C

I discovered I needed ipt_conntrack as well as ipt_CONNTRACK loaded to get Shorewall to run with this flag... but then I was quite surprised to discover that this didn't change the behavior at all. I'm still seeing all my p2p traffic with mark=1, but it is falling into the default class 30 aka 130 and not the p2p class 50 aka 150.

So, I've hit the proverbial ShoreWall and am mentally exhausted. According to the documentation and the examples, one of these ten or twelve approaches should work, and now that I've apparently got the right couple modules loaded, I would have thought that the last tiny bit would have been a slam dunk. Doesn't appear to be...

-- Bob

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/