Hi, can you please help me, my head will explode, I cannot figure out a simple thing.

Here is the problem.
A very very simple mangle, I know third rule is same as second, but between I have some packet and conn marks for HTTP, properly set with passthrough=no, every thing is counting properly.

For start I added queue tree GLOBAL-IN
This queue dont count ANY packet when last MANGLE is enabled (mangle 2 in this post ), when I disable MANGLE 2 everything is OK.

Why is that happening, the same situation is with complete mangle rules. All mangle rules properly count marked conns and packets.

The idea of the last mangle is to pickup all traffic that is not mangled before so I need that rule.

Very simple to someone but my head cant take it anymore.

If you enable last rule then packet mark set in previous rule is overwritten from ALL_PACK_DOWN to REST_DOWN
But queue has packet-mark=ALL_PACK_DOWN

hm, so how can I then set all download packet mark to parent global-in?

If I disable last rule then I dont have rest of the connections marked

DO you have all_CONN_UP connection mark? If yes, thats the problem!


Connections can't be upload or download, usually they are bothdirectional (from conntrack point of view) so you must do

mark all connections
-- if interface local - mark all upload packets
-- if interface public - mark all download packets

I disabled ALL UP conn marks, whe I tried this. But Ill try your suggestion.

Connections are in both directions, but how can I mark upload and how to mark download ?

mark all connections
-- if interface local - mark all upload packets
-- if interface public - mark all download packets

thx, Im exhausted so couldnt see it.

Also Note that your rules did not work because

Your rule :
1 chain=prerouting in-interface=WAN connection-mark=ALL_CONN_DOWN action=mark-packet
new-packet-mark=ALL_PACK_DOWN passthrough=yes

Should have been set to passthrough=no

As a result of passing through it matched rule 2 and got remarked.

I have to pass conn mark so packet mark can work. On packet mark I set pass through=no so that marked traffic is not marked twice or more . . .

Is there any difference in mangling traffic on MT that is doing NAT and on MT without NAT.

Is there ONE universal way of marking UPLOAD and DOWNLOAD ?

there is no difference, you just have to mind changing addresses, that's all