cpresto
Member Candidate
Topic Author
Posts: 177
Joined: Tue Jul 18, 2006 3:12 pm

About chains

Mon Nov 26, 2007 8:26 pm

Hi all,
I'm trying to (better) understand chains...
I've created a chain called "known" that should collect all known traffic and apply mark routing mangle based on source IP request. The aim is to apply a different route to different customers, based on the IP I've assigned them.
In the prerouting chain a jump action is applied to TCP traffic with dest port < 1024; the jump goes to the known chain, where the proper routing mark is applied.
Everything seems to work fine, except for mark-connection. In fact, connections that are supposed to be known but open random ports don't work. One of these is ftp in pasv mode: the connection starts on port 21, and then the server sends/receives information on a random port > 1024. In this way the jump is not matched any more: it seems that a connection related to a known one (ftp server) is not recognized.
If I try the same connection moving mark-connection into the prerouting chain and eliminating the known chain, everything works fine.
This moves me to a question: does mark-connection mangle (and all the others) work properly only in MT defined chains (input/forward/prerouting/output/postrouting) and not in user defined ones? :shock:
....
....
add chain=prerouting action=jump jump-target=known dst-port=0-1024 \
protocol=tcp comment="###### TCP < 1024" disabled=no
add chain=prerouting action=jump jump-target=known dst-port=0-1024 \
protocol=udp comment="###### UDP < 1024" disabled=no
.....
....
add chain=known action=passthrough \
comment="######################################## \
CHAIN KNOWN \
###########################################" disabled=no
add chain=known action=mark-connection new-connection-mark=known \
passthrough=yes comment="Mark Connection" disabled=no
add chain=known action=mark-routing new-routing-mark=vs-NGI passthrough=no \
src-address=192.168.5.0/24 connection-mark=known comment=" ### \
Classe 5.0, auth su P2K" disabled=no
...
...
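
The rule order described in the post, as a small Python model added here (it is not part of the original post and is not RouterOS code): it walks only the mangle rules shown above and reports which chains a packet traverses and which marks it ends up with. The client address 192.168.5.10 and the names `Packet`, `matches`, `run_chain`, `classify`, `POSTED` and `MOVED` are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    conn_mark: str = ""      # mark of the connection the packet belongs to
    routing_mark: str = ""
    visited: list = field(default_factory=list)  # chains traversed, in order

def matches(rule, pkt):
    # A matcher that is absent from the rule matches everything.
    lo, hi = rule.get("dst-port", (0, 65535))
    return (rule.get("protocol", pkt.proto) == pkt.proto
            and lo <= pkt.dport <= hi
            and ip_address(pkt.src) in ip_network(rule.get("src-address", "0.0.0.0/0"))
            and rule.get("connection-mark", pkt.conn_mark) == pkt.conn_mark)

def run_chain(rules, chain, pkt):
    """Walk one chain in order; True means a rule ended processing."""
    pkt.visited.append(chain)
    for rule in (r for r in rules if r["chain"] == chain):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump" and run_chain(rules, rule["jump-target"], pkt):
            return True  # a rule in the target chain ended processing
        pkt.conn_mark = rule.get("new-connection-mark", pkt.conn_mark)
        pkt.routing_mark = rule.get("new-routing-mark", pkt.routing_mark)
        if not rule.get("passthrough", True):
            return True
    return False

# Only the rules shown in the post; the elided "...." rules are not modelled.
POSTED = [
    {"chain": "prerouting", "action": "jump", "jump-target": "known", "protocol": "tcp", "dst-port": (0, 1024)},
    {"chain": "prerouting", "action": "jump", "jump-target": "known", "protocol": "udp", "dst-port": (0, 1024)},
    {"chain": "known", "action": "passthrough"},
    {"chain": "known", "action": "mark-connection", "new-connection-mark": "known"},
    {"chain": "known", "action": "mark-routing", "new-routing-mark": "vs-NGI",
     "src-address": "192.168.5.0/24", "connection-mark": "known", "passthrough": False},
]
# The variant the post says works: marking rules in prerouting, no jump.
MOVED = [dict(r, chain="prerouting") for r in POSTED if r["chain"] == "known"]

def classify(rules, dport, conn_mark=""):
    pkt = Packet("192.168.5.10", "tcp", dport, conn_mark)  # constructed client address
    run_chain(rules, "prerouting", pkt)
    return pkt.visited, pkt.conn_mark, pkt.routing_mark
```

`classify(POSTED, 21)` traverses prerouting and known and ends with routing mark vs-NGI, while `classify(POSTED, 50000)` (a constructed passive-mode data port) never leaves prerouting. The data packet stays without a routing mark even with `conn_mark="known"`, because the mark-routing rule itself sits in the known chain; `classify(MOVED, 50000)` marks it.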
