TomatoUSB

So far, the closest I've been able to come is to insert my rules into mangle/OUTPUT above the QOSO jump, but this means that the filter I'm using (owner, in this case) is evaluated for _every outbound packet_ even if the socket itself has already been identified and marked.

Ideally I'd like my iptables rule to appear in position 3 of the QOSO chain, but the only place I know to do it (that will survive further GUI interaction) is in the firewall script, and it appears this script gets fired _before_ the QOSO jump is (re)created.

This is a concern for me because matches against OWNER are _far_ more expensive than CONNMARK matches, so I'm seeing a huge amount of time spent in SYS during moderate-to-heavy packet loads.

Any suggestions?

Rodney

The script is fired after running iptables-restore — it truly is the last task in start_firewall() — but it's possible that iptables-restore hasn't finished its work when the script is run.

I haven't had any trouble with using the firewall script to insert into QOSO, but I just noticed that I do have "sleep 5" at the start, and I suspect I put that there for a reason.

As it turns out (in this case), the timing is fine…the owner match _only_ works in OUTPUT or POSTROUTING.

I've ditched even using the owner match strategy and am much happier with the result, so thank you anyway. =)

Rodney