Hi,

Just a quick arb question I think... In all the examples I've seen... There is a connection-mark as well as a packet-mark. Why?

Surely, if you match on packets only it should include the initial connection regardless? I'm just wondering whether two rules are actually needed or not...

tcp connection is virtually two opposite streams: from A to B and from B to A.
if you mark only packets, you should use two rules: (scr=A dst=B) and (src=B dst=A). or you just mark the connection, and then mark all of the connection's packets =)
plus, when using NAT, the router watches connection's addresses, not you