* CONNMARK versus MARK
@ 2007-01-12 21:00 ArcosCom Linux User
2007-01-12 22:46 ` Jan Engelhardt
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: ArcosCom Linux User @ 2007-01-12 21:00 UTC (permalink / raw)
To: netfilter
Another question, this time is about CONNMARK and MARK.
I stand that when CONNMARK put a mark, this mark will be applied for every
related traffic (I supose conntrack modules do it) after CONNMARK put the
mark. Am I in truth?
Analogous with MARK, that only applies to the frame. Is it?
Fine, using the above, when 1 client start TCP connection, that has not
any specific conntrack module for it, and I use something as this:
iptables -t mangle -A POSTROUTING ${condition} -m state --state NEW -j
CONNMARK --set-mark 0x1
Then:
iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -j
CONNMARK --save-mark
iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -m
connmark ! --mark 0x0 -j RETURN
Can I supose that when the connection is in state RELATED or ESTABLISHED
the core netfilter will automaticaly mark the response frame (ACK) with
the same mark? or I must be more accurate using MARK/mark?
Explain a bit the question:
1) The frame should be TCP or UDP and is marked as 0x1 when go out from
(or forwading) the box.
2) The frame is responsed (TCP with ACK or UDP with another frame to
the same source port).
3) How netfilter will mark the connection if it has not handled by a
conntrack module? Will it mark the connection? or I have to control the
answered frame too?.
I'm a bit confuse with the iptables help/man text about this question:
MARK target v1.3.7 options:
--set-mark value Set nfmark value
--and-mark value Binary AND the nfmark with value
--or-mark value Binary OR the nfmark with value
CONNMARK target v1.3.7 options:
--set-mark value[/mask] Set conntrack mark value
--save-mark [--mask mask] Save the packet nfmark in the connection
--restore-mark [--mask mask] Restore saved nfmark value
CONNMARK match v1.3.7 options:
[!] --mark value[/mask] Match nfmark value with optional mask
MARK match v1.3.7 options:
[!] --mark value[/mask] Match nfmark value with optional mask
And, sometimes, I think that there are two fields for the mark, one for
the whole connection and another for the frame.
Anyone more experienced could explain this a bit?
Thanks!!
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: CONNMARK versus MARK
2007-01-12 21:00 CONNMARK versus MARK ArcosCom Linux User
@ 2007-01-12 22:46 ` Jan Engelhardt
2007-01-14 21:21 ` ArcosCom Linux User
2007-01-16 19:44 ` ArcosCom Linux User
2 siblings, 0 replies; 4+ messages in thread
From: Jan Engelhardt @ 2007-01-12 22:46 UTC (permalink / raw)
To: ArcosCom Linux User; +Cc: netfilter
>Another question, this time is about CONNMARK and MARK.
>
>I stand that when CONNMARK put a mark, this mark will be applied for every
>related traffic (I supose conntrack modules do it) after CONNMARK put the
>mark. Am I in truth?
man iptables:
CONNMARK
This module sets the netfilter mark value associated with a
connection
>
>Analogous with MARK, that only applies to the frame. Is it?
Ethernet frames?
>Fine, using the above, when 1 client start TCP connection, that has not
>any specific conntrack module for it, and I use something as this:
>
>iptables -t mangle -A POSTROUTING ${condition} -m state --state NEW -j
>CONNMARK --set-mark 0x1
>
>Then:
>
>iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -j
>CONNMARK --save-mark
>iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -m
>connmark ! --mark 0x0 -j RETURN
>
>Can I supose that when the connection is in state RELATED or ESTABLISHED
>the core netfilter will automaticaly mark the response frame (ACK) with
>the same mark? or I must be more accurate using MARK/mark?
Not sure if --save-mark is inteded here.
>Explain a bit the question:
> 1) The frame should be TCP or UDP and is marked as 0x1 when go out from
>(or forwading) the box.
> 2) The frame is responsed (TCP with ACK or UDP with another frame to
>the same source port).
> 3) How netfilter will mark the connection if it has not handled by a
>conntrack module? Will it mark the connection? or I have to control the
>answered frame too?.
>
>I'm a bit confuse with the iptables help/man text about this question:
>
>MARK target v1.3.7 options:
> --set-mark value Set nfmark value
> --and-mark value Binary AND the nfmark with value
> --or-mark value Binary OR the nfmark with value
>
>CONNMARK target v1.3.7 options:
> --set-mark value[/mask] Set conntrack mark value
> --save-mark [--mask mask] Save the packet nfmark in the connection
> --restore-mark [--mask mask] Restore saved nfmark value
>
>CONNMARK match v1.3.7 options:
>[!] --mark value[/mask] Match nfmark value with optional mask
>
>MARK match v1.3.7 options:
>[!] --mark value[/mask] Match nfmark value with optional mask
>
>And, sometimes, I think that there are two fields for the mark, one for
>the whole connection and another for the frame.
Correct. (packet, not frame) There are yet more, though.
>
>Anyone more experienced could explain this a bit?
>
>Thanks!!
>
>
-`J'
--
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: CONNMARK versus MARK
2007-01-12 21:00 CONNMARK versus MARK ArcosCom Linux User
2007-01-12 22:46 ` Jan Engelhardt
@ 2007-01-14 21:21 ` ArcosCom Linux User
2007-01-16 19:44 ` ArcosCom Linux User
2 siblings, 0 replies; 4+ messages in thread
From: ArcosCom Linux User @ 2007-01-14 21:21 UTC (permalink / raw)
To: netfilter
Any help?
Thanks
El Vie, 12 de Enero de 2007, 22:00, ArcosCom Linux User escribió:
> Another question, this time is about CONNMARK and MARK.
>
> I stand that when CONNMARK put a mark, this mark will be applied for every
> related traffic (I supose conntrack modules do it) after CONNMARK put the
> mark. Am I in truth?
>
> Analogous with MARK, that only applies to the frame. Is it?
>
> Fine, using the above, when 1 client start TCP connection, that has not
> any specific conntrack module for it, and I use something as this:
>
> iptables -t mangle -A POSTROUTING ${condition} -m state --state NEW -j
> CONNMARK --set-mark 0x1
>
> Then:
>
> iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -j
> CONNMARK --save-mark
> iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -m
> connmark ! --mark 0x0 -j RETURN
>
> Can I supose that when the connection is in state RELATED or ESTABLISHED
> the core netfilter will automaticaly mark the response frame (ACK) with
> the same mark? or I must be more accurate using MARK/mark?
>
> Explain a bit the question:
> 1) The frame should be TCP or UDP and is marked as 0x1 when go out from
> (or forwading) the box.
> 2) The frame is responsed (TCP with ACK or UDP with another frame to
> the same source port).
> 3) How netfilter will mark the connection if it has not handled by a
> conntrack module? Will it mark the connection? or I have to control the
> answered frame too?.
>
> I'm a bit confuse with the iptables help/man text about this question:
>
> MARK target v1.3.7 options:
> --set-mark value Set nfmark value
> --and-mark value Binary AND the nfmark with value
> --or-mark value Binary OR the nfmark with value
>
> CONNMARK target v1.3.7 options:
> --set-mark value[/mask] Set conntrack mark value
> --save-mark [--mask mask] Save the packet nfmark in the connection
> --restore-mark [--mask mask] Restore saved nfmark value
>
> CONNMARK match v1.3.7 options:
> [!] --mark value[/mask] Match nfmark value with optional mask
>
> MARK match v1.3.7 options:
> [!] --mark value[/mask] Match nfmark value with optional mask
>
> And, sometimes, I think that there are two fields for the mark, one for
> the whole connection and another for the frame.
>
> Anyone more experienced could explain this a bit?
>
> Thanks!!
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: CONNMARK versus MARK
2007-01-12 21:00 CONNMARK versus MARK ArcosCom Linux User
2007-01-12 22:46 ` Jan Engelhardt
2007-01-14 21:21 ` ArcosCom Linux User
@ 2007-01-16 19:44 ` ArcosCom Linux User
2 siblings, 0 replies; 4+ messages in thread
From: ArcosCom Linux User @ 2007-01-16 19:44 UTC (permalink / raw)
To: netfilter
Please, help a bit with this.
Thanks!!
El Vie, 12 de Enero de 2007, 22:00, ArcosCom Linux User escribió:
> Another question, this time is about CONNMARK and MARK.
>
> I stand that when CONNMARK put a mark, this mark will be applied for every
> related traffic (I supose conntrack modules do it) after CONNMARK put the
> mark. Am I in truth?
>
> Analogous with MARK, that only applies to the frame. Is it?
>
> Fine, using the above, when 1 client start TCP connection, that has not
> any specific conntrack module for it, and I use something as this:
>
> iptables -t mangle -A POSTROUTING ${condition} -m state --state NEW -j
> CONNMARK --set-mark 0x1
>
> Then:
>
> iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -j
> CONNMARK --save-mark
> iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -m
> connmark ! --mark 0x0 -j RETURN
>
> Can I supose that when the connection is in state RELATED or ESTABLISHED
> the core netfilter will automaticaly mark the response frame (ACK) with
> the same mark? or I must be more accurate using MARK/mark?
>
> Explain a bit the question:
> 1) The frame should be TCP or UDP and is marked as 0x1 when go out from
> (or forwading) the box.
> 2) The frame is responsed (TCP with ACK or UDP with another frame to
> the same source port).
> 3) How netfilter will mark the connection if it has not handled by a
> conntrack module? Will it mark the connection? or I have to control the
> answered frame too?.
>
> I'm a bit confuse with the iptables help/man text about this question:
>
> MARK target v1.3.7 options:
> --set-mark value Set nfmark value
> --and-mark value Binary AND the nfmark with value
> --or-mark value Binary OR the nfmark with value
>
> CONNMARK target v1.3.7 options:
> --set-mark value[/mask] Set conntrack mark value
> --save-mark [--mask mask] Save the packet nfmark in the connection
> --restore-mark [--mask mask] Restore saved nfmark value
>
> CONNMARK match v1.3.7 options:
> [!] --mark value[/mask] Match nfmark value with optional mask
>
> MARK match v1.3.7 options:
> [!] --mark value[/mask] Match nfmark value with optional mask
>
> And, sometimes, I think that there are two fields for the mark, one for
> the whole connection and another for the frame.
>
> Anyone more experienced could explain this a bit?
>
> Thanks!!
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-01-16 19:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2007-01-12 21:00 CONNMARK versus MARK ArcosCom Linux User
2007-01-12 22:46 ` Jan Engelhardt
2007-01-14 21:21 ` ArcosCom Linux User
2007-01-16 19:44 ` ArcosCom Linux User
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.