Re: ftp connmark

Linux Advanced Routing and Traffic Control

The line:
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
Will cause the packet to not be processed any further if the mark is not 0. You can place this rule after any --set-mark rules you don't want to change or save. After every mark, or group of similar marks, that you do want to save; I suggest adding:
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
so the mark gets set, saved, and then no longer modified. Plenty of other ways to do this, but I think you can get the basic idea? Using these 2 lines you can prevent further processing of marked packets at any point in the chain, and optionally save to the connection beforehand.

- Jody
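To make the two orderings discussed above concrete, here is an added simulation (not part of the original thread) of how netfilter walks the mangle POSTROUTING chain for the rules quoted below: MARK sets the packet mark, CONNMARK --save-mark/--restore-mark copy between packet mark and connection mark (default full mask), and ACCEPT ends traversal. The match helpers, the interface name eth1 and the packets are constructed assumptions; the "save only marked packets" refinement in Jody's ordering is an addition, not something the thread states.

```python
# Constructed simulation of the mangle POSTROUTING rules in this thread. It models
# only what the thread relies on, with CONNMARK's default full mask:
#   MARK --set-mark          packet mark := value
#   CONNMARK --save-mark     connection mark := packet mark
#   CONNMARK --restore-mark  packet mark := connection mark (0 for a new connection)
#   ACCEPT                   stop traversing the chain
def traverse(chain, pkt, conntrack):
    """Run one packet through `chain`; return its mark on exit.
    `conntrack` maps a connection key to the stored connmark (0 if unseen)."""
    key, mark = pkt["conn"], 0
    for match, target, *arg in chain:
        if not match(pkt, mark):
            continue
        if target == "MARK":
            mark = arg[0]
        elif target == "CONNMARK --save-mark":
            conntrack[key] = mark
        elif target == "CONNMARK --restore-mark":
            mark = conntrack.get(key, 0)
        elif target == "ACCEPT":
            break
    return mark

# Hypothetical match helpers standing in for -p icmp, -o ${if_inet} -p tcp --dport 21
# and -m mark ! --mark 0 (the internet-facing interface is assumed to be eth1).
ANY     = lambda p, m: True
ICMP    = lambda p, m: p["proto"] == "icmp"
FTP_CTL = lambda p, m: p["out"] == "eth1" and p["proto"] == "tcp" and p.get("dport") == 21
MARKED  = lambda p, m: m != 0

# Salim's ordering: the ICMP mark is set, then zeroed by --restore-mark.
SALIM = [(ICMP, "MARK", 0x110), (ANY, "CONNMARK --restore-mark"), (MARKED, "ACCEPT"),
         (FTP_CTL, "MARK", 0x111), (ANY, "CONNMARK --save-mark")]

# Jody's ordering: save and leave the chain right after the ICMP mark, so
# --restore-mark never touches that packet. Added refinement: only marked packets
# are saved, so a later unmarked packet cannot zero a connmark already stored.
JODY = [(ICMP, "MARK", 0x110), (MARKED, "CONNMARK --save-mark"), (MARKED, "ACCEPT"),
        (ANY, "CONNMARK --restore-mark"), (MARKED, "ACCEPT"),
        (FTP_CTL, "MARK", 0x111), (MARKED, "CONNMARK --save-mark")]

def demo(chain):
    """Exit marks of three constructed packets seen on a router: an outgoing ping,
    the first outgoing FTP control segment, and the server's reply on that
    connection leaving the LAN interface (which only the connmark can classify)."""
    ct = {}
    ping = {"conn": ("icmp", "10.0.0.2", "192.0.2.1"), "proto": "icmp", "out": "eth1"}
    ftp1 = {"conn": ("tcp", "10.0.0.2", "192.0.2.1", 21), "proto": "tcp", "dport": 21, "out": "eth1"}
    ftp2 = {"conn": ftp1["conn"], "proto": "tcp", "sport": 21, "out": "eth0"}
    return [traverse(chain, p, ct) for p in (ping, ftp1, ftp2)]
```

With Salim's ordering `demo(SALIM)` returns `[0x0, 0x111, 0x111]`: the ping leaves the chain unmarked because --restore-mark overwrote 0x110 with the empty connmark; with Jody's ordering `demo(JODY)` returns `[0x110, 0x111, 0x111]`.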

On 11/24/05, Salim <salim.si@xxxxxxxxxxxx> wrote:
I saw this snippet from
Daniel Chemko dchemko@xxxxxxxxxx
Mon, 31 May 2004 09:30:43 -0700

# Egress marking (mostly for QOS operations)
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
# --dport requires a protocol match (-p tcp); the rule is one line, not two
iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

I want to mark many packets, including FTP.

So above these lines, I have a few more lines in my script. Like the following...

iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 0x110

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
# --dport requires a protocol match (-p tcp); the rule is one line, not two
iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

So, when an ICMP packet comes to the 2nd ('restore-mark') line, it is already marked with 0x110. Will the restore-mark mark the packet with 0 since there is no connmark set for ICMP? Or will it leave the packet untouched?
In that case, I cannot redirect the ICMP packet to the class I defined for it.
What is the solution for this issue? What to do if I have different classification marks, some using connmark and some not (just fw mark)?

regards
Salim


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
