Re: Question about nfmark

On Wed 04/06/2003 at 20:01, Abhinav Gupta wrote:
> I am a newbie to netfilter. While going through some code, I saw a
> comment that nfmark can be used for communicating between the different
> hooks. Could someone please explain to me how this can be done.

Netfilter gives you the ability to mark packets using the mangle table MARK
target (the mangle table is attached to every hook in the stack). This mark,
commonly called nfmark (Netfilter mark), is a field within the data
structure that contains the packet (skb). This means that once a packet is
marked, the mark will be carried for the whole life of the packet in the system.

Now, you have a mark match that allows you to read the nfmark field. This
means that in one given hook, you can extract information from another hook
through nfmark.

An example... Suppose you implement DNAT. This sits in the PREROUTING chain.

	iptables -t nat -A PREROUTING -d $PUB_IP -j DNAT --to $PRIV_IP

How can I filter packets destined to $PUB_IP from those which were
destined to $PRIV_IP, as they appear the same way in the FORWARD chain?
Use mark.

	iptables -t mangle -A PREROUTING -d $PRIV_IP -j MARK --set-mark 0x01

Then, in the filter table, I do this:

	iptables -A FORWARD -m mark --mark 0x01 -j DROP

As I don't want people to access my private IP directly. Doing this, you get in
the FORWARD chain information that would not be available otherwise.


Besides this, nfmark is more powerful than this as it allows Netfilter
to communicate with routing and QoS processes. This means you can take
routing or QoS decisions based on nfmark. Transparent proxying can be
done using nfmark (see http://lartc.org/), as well as QoS. This allows
you to use all Netfilter packet matching capabilities for routing and
shaping.

-- 
Cédric Blancher  <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
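The scenario from the reply above as a runnable script. This is an added example, not code from the original post: the addresses, the mark value and the IPT/IP variables are constructed placeholders, and setting IPT=echo gives a dry run that prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example: DNAT plus nfmark so that FORWARD can tell packets that
# were sent straight to the private IP apart from packets that were DNATed
# to it. Addresses and mark value are constructed placeholders.
set -eu

PUB_IP=${PUB_IP:-203.0.113.10}    # constructed public address (TEST-NET-3)
PRIV_IP=${PRIV_IP:-192.168.1.10}  # constructed internal server address
DIRECT_MARK=${DIRECT_MARK:-0x01}  # mark for packets addressed directly to PRIV_IP
IPT=${IPT:-iptables}              # override with IPT=echo for a dry run

nfmark_rules() {
    # mangle PREROUTING runs before nat PREROUTING, so the packet still
    # carries its original destination here: only traffic addressed
    # directly to the private IP gets marked. Traffic that arrives with
    # -d PUB_IP is not marked, and is DNATed afterwards.
    "$IPT" -t mangle -A PREROUTING -d "$PRIV_IP" -j MARK --set-mark "$DIRECT_MARK"

    # Publish the private server on the public address.
    "$IPT" -t nat -A PREROUTING -d "$PUB_IP" -j DNAT --to-destination "$PRIV_IP"

    # In FORWARD both flows look the same (-d PRIV_IP); the mark is the
    # only thing that distinguishes them. Drop the direct ones, allow the
    # published service for the DNATed ones.
    "$IPT" -A FORWARD -m mark --mark "$DIRECT_MARK" -j DROP
    "$IPT" -A FORWARD -d "$PRIV_IP" -p tcp --dport 80 -j ACCEPT
}

# Only touch the live rule set when explicitly asked to.
if [ "${1:-}" = apply ]; then
    nfmark_rules
fi
```

Run `IPT=echo sh script.sh apply` to review the generated rules, and `sh script.sh apply` as root to load them.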


