Hi,
As far as I know, CONNMARK sets the mark value of the connection tracking entry, while MARK sets the mark value of the packet.
Omar Garcia wrote:
Hi list,
What's the difference between these two groups of rules? In the first I use MARK --set-mark to mark packets and in the other I use CONNMARK --set-mark.
1.
# iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
# iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
# iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 30
# iptables -I POSTROUTING -t mangle -m ipp2p --bit -j MARK --set-mark 30
# iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
>>>> Here you are changing the mark value of the packet while the mark value of the connection track entry remains the same. The mark value is applicable to the current packet.
2.
# iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
# iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
# iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j CONNMARK --set-mark 30
# iptables -I POSTROUTING -t mangle -m ipp2p --bit -j CONNMARK --set-mark 30
# iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
Here the mark value of the conntrack is changed, which is applied to the next packet onwards.
Regards. Thanks
Enjoi, Vinod
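As an added illustration (not code from the thread or from netfilter), the following Python model applies the documented meaning of each target used above (MARK --set-mark writes the packet mark, CONNMARK --set-mark writes the conntrack mark, --restore-mark copies the conntrack mark onto the packet, --save-mark copies the packet mark onto the conntrack entry) to a constructed three-packet flow, walking each rule set in the order listed; the ipp2p classification is stood in for by a per-packet flag, and the two ipp2p rules are folded into one since both set the same value.

```python
# Added example, not code from the thread: a small model of how the two rule
# sets above treat the packet mark (nfmark) and the conntrack mark (ctmark),
# using the documented meaning of each target. Rules run in listed order and
# the two ipp2p rules are folded into one since both set the same value.

def matches(match, pkt):
    """Rule match: None = always, 'ipp2p' = packet classified as p2p
    (constructed flag), 'mark!=0' = the '-m mark ! --mark 0' test."""
    return (match is None
            or (match == "ipp2p" and pkt["p2p"])
            or (match == "mark!=0" and pkt["mark"] != 0))

def apply_target(target, pkt, ct):
    """Apply one target; returns True when chain traversal stops (ACCEPT)."""
    if target == "ACCEPT":
        return True
    if target == "CONNMARK --restore-mark":          # ctmark -> nfmark
        pkt["mark"] = ct["mark"]
    elif target == "CONNMARK --save-mark":           # nfmark -> ctmark
        ct["mark"] = pkt["mark"]
    elif target.startswith("CONNMARK --set-mark"):   # writes ctmark only
        ct["mark"] = int(target.split()[-1])
    elif target.startswith("MARK --set-mark"):       # writes nfmark only
        pkt["mark"] = int(target.split()[-1])
    return False

SET_1 = [(None, "CONNMARK --restore-mark"), ("mark!=0", "ACCEPT"),
         ("ipp2p", "MARK --set-mark 30"), (None, "CONNMARK --save-mark")]
SET_2 = [(None, "CONNMARK --restore-mark"), ("mark!=0", "ACCEPT"),
         ("ipp2p", "CONNMARK --set-mark 30"), (None, "CONNMARK --save-mark")]

def run_flow(rules, p2p_flags):
    """Push one connection's packets through the chain. p2p_flags says, per
    packet, whether ipp2p would match it (typically only the first packets
    of a flow do). Returns (nfmark each packet leaves with, final ctmark)."""
    ct = {"mark": 0}                      # conntrack entry for this flow
    marks = []
    for flag in p2p_flags:
        pkt = {"mark": 0, "p2p": flag}    # every packet starts with nfmark 0
        for match, target in rules:
            if matches(match, pkt) and apply_target(target, pkt, ct):
                break
        marks.append(pkt["mark"])
    return marks, ct["mark"]

if __name__ == "__main__":
    flow = [True, False, False]   # constructed: only packet 1 looks like p2p
    print("set 1:", run_flow(SET_1, flow))                  # ([30, 30, 30], 30)
    print("set 2:", run_flow(SET_2, flow))                  # ([0, 0, 0], 0)
    print("set 2, no final save:", run_flow(SET_2[:-1], flow))  # ([0, 30, 30], 30)
```

The third run drops the final --save-mark, which in set 2 otherwise copies the still-zero packet mark back over the conntrack mark just set. Note also that `-I` inserts each rule at the head of the chain, so typed in that sequence the live chain would run in the reverse order; the model assumes the listed order was the intended one.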