Re: Differences between -j MARK and -j CONNMARK

> i have found that version 1; i.e using -j MARK --set-mark instead of
> -j CONNMARK --set-mark, is more reliable.  i have no idea why this is.

Here's why:

Version 1:
a) iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
b) iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
c) iptables -A POSTROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 30
d) iptables -A POSTROUTING -t mangle -m ipp2p --bit -j MARK --set-mark 30
e) iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

Version 1 Explanation:
 a) copy the connection mark (may or may not be zero) to the packet mark
 b) if this packet now has a mark, accept it (and leave the chain)
 c+d) possibly set the packet mark using the ipp2p module
 e) copy the packet mark (may or may not be zero) to the connection mark

In other words, the above marks a packet and then copies the mark to
the connection mark.  That means *all* the packets are marked, even
the very first one.  Once a connection is marked, all further packets
inherit that mark.  This is what you want.

Version 2:
a) iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
b) iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
c) iptables -A POSTROUTING -t mangle -m ipp2p --ipp2p -j CONNMARK --set-mark 30
d) iptables -A POSTROUTING -t mangle -m ipp2p --bit -j CONNMARK --set-mark 30
e) iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

Version 2 Explanation:
 a) copy the connection mark (may or may not be zero) to the packet mark
 b) if this packet now has a mark, accept it (and leave the chain)
 c+d) possibly set the connection mark using the ipp2p module
 e) copy the zero packet mark to the connection mark, overwriting the
    good work just done by c) and d) with zero [THIS IS BAD]

In other words, Method #2 doesn't work.  It never sets any new connection
marks.  The only time it might stagger along is if you happen to already
have some connection marks from some other rules - Method 2 will use
those existing connection marks to mark packets.  But it will never
create any new connection marks.

If you replace the last rule in either version with this one:

e) iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j CONNMARK --save-mark
   (only transfer the packet mark to the connection mark if it is not zero)

then you'll have a count of the number of *new* connection marks being
created.  You'll see that Version 2 always creates zero new marks...

-- 
-IAN!  Ian! D. Allen   Ottawa, Ontario, Canada
       EMail: idallen@xxxxxxxxxx   WWW: http://www.idallen.com/
       College professor (Linux) via: http://teaching.idallen.com/
       Support free and open public digital rights:  http://eff.org/
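
Added example (not part of the original post): a small Python simulation of
the two POSTROUTING mangle chains above, using only the documented semantics
of CONNMARK --restore-mark / --save-mark / --set-mark, MARK --set-mark and
"-m mark ! --mark 0". The ipp2p/bit classifier is replaced by flags on
constructed packets, and each rule carries a hit counter standing in for the
pkts column of "iptables -t mangle -L POSTROUTING -v". It goes slightly
beyond the post by also running both versions with the guarded e) rule: the
counter on e) shows Version 2 creating zero new connection marks, and since
the zero save no longer happens, the connection mark set by c)/d) survives.

```python
# Added example, not from the post: simulate the Version 1 / Version 2 chains.
# Only the documented target/match semantics are modelled; the ipp2p and bit
# matches are stand-in flags on constructed packets.
from dataclasses import dataclass, field


@dataclass
class Packet:
    conn_id: str          # which conntrack entry this packet belongs to
    ipp2p: bool = False   # stand-in for "-m ipp2p --ipp2p" matching (constructed)
    bit: bool = False     # stand-in for "-m ipp2p --bit" matching (constructed)
    mark: int = 0         # the packet mark


@dataclass
class Conntrack:
    """Connection marks, one per connection id (what CONNMARK reads/writes)."""
    marks: dict = field(default_factory=dict)

    def get(self, conn_id: str) -> int:
        return self.marks.get(conn_id, 0)

    def set(self, conn_id: str, value: int) -> None:
        self.marks[conn_id] = value


class Rule:
    def __init__(self, name, match, target):
        self.name, self.match, self.target = name, match, target
        self.pkts = 0  # like the per-rule pkts counter iptables keeps


# matches
def always(p): return True
def match_ipp2p(p): return p.ipp2p
def match_bit(p): return p.bit
def mark_nonzero(p): return p.mark != 0                    # -m mark ! --mark 0


# targets: return "ACCEPT" to end the chain, None to continue to the next rule
def connmark_restore(p, ct): p.mark = ct.get(p.conn_id)    # CONNMARK --restore-mark
def connmark_save(p, ct): ct.set(p.conn_id, p.mark)        # CONNMARK --save-mark
def accept(p, ct): return "ACCEPT"

def mark_set(value):                                        # MARK --set-mark value
    return lambda p, ct: setattr(p, "mark", value)

def connmark_set(value):                                    # CONNMARK --set-mark value
    return lambda p, ct: ct.set(p.conn_id, value)


def build_chain(version, guard_save=False):
    """Rules a) to e) from the post. Version 1 uses MARK in c)/d), Version 2
    uses CONNMARK. guard_save=True swaps in the replacement e) rule that only
    saves a non-zero packet mark."""
    set_target = mark_set(30) if version == 1 else connmark_set(30)
    return [
        Rule("a", always, connmark_restore),
        Rule("b", mark_nonzero, accept),
        Rule("c", match_ipp2p, set_target),
        Rule("d", match_bit, set_target),
        Rule("e", mark_nonzero if guard_save else always, connmark_save),
    ]


def run_chain(rules, pkt, ct):
    """Walk the chain in order; a terminating target stops the traversal."""
    for r in rules:
        if r.match(pkt):
            r.pkts += 1
            if r.target(pkt, ct) == "ACCEPT":
                return


def simulate(version, guard_save=False):
    """Push one constructed connection through the chain and return
    (per-packet marks, final connection mark, per-rule hit counters)."""
    ct = Conntrack()
    chain = build_chain(version, guard_save)
    # constructed traffic: four packets of one connection; the classifier
    # recognises only the second packet as P2P, the others look ordinary
    traffic = [Packet("flow1"), Packet("flow1", ipp2p=True),
               Packet("flow1"), Packet("flow1")]
    marks = []
    for p in traffic:
        run_chain(chain, p, ct)
        marks.append(p.mark)
    return marks, ct.get("flow1"), {r.name: r.pkts for r in chain}


if __name__ == "__main__":
    for v in (1, 2):
        print(f"Version {v}:", simulate(v))
        print(f"Version {v}, guarded e):", simulate(v, guard_save=True))
```

Running it shows Version 1 marking the P2P packet and every later packet of
the connection, while Version 2 leaves every packet at mark 0 even though
rule c) fired once: rule e) saved the zero packet mark over it.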
