Hi,

I haven't been following netfilter development for a while. My production boxes are Debian woody and thus do not have very current netfilter, but sometimes I snoop into later versions trying to see what's cooking.

I am currently a little bit confused by the appearance of connmark. The mechanism looks suspiciously similar to the normal packet mark mechanism, but is applied to entire connections. How do I use this? Is it like allowing and denying connections? Do I put a mark on the connection at the initial packet and the appropriate match will match on all packets bearing this connection mark? What will packets do that belong to a RELATED connection? Do they also have the connection mark of the main connection?

Are there any docs, examples, best-current-practice descriptions about when to use packet marking and when connection marking?

Additionally, I have always been very reluctant with marking since the numeric mark seems so prone to collide when packet marking is used for different purposes. I would like to hear how other people handle this, maybe even look at some rulesets using marking.

Thanks for enlightening.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
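A ruleset of the kind asked about, added here as an example and not taken from the thread: it stores a mark on the connection at the first packet, copies it back onto every later packet, and keeps two unrelated users of the mark space in separate bit fields so their values cannot collide. It assumes iptables 1.4 or later (CONNMARK with --ctmask/--nfmask); the bit layout, mark values and subnet are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original post. IPT defaults to "echo iptables" so
# the script is a dry run without root; run with IPT=iptables to load the rules.
# Assumed layout: bits 4-7 hold a traffic class, bits 8-11 hold the egress link.
IPT="${IPT:-echo iptables}"
CLASS_MASK=0x000000f0   # traffic class field (assumed)
LINK_MASK=0x00000f00    # egress link field (assumed)
CLASS_SSH=0x10
CLASS_WEB=0x20
LINK_BACKUP=0x200

# True (exit 0) when two mask fields share a bit, i.e. their users would collide.
masks_overlap() {
    [ $(( $1 & $2 )) -ne 0 ]
}

connmark_rules() {
    # 1. Classify once, on the first packet, and store the class on the conntrack
    #    entry. Only bits inside CLASS_MASK are written; the link field is untouched.
    $IPT -t mangle -A PREROUTING -p tcp --dport 22 -m state --state NEW \
        -j CONNMARK --set-mark $CLASS_SSH/$CLASS_MASK
    $IPT -t mangle -A PREROUTING -p tcp --dport 80 -m state --state NEW \
        -j CONNMARK --set-mark $CLASS_WEB/$CLASS_MASK
    # 2. A separate policy owns LINK_MASK: this subnet (constructed) leaves via the
    #    backup link. Writing its field cannot clobber the class field.
    $IPT -t mangle -A PREROUTING -s 192.0.2.0/24 -m state --state NEW \
        -j CONNMARK --set-mark $LINK_BACKUP/$LINK_MASK
    # 3. Later packets of the connection get the stored class copied into their
    #    packet mark (nfmark), so tc or "ip rule fwmark" can act on it.
    $IPT -t mangle -A PREROUTING -m state ! --state NEW \
        -j CONNMARK --restore-mark --ctmask $CLASS_MASK --nfmask $CLASS_MASK
    # 4. Filtering can also match the connection mark directly, masked to its field.
    $IPT -A FORWARD -m connmark --mark $CLASS_SSH/$CLASS_MASK -j ACCEPT
    $IPT -A FORWARD -m connmark --mark $CLASS_WEB/$CLASS_MASK -j ACCEPT
}

main() {
    if masks_overlap "$CLASS_MASK" "$LINK_MASK"; then
        echo "mark fields overlap, refusing to build rules" >&2
        return 1
    fi
    connmark_rules
}

main "$@"
```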