CONNMARK versus MARK

Another question, this time is about CONNMARK and MARK.

I understand that when CONNMARK puts a mark, this mark will be applied to every
related packet (I suppose the conntrack modules do it) after CONNMARK puts the
mark. Am I right?

Analogously with MARK, which only applies to the frame. Is that so?

Fine, using the above, when a client starts a TCP connection that has no
specific conntrack module for it, and I use something like this:

iptables -t mangle -A POSTROUTING ${condition} -m state --state NEW -j CONNMARK --set-mark 0x1

Then:

iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -m state --state RELATED,ESTABLISHED -m connmark ! --mark 0x0 -j RETURN

Can I suppose that when the connection is in state RELATED or ESTABLISHED
the core netfilter will automatically mark the response frame (ACK) with
the same mark? Or must I be more precise, using MARK/mark?

To explain the question a bit:
   1) The frame should be TCP or UDP and is marked as 0x1 when it goes out
from (or is forwarded by) the box.
   2) The frame is responded to (TCP with an ACK, or UDP with another frame
to the same source port).
   3) How will netfilter mark the connection if it is not handled by a
conntrack module? Will it mark the connection, or do I have to handle the
answering frame too?

I'm a bit confused by the iptables help/man text on this question:

MARK target v1.3.7 options:
  --set-mark value                   Set nfmark value
  --and-mark value                   Binary AND the nfmark with value
  --or-mark  value                   Binary OR  the nfmark with value

CONNMARK target v1.3.7 options:
  --set-mark value[/mask]       Set conntrack mark value
  --save-mark [--mask mask]     Save the packet nfmark in the connection
  --restore-mark [--mask mask]  Restore saved nfmark value

CONNMARK match v1.3.7 options:
[!] --mark value[/mask]         Match nfmark value with optional mask

MARK match v1.3.7 options:
[!] --mark value[/mask]         Match nfmark value with optional mask

And, sometimes, I think that there are two fields for the mark, one for
the whole connection and another for the frame.

Could anyone more experienced explain this a bit?

Thanks!!
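
Added example, not part of the original post: a small Python model of the two
separate mark fields the poster suspects exist (the per-packet nfmark and the
per-connection ctmark), using the bit semantics of the CONNMARK/MARK targets
and matches quoted above, run over the poster's own rule order (--set-mark on
the outgoing NEW packet, then --save-mark or --restore-mark on the reply). It
assumes 32-bit marks, a full mask when none is given, and that a reply packet
enters the box as a fresh skb with nfmark 0.

```python
FULL = 0xFFFFFFFF  # default mask when the rule gives none (assumption)

class Conn:
    """Conntrack entry: one ctmark shared by every packet of the flow."""
    def __init__(self):
        self.ctmark = 0

class Packet:
    """One frame: its nfmark lives only as long as the skb does."""
    def __init__(self, conn, nfmark=0):
        self.conn = conn
        self.nfmark = nfmark

# -j CONNMARK --set-mark value[/mask]: write into the connection mark
def connmark_set(pkt, value, mask=FULL):
    pkt.conn.ctmark = (pkt.conn.ctmark & ~mask & FULL) | (value & mask)

# -j CONNMARK --save-mark [--mask m]: copy the packet nfmark into ctmark
def connmark_save(pkt, mask=FULL):
    pkt.conn.ctmark = (pkt.conn.ctmark & ~mask & FULL) | (pkt.nfmark & mask)

# -j CONNMARK --restore-mark [--mask m]: copy ctmark into the packet nfmark
def connmark_restore(pkt, mask=FULL):
    pkt.nfmark = (pkt.nfmark & ~mask & FULL) | (pkt.conn.ctmark & mask)

# -m connmark --mark v[/m] tests the connection; -m mark --mark v[/m] the packet
def match_connmark(pkt, value, mask=FULL):
    return (pkt.conn.ctmark & mask) == (value & mask)

def match_mark(pkt, value, mask=FULL):
    return (pkt.nfmark & mask) == (value & mask)

def scenario(restore_reply):
    """Client SYN leaves via POSTROUTING, the reply ACK arrives in PREROUTING.
    Returns (ctmark, reply nfmark, '-m mark 0x1' hit, '-m connmark 0x1' hit)."""
    conn = Conn()
    syn = Packet(conn)            # state NEW, going out
    connmark_set(syn, 0x1)        # the POSTROUTING rule from the post
    ack = Packet(conn)            # state ESTABLISHED, fresh skb, nfmark 0
    if restore_reply:
        connmark_restore(ack)     # ctmark -> nfmark on the reply
    else:
        connmark_save(ack)        # nfmark (still 0) -> ctmark, as in the post
    return (conn.ctmark, ack.nfmark, match_mark(ack, 0x1), match_connmark(ack, 0x1))

if __name__ == "__main__":
    print("save-mark on reply:   ", scenario(restore_reply=False))
    print("restore-mark on reply:", scenario(restore_reply=True))
```

Nothing copies the connection mark onto a packet by itself: a reply arrives with nfmark 0, and --save-mark on it writes that 0 back into the connection, while --restore-mark is what puts the 0x1 onto the reply.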
