* CONNMARK and state RELATED
@ 2004-03-03 0:53 Daniel Chemko
From: Daniel Chemko @ 2004-03-03 0:53 UTC
To: Netfilter development mailing list
Does anyone know if these two technologies are compatible?
I am using CONNMARK to do policy routing. I use it to select which WAN
interface the packet will leave the system. It seems that CONNMARK
doesn't mark related traffic. This makes it very hard to implement what
I am trying to do.
My rules are as follows:
${IPTABLES} -t mangle -A PREROUTING --source ${_fip} --destination ${_sip} \
    -p ${_proto} -j CONNMARK --set-mark ${_fwmark} -m mark --mark 0
This rule is what I use to select which traffic goes through which
interface. Since state established can't be matched on what initially
evoked it (like saying "if this packet is established and was
established by FTP from X to Y").
In a NAT situation, how would I route FTP for example so that all the
related sessions are routed back to the same interface. I don't want a
broad rule that just matches all RELATED rules.
Any hints?
* Re: CONNMARK and state RELATED
From: Eric Leblond @ 2004-03-03 7:04 UTC
To: Daniel Chemko; +Cc: Netfilter development mailing list
On Wed 03/03/2004 at 01:53, Daniel Chemko wrote:
> Does anyone know if these two technologies are compatible?
I think so, I've deployed this to do the same as you and it works fine
(even with FTP)
> My rules are as follows:
> ${IPTABLES} -t mangle -A PREROUTING --source ${_fip} --destination ${_sip} \
>     -p ${_proto} -j CONNMARK --set-mark ${_fwmark} -m mark --mark 0
>
Have you tried it as shown at:
http://hom.regit.org/connmark.html
(You need to restore the mark.)
BR,
--
Eric Leblond
* Re: CONNMARK and state RELATED
From: Henrik Nordstrom @ 2004-03-03 7:39 UTC
To: Daniel Chemko; +Cc: Netfilter development mailing list
On Tue, 2 Mar 2004, Daniel Chemko wrote:
> I am using CONNMARK to do policy routing. I use it to select which WAN
> interface the packet will leave the system. It seems that CONNMARK
> doesn't mark related traffic. This makes it very hard to implement what
> I am trying to do.
It does, but you must remember to have the connmark restored into the
packet if you want to use it for routing; this is not automatic. This applies
to both normal and related traffic.
> ${IPTABLES} -t mangle -A PREROUTING --source ${_fip} --destination ${_sip} \
>     -p ${_proto} -j CONNMARK --set-mark ${_fwmark} -m mark --mark 0
This rule only sets the connmark value, not the per-packet packet mark.
Regards
Henrik
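Both replies make the same point: the poster's rule only writes the connection mark, while the routing decision is taken on the per-packet mark, which has to be copied back out of conntrack on every packet (including the first packet of a RELATED connection, whose conntrack entry inherits the master's mark). The script below is an added example, not code from any of the posters or from the page Eric links; it shows one way to lay out such a ruleset. The addresses, interface name, gateway, fwmark value and routing table number are constructed placeholders, and the iptables/ip commands default to echo so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): CONNMARK policy routing with the
# connection mark restored into the packet mark, so every packet of a
# marked connection, and of connections conntrack considers RELATED to
# it (FTP data via the FTP helper), carries the same fwmark.
#
# Constructed values: LAN host 10.0.0.5, server 198.51.100.10, WAN
# interface wan1 with gateway 203.0.113.1, fwmark 1, routing table 100.
# IPTABLES/IP default to "echo ..." so nothing is applied; run with
# IPTABLES=iptables IP=ip to load the rules for real.

IPTABLES=${IPTABLES:-"echo iptables"}
IP=${IP:-"echo ip"}

# Install once, at the top of mangle/PREROUTING, before any classifier.
restore_mark_rules() {
    # 1. Copy the connection mark (if any) into the packet mark. This is
    #    the step the original rule lacks: without it the packet mark stays
    #    0 and the ip rule below never fires, whatever the connmark says.
    $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Packets that now carry a mark belong to an already classified
    #    connection (or one RELATED to it); stop processing the chain.
    $IPTABLES -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
}

# One selector per call, after restore_mark_rules:
#   classify_rules SRC DST PROTO FWMARK
classify_rules() {
    src=$1; dst=$2; proto=$3; mark=$4
    # 3. Still-unmarked traffic matching the selector: set the packet mark ...
    $IPTABLES -t mangle -A PREROUTING -s "$src" -d "$dst" -p "$proto" \
        -m mark --mark 0 -j MARK --set-mark "$mark"
    # 4. ... and save it into the conntrack entry, so the rest of this
    #    connection and its related connections are handled by steps 1-2.
    $IPTABLES -t mangle -A PREROUTING -s "$src" -d "$dst" -p "$proto" \
        -m mark --mark "$mark" -j CONNMARK --save-mark
}

# Send marked packets out of the chosen WAN: policy_route FWMARK TABLE GW DEV
policy_route() {
    mark=$1; table=$2; gw=$3; dev=$4
    $IP rule add fwmark "$mark" table "$table"
    $IP route add default via "$gw" dev "$dev" table "$table"
    # NAT on that interface. The FTP conntrack/NAT helpers must be loaded
    # for the data connection to be tracked as RELATED in the first place.
    $IPTABLES -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
}

main() {
    restore_mark_rules
    classify_rules 10.0.0.5 198.51.100.10 tcp 1
    policy_route 1 100 203.0.113.1 wan1
}

main
```

Order matters: the restore and "already marked" rules must precede every classifier, otherwise a connection's later packets (and its RELATED children) would be re-evaluated against selectors that do not match them and would leave with mark 0. Using `-j MARK` plus `--save-mark` rather than `-j CONNMARK --set-mark` alone keeps the packet mark and the connection mark in step from the very first packet.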