Differences between -j MARK and -j CONNMARK

Differences between -j MARK and -j CONNMARK

[Omar Garcia]

Hi list,

What`s the differences between these two groups of rules.?????
In the first i use MARK --set-mark to mark packets and in the other i use CONNMARK --set-mark

1.
    # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
    # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
    # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 30
    # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j MARK --set-mark 30
    # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark

2.
    # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
    # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
    # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j CONNMARK --set-mark 30
    # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j CONNMARK --set-mark 30
    # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark


Regards.
Thanks

Re: Differences between -j MARK and -j CONNMARK

[Vinod Chandran]

Hi,

As far as I know,CONNMARK sets the mark value of the connection tracking 
entry, while MARK sets the mark value of the packet.

Omar Garcia wrote:

>Hi list,
>
>What`s the differences between these two groups of rules.?????
>In the first i use MARK --set-mark to mark packets and in the other i use CONNMARK --set-mark
>
>1.
>    # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
>    # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
>    # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 30
>    # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j MARK --set-mark 30
>    # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
> >>>> Here u are changing the mark value of the packet while the mark value of the connection track entry remains the same. The mark value is applicable to the current packet.
>  
>
   


>2.
>    # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
>    # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
>    # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j CONNMARK --set-mark 30
>    # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j CONNMARK --set-mark 30
>    # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
>
>>>>> Here the mark value of the conntrack is changed, which is applied to the next packet ownwards.
>  
>

>Regards.
>Thanks
>
>  
>
Enjoi,
Vinod

Re: Differences between -j MARK and -j CONNMARK

[Jason Opperisano]

On Fri, 2005-02-11 at 04:52, Omar Garcia wrote:
> Hi list,
> 
> What`s the differences between these two groups of rules.?????
> In the first i use MARK --set-mark to mark packets and in the other i use CONNMARK --set-mark
> 
> 1.
>     # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
>     # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
>     # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 30
>     # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j MARK --set-mark 30
>     # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
> 
> 2.
>     # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
>     # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
>     # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j CONNMARK --set-mark 30
>     # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j CONNMARK --set-mark 30
>     # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark

first off--i'm sure this is just your typed example, but you *do*
realize that using -I in every rule results in your rules ending up in
reverse order, right?  that is, your first group of commands will result
in the following rules:

  *mangle
  -A POSTROUTING -j CONNMARK --save-mark
  -A POSTROUTING -m ipp2p --bit -j MARK --set-mark 30
  -A POSTROUTING -m ipp2p --ipp2p -j MARK --set-mark 30
  -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
  -A POSTROUTING -j CONNMARK --restore-mark

which is most certainly *not* the order you want when using
--restore-mark and --save mark.

anyways--to your actual question--i have found that version 1; i.e using
-j MARK --set-mark instead of -j CONNMARK --set-mark, is more reliable. 
i have no idea why this is.  i have a feeling that the CONNMARK target
uses more intelligence to determine whether this packet should be marked
or not.  -j MARK --set-mark will just simply mark the packet; no fuss,
no muss, and then -j CONNMARK --save-mark will save it to the conntrack
table to be restored on the next packet in the connection--which is
exactly what you want.

-j

--
"Alright brain, you don't like me and I don't like you. But let's just
 get through this and then I can get back to killing you with beer."
	--The Simpsons

Re: Differences between -j MARK and -j CONNMARK

[Omar Garcia]

----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, February 11, 2005 1:40 PM
Subject: Re: Differences between -j MARK and -j CONNMARK
> 
> first off--i'm sure this is just your typed example, but you *do*
> realize that using -I in every rule results in your rules ending up in
> reverse order, right?  that is, your first group of commands will result
> in the following rules:
> 
>   *mangle
>   -A POSTROUTING -j CONNMARK --save-mark
>   -A POSTROUTING -m ipp2p --bit -j MARK --set-mark 30
>   -A POSTROUTING -m ipp2p --ipp2p -j MARK --set-mark 30
>   -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
>   -A POSTROUTING -j CONNMARK --restore-mark
> 
> which is most certainly *not* the order you want when using
> --restore-mark and --save mark.

Yes, of course. It was a mistake.
Thanks. 


> anyways--to your actual question--i have found that version 1; i.e using
> -j MARK --set-mark instead of -j CONNMARK --set-mark, is more reliable. 
> i have no idea why this is.  i have a feeling that the CONNMARK target
> uses more intelligence to determine whether this packet should be marked
> or not.  -j MARK --set-mark will just simply mark the packet; no fuss,
> no muss, and then -j CONNMARK --save-mark will save it to the conntrack
> table to be restored on the next packet in the connection--which is
> exactly what you want.

Thanks 



> 
> --
> "Alright brain, you don't like me and I don't like you. But let's just
>  get through this and then I can get back to killing you with beer."
> --The Simpsons
> 
> 
> 

Re: Differences between -j MARK and -j CONNMARK

[Ian! D. Allen]

> i have found that version 1; i.e using -j MARK --set-mark instead of
> -j CONNMARK --set-mark, is more reliable.  i have no idea why this is.

Here's why:

Version 1:
a) iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
b) iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
c) iptables -A POSTROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 30
d) iptables -A POSTROUTING -t mangle -m ipp2p --bit -j MARK --set-mark 30
e) iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

Version 1 Explanation:
 a) copy the connection mark (may or may not be zero) to the packet mark
 b) if this packet now has a mark, accept it (and leave the chain)
 c+d) possibly set the packet mark using the ipp2p module
 e) copy the packet mark (may or may not be zero) to the connection mark

In other words, the above marks a packet and then copies the mark to
the connection mark.  That means *all* the packets are marked, even
the very first one.  Once a connection is marked, all further packets
inherit that mark.  This is what you want.

Version 2:
a) iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
b) iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
c) iptables -A POSTROUTING -t mangle -m ipp2p --ipp2p -j CONNMARK --set-mark 30
d) iptables -A POSTROUTING -t mangle -m ipp2p --bit -j CONNMARK --set-mark 30
e) iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

Version 2 Explanation:
 a) copy the connection mark (may or may not be zero) to the packet mark
 b) if this packet now has a mark, accept it (and leave the chain)
 c+d) possibly set the connection mark using the ipp2p module
 e) copy the zero packet mark to the connection mark, overwriting the
    good work just done by c) and d) with zero [THIS IS BAD]

In other words, Method #2 doesn't work.  It never sets any new connection
marks.  The only time it might stagger along is if you happen to already
have some connection marks from some other rules - Method 2 will use
those existing connection marks to mark packets.  But it will never
create any new connection marks.

If you replace the last rule in either version with this one:

e) iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j CONNMARK --save-mark
   (only transfer the packet mark to the connection mark if it is not zero)

then you'll have a count of the number of *new* connection marks being
created.  You'll see that Version 2 always creates zero new marks...

-- 
-IAN!  Ian! D. Allen   Ottawa, Ontario, Canada
       EMail: idallen@idallen.ca   WWW: http://www.idallen.com/
       College professor (Linux) via: http://teaching.idallen.com/
       Support free and open public digital rights:  http://eff.org/