From: Carl-Daniel Hailfinger
Subject: Re: ip_conntrack_tuple and marks
Date: Sun, 24 Sep 2006 19:57:30 +0200
Message-ID: <4516C70A.3050502@gmx.net>
References: <451448A9.6000407@gmx.net> <4515F7F8.9030000@netfilter.org>
In-Reply-To: <4515F7F8.9030000@netfilter.org>
To: Pablo Neira Ayuso
Cc: Netfilter Development Mailinglist
List-Id: netfilter-devel.vger.kernel.org

Pablo Neira Ayuso wrote:
> Carl-Daniel Hailfinger wrote:
>>
>> is it possible to add a nfmark field to ip_conntrack_tuple
>> so that only packets with a certain mark set are matched to
>> a connection? I'm trying to filter/nat multiple independent
>> connections with the same ip/proto/port tuples on both sides
>> and the only distinguishing property of the different
>> connections is their nfmark. Using NOTRACK doesn't help
>> because it can only exclude packets from tracking, not
>> match packets to different expectations.
>
> Could the connmark match/target be what you need?

Unfortunately, connmark does exactly the opposite of what I'm trying
to achieve.

connmark: get/set fwmark based on flow

my problem: handle different flows with identical
srcip/dstip/sport/dport/proto tuples where the only difference is the
packet fwmark

Example (what I hope to get working):

SYN packet from 10.0.0.1:1024->10.0.0.2:80 fwmark 1 creates one
connection.
SYN packet from 10.0.0.1:1024->10.0.0.2:80 fwmark 2 creates another
connection independent of the first.

Current netfilter code considers both packets to belong to the same
connection.

Regards,
Carl-Daniel
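A constructed model of the lookup the mail describes, added here as an illustration and not code from the netfilter project: the address, port and protocol fields of the conntrack tuple are compared with and without a hypothetical nfmark field, showing that the two SYNs above collapse into one connection under the current key and become two if the mark were part of it. The struct, function names and the toy table are assumptions for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the conntrack lookup key: the address, port and protocol
 * fields of ip_conntrack_tuple plus a hypothetical nfmark field. */
struct tuple_model {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
    uint32_t nfmark;  /* hypothetical: not part of the real tuple */
};

/* Compare as the current lookup does (mark ignored) or with the mark in the key. */
static bool tuple_equal(const struct tuple_model *a,
                        const struct tuple_model *b, bool key_on_mark)
{
    if (a->src != b->src || a->dst != b->dst || a->sport != b->sport ||
        a->dport != b->dport || a->proto != b->proto)
        return false;
    return !key_on_mark || a->nfmark == b->nfmark;
}

#define MAX_CT 8
/* Feed packets through a toy conntrack table; return how many distinct
 * connection entries they create under the chosen keying rule. */
static int count_connections(const struct tuple_model *pkts, int n,
                             bool key_on_mark)
{
    struct tuple_model table[MAX_CT];
    int entries = 0;
    for (int i = 0; i < n; i++) {
        bool found = false;
        for (int j = 0; j < entries && !found; j++)
            found = tuple_equal(&table[j], &pkts[i], key_on_mark);
        if (!found && entries < MAX_CT)
            table[entries++] = pkts[i];
    }
    return entries;
}

/* The two SYNs from the mail: 10.0.0.1:1024 -> 10.0.0.2:80, TCP, fwmark 1 and 2 */
static const struct tuple_model syn_pkts[2] = {
    { 0x0a000001, 0x0a000002, 1024, 80, 6, 1 },
    { 0x0a000001, 0x0a000002, 1024, 80, 6, 2 },
};

int main(void)
{
    printf("current key: %d connection(s)\n", count_connections(syn_pkts, 2, false));
    printf("mark-aware key: %d connection(s)\n", count_connections(syn_pkts, 2, true));
    return 0;
}
```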