Re: [PATCH 0/3][RFC] Relationship between conntrack and firewall rules

[Pablo Neira Ayuso <pablo@netfilter.org>]

On 21/01/11 12:13, Richard Weinberger wrote:
> Am Freitag 21 Januar 2011, 11:00:48 schrieb Pablo Neira Ayuso:
>> On 21/01/11 00:02, Richard Weinberger wrote:
>>> Am Donnerstag 20 Januar 2011, 23:52:25 schrieb Jan Engelhardt:
>>>> On Thursday 2011-01-20 23:47, Richard Weinberger wrote:
>>>>> Hi,
>>>>>
>>>>> as a firewall admin I would like to see which rules allow
>>>>> the connections through my firewall.
>>>>> A relationship between conntrack and firewall rules would be nice.
>>>>> The next five patches bring this feature to the Linux Netfilter.
>>>>>
>>>>> First a small example.
>>>>> Consider this iptables rules:
>>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j APPROVE --rule-id 1
>>>>> -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j APPROVE --rule-id
>>>>> 2 -A INPUT -p tcp --dport 22 -m state --state NEW -j APPROVE --rule-id
>>>>> 3 -A INPUT -p icmp -m state --state NEW -j APPROVE --rule-id 4
>>>>>
>>>>> The APPROVE target is the same as ACCEPT but it stores also a rule id
>>>>> into the connection tracking entry.
>>>>
>>>> What about connmark? You could have used that. Perhaps combined with the
>>>> use of -j TRACE that can show which rules were processed before a
>>>> verdict was issued.
>>>
>>> Yeah, I know commark and TRACE but they are quite clumsy to use for such
>>> a purpose.
>>
>> Why are the clumsy for this purpose?
> 
> Because I would need more than one iptables command to model a firewall rule.
> Or can you show me a simple iptables configuration using connmark which 
> achieves the same as my APPROVE example above?

Just a couple of extra rules to restore and save the connmark. Right?