From: Andy Furniss <andy.furniss@dsl.pipex.com>
To: Martin Josefsson <gandalf@wlug.westbo.se>
Cc: jamal <hadi@cyberus.ca>, netdev@oss.sgi.com
Subject: Re: IMQ / new Dummy device post.
Date: Sun, 18 Apr 2004 22:58:33 +0100
Message-ID: <4082FA09.2040404@dsl.pipex.com>
In-Reply-To: <1082323432.13261.397.camel@tux.rsn.bth.se>
Martin Josefsson wrote:
> On Sun, 2004-04-18 at 22:53, jamal wrote:
>
>>On Sun, 2004-04-18 at 12:35, Andy Furniss wrote:
>>
>>
>>>Connmark is a netfilter patch which is required by the type of P2P
>>>limiting/marking projects on sf.net that could mark bittorrent traffic.
>>
>>just from the sounds of it, appears it may be able to mark a group of
>>related flows with the same fwmark.
>
>
> connmark is like nfmark but it marks the connection-entry in
> ip_conntrack instead. And then you can "restore" that mark to the nfmark
> of the packet at any time you want with filter rules.
>
>
>>>will be OK with connbytes sometime. I don't really know how to use it,
>>>but if it is possible to mark egress connections in output and have
>>>connmark match their incoming packets that would be a solution. I
>>>haven't got a clue if connmark can do this, though, just speculating.
>>>
>>>Does anyone else know, and why it's not compatible with connbytes?
>>>
>>
>>some of the netfilter people should be able to help.
>
>
> with connmark you mark the connection, and then you can "restore" that
> mark to packets in either direction in the mangle table of iptables.
>
> connmark isn't incompatible with connbytes. It's just that both patches
> modify the same part of the code, a struct, and the patch program can't
> handle that. You'll have to fix some rejects by hand, that's it.
>
Thanks for that - though I hope not to have to use it now, just to
confirm - does it work in all of the 5 mangle tables or more
specifically could I mark every connection from local processes in
output and restore the marks in prerouting?
Andy.
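
Added example (not part of the original message or thread): the mark-then-restore pattern Martin describes above, written as a small generator for an iptables-restore fragment on current iptables. The mark value 0x1, the function name connmark_ruleset, and the availability of the CONNMARK target and the connmark/conntrack matches are assumptions.

```shell
#!/bin/sh
# Added example: print a mangle-table fragment that marks the conntrack entry
# of connections opened by local processes (OUTPUT) and copies that mark back
# onto packets of the same connection as they arrive (PREROUTING).
# Assumed: iptables built with the CONNMARK target, connmark and conntrack matches.
# Load with: connmark_ruleset 0x1 | iptables-restore --noflush   (as root)

# connmark_ruleset MARK -> ruleset on stdout; returns 1 on an unusable mark.
connmark_ruleset() {
    mark=$1
    case $mark in
        0x*) hex=${mark#0x} ;;
        *)   echo "mark must be hex, e.g. 0x1" >&2; return 1 ;;
    esac
    # The mark is a 32-bit field: 1 to 8 hex digits, nothing else.
    case $hex in
        ''|*[!0-9a-fA-F]*|?????????*)
            echo "bad mark: $mark" >&2; return 1 ;;
    esac
    # A mark of 0 is indistinguishable from "never marked", so refuse it.
    case $hex in
        *[!0]*) ;;
        *) echo "mark must be non-zero" >&2; return 1 ;;
    esac
    cat <<EOF
*mangle
# First packet of a locally originated connection: tag the conntrack entry.
-A OUTPUT -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
# Arriving packets of a tagged connection: copy the connection mark to nfmark.
-A PREROUTING -m connmark --mark $mark -j CONNMARK --restore-mark
COMMIT
EOF
}

# Stand-alone use: ./connmark.sh 0x1
if [ $# -gt 0 ]; then
    connmark_ruleset "$1"
fi
```

Because the mark lives on the connection entry rather than on a single packet, later mangle rules or tc fw filters only need to test the restored nfmark.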