From: Philip Craig <philipc@snapgear.com>
To: Daniel Chemko <dchemko@smgtec.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: CONNMARK & state RELATED
Date: Wed, 03 Mar 2004 10:34:45 +1000
Message-ID: <40452825.8020705@snapgear.com>
In-Reply-To: <7C9884991ADAE0479C14F10C858BCDF5122F03@alderaan.smgtec.com>
Daniel Chemko wrote:
> Does anyone know if these two technologies are compatible?
Yes, they are compatible. RELATED connections inherit the conntrack
mark from the parent.
> I am using CONNMARK to do policy routing. I use it to select which WAN
> interface the packet will leave the system. It seems that CONNMARK
> doesn't mark related traffic. This makes it very hard to implement what
> I am trying to do.
>
> My rules are as follows:
>
> ${IPTABLES} -t mangle -A PREROUTING --source ${_fip} --destination
> ${_sip} -p ${_proto} -j CONNMARK --set-mark ${_fwmark} -m mark --mark 0
There are two types of marks. There is a conntrack mark, and there
is a packet mark.
The above rule only sets the conntrack mark. This conntrack mark
will automatically be set for related connections.
But if you want to do routing based on this mark, you have to copy
it into the packet mark for every packet in the connection:
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --restore-mark
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
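The two-mark scheme from the reply above, written out as an added example (not code from the thread): classify NEW connections with a conntrack mark, copy it into the packet mark for every packet so RELATED packets are routed too, then select a routing table on that packet mark. The interface names, subnet, ports, table ids and gateways are assumed placeholders; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders are assumptions:
# eth1/eth2 as two WAN links, tables 101/102, marks 1 and 2.
IPTABLES=${IPTABLES:-iptables}

# Print each command; execute it only when DRY_RUN=0 (needs root).
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-1}" = 0 ] && "$@"
    return 0
}

# Step 1: classify only NEW connections. The conntrack mark is set once
# per connection; RELATED connections (e.g. FTP data) inherit it from the
# parent, so they need no rule of their own.
classify_new() {   # $1 = fwmark, remaining args = match spec
    mark=$1; shift
    run "$IPTABLES" -t mangle -A PREROUTING -m state --state NEW "$@" \
        -j CONNMARK --set-mark "$mark"
}

# Step 2: copy the conntrack mark into the packet mark for EVERY packet,
# RELATED ones included. Routing only ever sees the packet mark. This rule
# must come after the set-mark rules so the first packet is marked too.
restore_mark() {
    run "$IPTABLES" -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

# Step 3: route on the packet mark, one table per WAN link.
policy_route() {   # $1 = fwmark, $2 = table id, $3 = WAN iface, $4 = gateway
    run ip rule add fwmark "$1" table "$2"
    run ip route add default via "$4" dev "$3" table "$2"
}

# Assumed policy: web traffic leaves via eth1, FTP control (and thus its
# RELATED data connections) via eth2.
build_ruleset() {   # $1 = eth1 gateway, $2 = eth2 gateway
    classify_new 1 -s 192.168.1.0/24 -p tcp --dport 80
    classify_new 2 -s 192.168.1.0/24 -p tcp --dport 21
    restore_mark
    policy_route 1 101 eth1 "$1"
    policy_route 2 102 eth2 "$2"
}
```

To confirm the inheritance on a live box, list the conntrack table and check that the FTP data entries carry the same mark as the control connection.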