Linux Netfilter discussions
* CONNMARK & state RELATED
@ 2004-03-02 20:18 Daniel Chemko
From: Daniel Chemko @ 2004-03-02 20:18 UTC (permalink / raw)
  To: netfilter

Does anyone know if these two technologies are compatible?

I am using CONNMARK to do policy routing. I use it to select which WAN
interface the packet will leave the system. It seems that CONNMARK
doesn't mark related traffic. This makes it very hard to implement what
I am trying to do.

My rules are as follows:

${IPTABLES} -t mangle -A PREROUTING --source ${_fip} --destination \
${_sip} -p ${_proto} -j CONNMARK --set-mark ${_fwmark} -m mark --mark 0

This rule is what I use to select which traffic goes through which
interface. Since state established can't be matched on what initially
evoked it (like saying "if this packet is established and was
established by FTP from X to Y").

In a NAT situation, how would I route FTP for example so that all the
related sessions are routed back to the same interface. I don't want a
broad rule that just matches all RELATED rules.

Any hints?



* Re: CONNMARK & state RELATED
From: Philip Craig @ 2004-03-03  0:34 UTC (permalink / raw)
  To: Daniel Chemko; +Cc: netfilter

Daniel Chemko wrote:
> Does anyone know if these two technologies are compatible?

Yes, they are compatible.  RELATED connections inherit the conntrack
mark from the parent.

> I am using CONNMARK to do policy routing. I use it to select which WAN
> interface the packet will leave the system. It seems that CONNMARK
> doesn't mark related traffic. This makes it very hard to implement what
> I am trying to do.
> 
> My rules are as follows:
> 
> ${IPTABLES} -t mangle -A PREROUTING --source ${_fip} --destination
> ${_sip} -p ${_proto} -j CONNMARK --set-mark ${_fwmark} -m mark --mark 0

There are two types of marks.  There is a conntrack mark, and there
is a packet mark.

The above rule only sets the conntrack mark.  This conntrack mark
will automatically be set for related connections.

But if you want to do routing based on this mark, you have to copy
it into the packet mark for every packet in the connection:

${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --restore-mark

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
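The complete rule set that the reply implies, written out as an added example (not code from either post): restore the conntrack mark onto every packet first, classify only still-unmarked NEW connections, save the mark back into conntrack, and attach a routing table to the fwmark. The `run` wrapper, the `_wan`/`_gw` parameters and the sample addresses are assumptions; `_fip`, `_sip`, `_proto` and `_fwmark` follow the original post.

```shell
#!/bin/sh
# Added example, not code from the thread: the full rule set the reply implies.
# Assumed names: the run() wrapper, _fip/_sip/_proto/_fwmark from the post plus
# _wan/_gw for the link; the fwmark value doubles as the routing table number.
# Rules are only executed when APPLY=1; otherwise they are printed (dry run).
IPTABLES="${IPTABLES:-iptables}"
IP="${IP:-ip}"

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Classify one flow (from $_fip to $_sip, protocol $_proto) onto one WAN link.
connmark_rules() {
    _fip="$1"; _sip="$2"; _proto="$3"; _fwmark="$4"; _wan="$5"; _gw="$6"
    # 1. Copy the conntrack mark onto every packet before anything else.
    #    RELATED connections (e.g. the FTP data session, which needs the
    #    nf_conntrack_ftp helper loaded) inherit the parent's conntrack mark,
    #    so this one rule gives them the same packet mark as the control session.
    run "$IPTABLES" -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. A packet still at mark 0 belongs to a connection not yet classified;
    #    only the first packet of a new connection needs to match this rule.
    run "$IPTABLES" -t mangle -A PREROUTING -m mark --mark 0 -m state --state NEW \
        -s "$_fip" -d "$_sip" -p "$_proto" -j MARK --set-mark "$_fwmark"
    # 3. Persist the packet mark into the conntrack entry so rule 1 covers the rest.
    run "$IPTABLES" -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
    # 4. Policy routing: anything carrying this mark leaves via this WAN link.
    run "$IP" rule add fwmark "$_fwmark" table "$_fwmark"
    run "$IP" route add default via "$_gw" dev "$_wan" table "$_fwmark"
}

# Dry run with constructed addresses (RFC 5737 documentation ranges): FTP from
# one LAN host to one server is pinned to WAN link eth1 using mark/table 2.
connmark_rules 192.168.1.10 203.0.113.9 tcp 2 eth1 198.51.100.1
```

Run with `APPLY=1` to install the rules; without it the script only prints what it would do, which is a cheap way to review rule order before touching a live gateway.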



