Linux Netfilter discussions
From: Peter Warasin <peter@endian.com>
To: "Jörg Lübbert" <j.luebbert@login-lanstation.de>
Cc: netfilter@vger.kernel.org
Subject: Re: CONNMARK udp comprehension question
Date: Fri, 30 Nov 2007 17:50:33 +0100
Message-ID: <47503F59.8040102@endian.com>
In-Reply-To: <474B7458.1090307@login-lanstation.de>

Hi Jörg

Thanks for your answer. Much appreciated!

Jörg Lübbert wrote:
> This might help you without the need to mess with marks.
> For each uplink interface with an incremental $x
> alternatively use -j CONNMARK --restore-mark in -t mangle PREROUTING so
> that ip rules can match the mark or as a 3rd option use the ROUTE target.


Actually I have it already like you mentioned:

----------------------------
ip rule add from 192.168.75.0/24 lookup uplink-uplink1
ip route add default via 192.168.75.1 table uplink-uplink1

ip rule add from 192.168.69.0/24 lookup uplink-main
ip route add default via 192.168.69.1 table uplink-main
----------------------------

This should be OK for connections starting from the box, but it seems that
it is not for UDP connections.

This works for connections passing through the box and also for TCP
connections going to the box.

----------------------------
ip rule add prio 200 fwmark 0x20 lookup uplink-uplink1
ip rule add prio 200 fwmark 0x40 lookup uplink-main

-A PREROUTING -j INMARK -m state --state NEW
-A PREROUTING -j STOREMARK -m state ! --state NEW
-A INPUT -j INMARK -m state --state NEW
-A OUTPUT -j STOREMARK -m state ! --state NEW

-A INMARK -i eth3 -j CONNMARK --set-mark 0x20
-A INMARK -i eth4 -j CONNMARK --set-mark 0x40

-A STOREMARK -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
----------------------------


But not for UDP.

Shouldn't this work?

If I put in ULOG rules I see that UDP packets certainly will be
marked when coming in but don't have a mark when going out.

Just to know that I am not completely wrong.

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter@endian.com
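The rule set in the mail above is shown as an iptables-save fragment with the table and chain creation left implicit. Below is an added example, not code from the original mail or from Endian, that assembles the same multi-uplink setup as a reviewable script: the source-based and fwmark-based ip rules, the per-uplink default routes, and the mangle-table INMARK/STOREMARK chains that mark NEW connections by ingress interface and restore that mark onto every later packet. The interface names, subnets, gateways, table names and mark values are the ones quoted in the mail, but the script treats them as parameters; the DRY_RUN switch and the chain-creation commands are assumptions added here. With DRY_RUN=1 (the default) it only prints the commands, so the plan can be checked before it is applied.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the policy-routing and
# CONNMARK rules for a box with several uplinks. DRY_RUN=1 prints each command
# instead of executing it. Interfaces, subnets, gateways, tables and marks are
# passed in as parameters; the values used in plan() are assumptions.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Shared mangle-table scaffolding (assumed chain names INMARK / STOREMARK):
#  - NEW connections are sent to INMARK, which tags the conntrack entry by
#    ingress interface (PREROUTING for forwarded traffic, INPUT for local);
#  - every later packet gets the saved connection mark restored, in
#    PREROUTING for forwarded packets and in OUTPUT for locally generated
#    replies, so the fwmark ip rules can route them back out the same uplink.
common_rules() {
    run iptables -t mangle -N INMARK
    run iptables -t mangle -N STOREMARK
    run iptables -t mangle -A STOREMARK -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m state --state NEW -j INMARK
    run iptables -t mangle -A PREROUTING -m state ! --state NEW -j STOREMARK
    run iptables -t mangle -A INPUT -m state --state NEW -j INMARK
    run iptables -t mangle -A OUTPUT -m state ! --state NEW -j STOREMARK
}

# uplink_rules IFACE SUBNET GATEWAY TABLE MARK
# Per-uplink pieces: source-address rule, default route in the uplink's
# table, fwmark rule for marked reply traffic, and the INMARK tagging rule.
# TABLE must be a name defined in /etc/iproute2/rt_tables (or a number).
uplink_rules() {
    iface=$1; subnet=$2; gw=$3; table=$4; mark=$5
    run ip rule add from "$subnet" lookup "$table"
    run ip route add default via "$gw" table "$table"
    run ip rule add prio 200 fwmark "$mark" lookup "$table"
    run iptables -t mangle -A INMARK -i "$iface" -j CONNMARK --set-mark "$mark"
}

# plan: the complete rule set for two uplinks (values are assumptions that
# mirror the ones in the mail). Emits 7 common + 4 per-uplink commands.
plan() {
    common_rules
    uplink_rules eth3 192.168.75.0/24 192.168.75.1 uplink-uplink1 0x20
    uplink_rules eth4 192.168.69.0/24 192.168.69.1 uplink-main 0x40
}

# Only act when executed directly, not when sourced for review or testing.
case "$0" in
    *multi_uplink*) plan ;;
esac
```

Run it as `DRY_RUN=1 sh multi_uplink.sh` to review the generated commands, then with `DRY_RUN=0` as root to apply them. The OUTPUT rule is the one that matters for replies the box itself generates: without a restored mark at that point, a locally generated reply never matches the `fwmark` rules and falls back to the main table, which is the symptom described in the mail for UDP.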

Thread overview:
2007-11-26 20:28 CONNMARK udp comprehension question Peter Warasin
2007-11-26 21:02 ` Martijn Lievaart
2007-11-27  1:35 ` Jörg Lübbert
2007-11-30 16:50   ` Peter Warasin [this message]
