From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: MARK and CONNMARK
Date: Wed, 16 Jul 2008 10:09:47 -0500
Message-ID: <487E0F3B.3070904@riverviewtech.net>
In-Reply-To: <200807161233.51463.vladislav.kurz@webstep.net>
On 07/16/08 05:33, Vladislav Kurz wrote:
> Ok, I can read this, but I just wonder what the difference is and how
> I can use connmark. Just marking connections for fun? What other uses
> are they for?

The first thing that you need to realize about MARK is that it is only
good while the packets are in the kernel. This means that the mark is
only retained from the point the packet comes in an interface and goes
out an interface or goes out to a local process. Said another way: when
a packet comes in, gets marked, and goes out, and the reply comes back
in, the mark is no longer there (because from the firewall's point of
view the reply is a completely different packet).

This is where CONNMARK comes into play. CONNMARK is actually not used
to filter so much as it is used to remember a given packet's mark across
different packets. To re-use the above analogy, you would check to see
if there is a CONNMARK associated with a packet and, if there is, use it
to set the MARK. If the MARK has not been set (no stored CONNMARK) you
would set it yourself. Before the packet leaves the system you would
store the MARK to the CONNMARK for later use.

Think of MARK as simple stateless filtering and CONNMARK as the state
that is stored across packets.

Does that help?

Grant. . . .
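The restore / decide / save sequence Grant describes, written out as mangle-table rules. This is an added example, not part of the thread; the mark value 1 for tcp/22, the FWMARK_SSH name and the dry-run helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): the CONNMARK
# restore -> decide -> save pattern from Grant's reply, as iptables
# mangle-table rules. FWMARK_SSH=1 for tcp/22 is a constructed value.
IPT="${IPT:-iptables}"
FWMARK_SSH=1

# Emit one mangle-table rule through $IPT. With IPT=echo this is a
# dry run that only prints the rule instead of loading it.
rule() { "$IPT" -t mangle "$@"; }

connmark_rules() {
    # 1. Restore: copy the mark stored on the connection (if any) onto
    #    this packet. Replies hit this too, since conntrack pairs both
    #    directions into one entry, which is what plain MARK cannot do.
    rule -A PREROUTING -j CONNMARK --restore-mark
    # 2. Already marked (mark != 0): the decision was made on an earlier
    #    packet of this connection, so skip re-evaluating the policy.
    rule -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. First packet of a new connection: decide the MARK yourself.
    rule -A PREROUTING -p tcp --dport 22 -j MARK --set-mark "$FWMARK_SSH"
    # 4. Save: store the packet MARK into the CONNMARK for later packets.
    rule -A PREROUTING -j CONNMARK --save-mark
}

# Dry-run helper: returns the four rules as text without touching the
# kernel, so the ruleset can be inspected (or tested) as a normal user.
render_rules() { ( IPT=echo; connmark_rules ); }

case "${1:-}" in
    apply) connmark_rules ;;   # load for real (needs root and iptables)
    *)     render_rules ;;     # default: print what would be loaded
esac
```

Run as `sh connmark.sh apply` to load the rules; without an argument it only prints them.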