How to use mark and connmark in one rule

How to use mark and connmark in one rule

[Tino Keitel]

Hi folks,

when I try to use the mark and connmark extensions in one rule, I get
an error:

$ iptables -A INPUT -m mark --mark 1 -m connmark --mark 2
iptables v1.4.2: mark: "--mark" option may only be specified once

Is this intended? If not, is there a way to make this work with a stock
iptables, or do I have to patch the source and rename one of the
options?

Regards,

-- 
Tino Keitel
Software Engineer
 
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.921028-206
Fax: +49.30.921028-020
Rudower Chaussee 13
12489 Berlin / Germany
http://www.innominate.com/

Register Court: AG Charlottenburg, HRB 81603 Management Board: Dirk
Seewald, Chairman of the Supervisory Board: Volker Bibelhausen

Re: How to use mark and connmark in one rule

[Brian Austin - Standard Universal]

to do this would be faster than patching and etc..

iptables -A INPUT -m mark --mark 1 
iptables -A INPUT -m connmark --mark 2

regards

Brian


Tino Keitel wrote:
> Hi folks,
>
> when I try to use the mark and connmark extensions in one rule, I get
> an error:
>
> $ iptables -A INPUT -m mark --mark 1 -m connmark --mark 2
> iptables v1.4.2: mark: "--mark" option may only be specified once
>
> Is this intended? If not, is there a way to make this work with a stock
> iptables, or do I have to patch the source and rename one of the
> options?
>
> Regards,
>
>   

Re: How to use mark and connmark in one rule

[Brian Austin - Standard Universal]

that should be 2 separate lines.. stupid email

iptables -A INPUT -m mark --mark 1

iptables -A INPUT -m connmark --mark 2



Brian Austin - Standard Universal wrote:
> to do this would be faster than patching and etc..
>
> iptables -A INPUT -m mark --mark 1 iptables -A INPUT -m connmark --mark 2
>
> regards
>
> Brian
>
>
> Tino Keitel wrote:
>> Hi folks,
>>
>> when I try to use the mark and connmark extensions in one rule, I get
>> an error:
>>
>> $ iptables -A INPUT -m mark --mark 1 -m connmark --mark 2
>> iptables v1.4.2: mark: "--mark" option may only be specified once
>>
>> Is this intended? If not, is there a way to make this work with a stock
>> iptables, or do I have to patch the source and rename one of the
>> options?
>>
>> Regards,
>>
>>   
> -- 
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How to use mark and connmark in one rule

[Gáspár Lajos]

Hi!

Tino Keitel írta:
> $ iptables -A INPUT -m mark --mark 1 -m connmark --mark 2
> iptables v1.4.2: mark: "--mark" option may only be specified once
>
> Is this intended? If not, is there a way to make this work with a stock
> iptables, or do I have to patch the source and rename one of the
> options?
>   
If you want then rename one of the options...
The problem is that both connmark and mark have a --mark option...
But you may check the manual... :D --save-mark may be your friend...

Swifty

Re: How to use mark and connmark in one rule

[Tino Keitel]

On Fri, Apr 24, 2009 at 15:40:53 +0200, Gáspár Lajos wrote:
> Hi!
>
> Tino Keitel írta:
>> $ iptables -A INPUT -m mark --mark 1 -m connmark --mark 2
>> iptables v1.4.2: mark: "--mark" option may only be specified once
>>
>> Is this intended? If not, is there a way to make this work with a stock
>> iptables, or do I have to patch the source and rename one of the
>> options?
>>   
> If you want then rename one of the options...
> The problem is that both connmark and mark have a --mark option...

Yes, that's why I renamed the connmark parameter to --conmark to make
it work. But I want to be sure that I don't break something (except for
all scripts that use -m connmark --mark), or if there is a way to even
make this work without patching.

> But you may check the manual... :D --save-mark may be your friend...

Not in this case.

Regards,
Tino

Re: How to use mark and connmark in one rule

[Gáspár Lajos]

Tino Keitel írta:
>> If you want then rename one of the options...
>> The problem is that both connmark and mark have a --mark option...
>>     
>
> Yes, that's why I renamed the connmark parameter to --conmark to make
> it work. But I want to be sure that I don't break something (except for
> all scripts that use -m connmark --mark), or if there is a way to even
> make this work without patching.
>
>   
I think that you won't break anything... just those scripts...
>> But you may check the manual... :D --save-mark may be your friend...
>>     
>
> Not in this case.
>
>   
Why not?

Swifty

Re: How to use mark and connmark in one rule

[Pascal Hambourg]

Hello,

Gáspár Lajos a écrit :
> 
> Tino Keitel írta:
>> $ iptables -A INPUT -m mark --mark 1 -m connmark --mark 2
>> iptables v1.4.2: mark: "--mark" option may only be specified once
>>
>> Is this intended? If not, is there a way to make this work with a stock
>> iptables, or do I have to patch the source and rename one of the
>> options?
>>   
> If you want then rename one of the options...
> The problem is that both connmark and mark have a --mark option...

I just wonder why a match looks for options beyond the next -m which 
starts a new match.

Re: How to use mark and connmark in one rule

[Gáspár Lajos]

Pascal Hambourg írta:
>> The problem is that both connmark and mark have a --mark option...
>
> I just wonder why a match looks for options beyond the next -m which 
> starts a new match.
Maybe I am wrong, but as I know the iptables GIVES the options to the 
match...
So there is no command line parsing/looking for options by the match...

I think it is happens like this:
1. iptables checks the command line for matches and loads them,
2. every match registers its "extra_opts" in an internal table, (this 
time connmark and mark registers the same "mark" option.)
3. iptables checks the remaining command line options against the table.
4. if the option found in the table then the match will decide the 
option's fate (with the "parse" callback function).
The first registered match having "mark" option gets called every time a 
"mark" found in the command line.
And because this option is not allowed twice the match gives an error 
message.

Swifty

Re: How to use mark and connmark in one rule

[Pascal Hambourg]

Gáspár Lajos a écrit :
> 
> I think it is happens like this:
> 1. iptables checks the command line for matches and loads them,
> 2. every match registers its "extra_opts" in an internal table, (this 
> time connmark and mark registers the same "mark" option.)
> 3. iptables checks the remaining command line options against the table.
> 4. if the option found in the table then the match will decide the 
> option's fate (with the "parse" callback function).

Well, then I rephrase : why does iptables pass to the match options 
which are beyond the next -m ? It seems obvious to me that those options 
belong to the next matches. Is it an accepted practice to order matches 
and options randomly ? If yes, then non-exclusive matches should not be 
allowed to have the same options.

Re: How to use mark and connmark in one rule

[Tino Keitel]

On Fri, Apr 24, 2009 at 23:39:44 +1000, Brian Austin - Standard Universal wrote:
> that should be 2 separate lines.. stupid email
>
> iptables -A INPUT -m mark --mark 1
>
> iptables -A INPUT -m connmark --mark 2

I want to match packets with both a specific nfmark _and_ a specific
connmark, so I need both matches in one rule.

Regards,

-- 
Tino Keitel
Software Engineer
 
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.921028-206
Fax: +49.30.921028-020
Rudower Chaussee 13
12489 Berlin / Germany
http://www.innominate.com/

----------------------------------------------------------------
Visit us at the Hannover Messe in Germany
20 - 24 April 2009, Hall 9, Stand F54
----------------------------------------------------------------

Register Court: AG Charlottenburg, HRB 81603 Management Board: Dirk
Seewald, Chairman of the Supervisory Board: Volker Bibelhausen

INNOMINATE HAS MOVED. PLEASE NOTE THAT OUR BUSINESS CONTACT DATA HAS
CHANGED.

Re: How to use mark and connmark in one rule

[Tino Keitel]

On Fri, Apr 24, 2009 at 15:55:42 +0200, Gáspár Lajos wrote:
> Tino Keitel írta:
>>> If you want then rename one of the options...
>>> The problem is that both connmark and mark have a --mark option...
>>>     
>>
>> Yes, that's why I renamed the connmark parameter to --conmark to make
>> it work. But I want to be sure that I don't break something (except for
>> all scripts that use -m connmark --mark), or if there is a way to even
>> make this work without patching.
>>
>>   
> I think that you won't break anything... just those scripts...

Great, thanks.

Regards,

-- 
Tino Keitel
Software Engineer
 
Innominate Security Technologies AG
/protecting industrial networks/
Tel: +49.30.921028-206
Fax: +49.30.921028-020
Rudower Chaussee 13
12489 Berlin / Germany
http://www.innominate.com/

----------------------------------------------------------------
Visit us at the Hannover Messe in Germany
20 - 24 April 2009, Hall 9, Stand F54
----------------------------------------------------------------

Register Court: AG Charlottenburg, HRB 81603 Management Board: Dirk
Seewald, Chairman of the Supervisory Board: Volker Bibelhausen

INNOMINATE HAS MOVED. PLEASE NOTE THAT OUR BUSINESS CONTACT DATA HAS
CHANGED.

Re: How to use mark and connmark in one rule

[Pascal Hambourg]

Tino Keitel a écrit :
> On Fri, Apr 24, 2009 at 23:39:44 +1000, Brian Austin - Standard Universal wrote:
>>
>> iptables -A INPUT -m mark --mark 1
>> iptables -A INPUT -m connmark --mark 2
> 
> I want to match packets with both a specific nfmark _and_ a specific
> connmark, so I need both matches in one rule.

Not necessarily. For example with user-defined chains :

iptables -A INPUT -m mark --mark 1 -j mark1
iptables -A mark1 -m connmark --mark 2