MARKing packets
Henrik Nordstrom
hno@marasystems.com
Fri, 23 Nov 2001 10:56:38 +0100
--------------Boundary-00=_EMZ8U8P4FSZV0RB7SH0P
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
You can do exactly this with my CONNMARK patch, which has been posted here
countless times and still awaits a verdict on whether it can
be put into patch-o-matic or not...
Regards
Henrik Nordström
MARA Systems AB
Sweden
On Friday 23 November 2001 02.27, Nigel Kukard wrote:
> Hi,
>
> i was just wondering, is marking SYN packets persistent across all future
> packets... eg. if i mark the SYN packet of a connection, will all other
> packets in future associated with that connection carry the same mark
> value?
>
>
>
> TIA
> Nigel Kukard
--------------Boundary-00=_EMZ8U8P4FSZV0RB7SH0P
Content-Type: text/x-diff;
charset="iso-8859-1";
name="netfilter-CONNMARK.patch"
Content-Transfer-Encoding: 8bit
Content-Description: Netfilter connection marking
Content-Disposition: attachment; filename="netfilter-CONNMARK.patch"
Index: netfilter/userspace/extensions/.CONNMARK-test
===================================================================
RCS file: netfilter/userspace/extensions/.CONNMARK-test
diff -N netfilter/userspace/extensions/.CONNMARK-test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/extensions/.CONNMARK-test 10 May 2001 06:55:49 -0000
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_CONNMARK.c ] && echo CONNMARK
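Review bot: `$KERNEL_DIR` is expanded unquoted inside the `[ -f ... ]` test, so a kernel path containing whitespace makes `[` fail with "too many arguments" instead of reporting that the file is missing. Quote the expansion: `[ -f "$KERNEL_DIR/net/ipv4/netfilter/ipt_CONNMARK.c" ] && echo CONNMARK`. The `.connmark-test` hunk below has the same form and takes the same fix.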
Index: netfilter/userspace/extensions/.connmark-test
===================================================================
RCS file: netfilter/userspace/extensions/.connmark-test
diff -N netfilter/userspace/extensions/.connmark-test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/extensions/.connmark-test 10 May 2001 06:55:49 -0000
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_connmark.c ] && echo connmark
Index: netfilter/userspace/extensions/libipt_CONNMARK.c
===================================================================
RCS file: netfilter/userspace/extensions/libipt_CONNMARK.c
diff -N netfilter/userspace/extensions/libipt_CONNMARK.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/extensions/libipt_CONNMARK.c 10 May 2001 06:55:50 -0000
@@ -0,0 +1,167 @@
+/* Shared library add-on to iptables to add CONNMARK target support. */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
+
+#if 0
+struct markinfo {
+ struct ipt_entry_target t;
+ struct ipt_connmark_target_info mark;
+};
+#endif
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"CONNMARK target v%s options:\n"
+" --set-mark value Set conntrack mark value\n"
+" --save-mark Save the packet nfmark on the connection\n"
+" --restore-mark Restore saved nfmark value\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "set-mark", 1, 0, '1' },
+ { "save-mark", 0, 0, '2' },
+ { "restore-mark", 0, 0, '3' },
+ { 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ipt_entry_target *t, unsigned int *nfcache)
+{
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ struct ipt_entry_target **target)
+{
+ struct ipt_connmark_target_info *markinfo
+ = (struct ipt_connmark_target_info *)(*target)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ markinfo->mode = IPT_CONNMARK_SET;
+ markinfo->mark = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --set-mark twice");
+ *flags = 1;
+ break;
+ case '2':
+ markinfo->mode = IPT_CONNMARK_SAVE;
+ if (*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --save-mark twice");
+ *flags = 1;
+ break;
+ case '3':
+ markinfo->mode = IPT_CONNMARK_RESTORE;
+ if (*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Can't specify --restore-mark twice");
+ *flags = 1;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "CONNMARK target: Parameter --set-mark is required");
+}
+
+static void
+print_mark(unsigned long mark, int numeric)
+{
+ printf("0x%lx ", mark);
+}
+
+/* Prints out the targinfo. */
+static void
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_target *target,
+ int numeric)
+{
+ const struct ipt_connmark_target_info *markinfo =
+ (const struct ipt_connmark_target_info *)target->data;
+ switch (markinfo->mode) {
+ case IPT_CONNMARK_SET:
+ printf("CONNMARK set ");
+ print_mark(markinfo->mark, numeric);
+ break;
+ case IPT_CONNMARK_SAVE:
+ printf("CONNMARK save ");
+ break;
+ case IPT_CONNMARK_RESTORE:
+ printf("CONNMARK restore ");
+ break;
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE ");
+ break;
+ }
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
+{
+ const struct ipt_connmark_target_info *markinfo =
+ (const struct ipt_connmark_target_info *)target->data;
+
+ switch (markinfo->mode) {
+ case IPT_CONNMARK_SET:
+ printf("--set-mark 0x%lx ", markinfo->mark);
+ break;
+ case IPT_CONNMARK_SAVE:
+ printf("--save-mark ");
+ break;
+ case IPT_CONNMARK_RESTORE:
+ printf("--restore-mark ");
+ break;
+ default:
+ printf("ERROR: UNKNOWN CONNMARK MODE ");
+ break;
+ }
+}
+
+struct iptables_target mark
+= { NULL,
+ "CONNMARK",
+ NETFILTER_VERSION,
+ IPT_ALIGN(sizeof(struct ipt_connmark_target_info)),
+ IPT_ALIGN(sizeof(struct ipt_connmark_target_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_target(&mark);
+}
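Review bot: The message in `final_check` tells the user that `--set-mark` is required, but `parse` sets `*flags` for `--save-mark` and `--restore-mark` as well, so the text is misleading whenever any of the three is missing; `"CONNMARK target: one of --set-mark, --save-mark or --restore-mark is required"` describes the actual rule. For the same reason the three "Can't specify ... twice" checks in `parse` name the option that was just seen rather than the one given earlier, so `--set-mark 1 --save-mark` is rejected as "Can't specify --save-mark twice"; a single `"CONNMARK target: only one of --set-mark, --save-mark or --restore-mark may be given"` covers every combination correctly. The registration object `struct iptables_target mark` is a non-static global with a very generic name and `_init` is its only user, so `static struct iptables_target mark` keeps it out of the shared-object's exported symbols.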
Index: netfilter/userspace/extensions/libipt_connmark.c
===================================================================
RCS file: netfilter/userspace/extensions/libipt_connmark.c
diff -N netfilter/userspace/extensions/libipt_connmark.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/extensions/libipt_connmark.c 10 May 2001 06:55:50 -0000
@@ -0,0 +1,129 @@
+/* Shared library add-on to iptables to add CONNMARK matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <iptables.h>
+#include <linux/netfilter_ipv4/ipt_connmark.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"CONNMARK match v%s options:\n"
+"[!] --mark value[/mask] Match nfmark value with optional mask\n"
+"\n",
+NETFILTER_VERSION);
+}
+
+static struct option opts[] = {
+ { "mark", 1, 0, '1' },
+ {0}
+};
+
+/* Initialize the match. */
+static void
+init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+ /* Can't cache this. */
+ *nfcache |= NFC_UNKNOWN;
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ unsigned int *nfcache,
+ struct ipt_entry_match **match)
+{
+ struct ipt_connmark_info *markinfo = (struct ipt_connmark_info *)(*match)->data;
+
+ switch (c) {
+ char *end;
+ case '1':
+ if (check_inverse(optarg, &invert))
+ optind++;
+ markinfo->mark = strtoul(optarg, &end, 0);
+ if (*end == '/') {
+ markinfo->mask = strtoul(end+1, &end, 0);
+ } else
+ markinfo->mask = 0xffffffff;
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (invert)
+ markinfo->invert = 1;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void
+print_mark(unsigned long mark, unsigned long mask, int invert, int numeric)
+{
+ if (invert)
+ fputc('!', stdout);
+
+ if(mask != 0xffffffff)
+ printf("0x%lx/0x%lx ", mark, mask);
+ else
+ printf("0x%lx ", mark);
+}
+
+/* Final check; must have specified --mark. */
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "MARK match: You must specify `--mark'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match,
+ int numeric)
+{
+ printf("CONNMARK match ");
+ print_mark(((struct ipt_connmark_info *)match->data)->mark,
+ ((struct ipt_connmark_info *)match->data)->mask,
+ ((struct ipt_connmark_info *)match->data)->invert, numeric);
+}
+
+/* Saves the union ipt_matchinfo in parsable form to stdout. */
+static void
+save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
+{
+ printf("--mark ");
+ print_mark(((struct ipt_connmark_info *)match->data)->mark,
+ ((struct ipt_connmark_info *)match->data)->mask,
+ ((struct ipt_connmark_info *)match->data)->invert, 0);
+}
+
+struct iptables_match mark
+= { NULL,
+ "connmark",
+ NETFILTER_VERSION,
+ IPT_ALIGN(sizeof(struct ipt_connmark_info)),
+ IPT_ALIGN(sizeof(struct ipt_connmark_info)),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_match(&mark);
+}
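Review bot: In `parse`, the `if (*end != '\0' || end == optarg)` check runs only after the optional mask has been parsed and `end` has been moved past the `/`, so a value with no mark digits such as `/0xff` is accepted as mark 0 with mask 0xff, and `5/` with an empty mask is accepted as mask 0 because `strtoul` on an empty string leaves `end` at the terminator. Validate the mark before looking for the separator and the mask on its own, as in the rewrite below. Separately, `final_check` reports `"MARK match: You must specify `--mark'"`, which looks copied from the mark extension and should read `"CONNMARK match: You must specify `--mark'"`. The default mask `0xffffffff` is narrower than `unsigned long` on targets where long is 64 bits, so a mark with upper bits set could never be matched there; `~0UL` is the all-ones default for the field's actual type, if the kernel side is meant to carry full-width marks.
```c
	case '1':
		/* … unchanged: check_inverse / optind handling … */
		markinfo->mark = strtoul(optarg, &end, 0);
		if (end == optarg)
			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
		if (*end == '/') {
			char *maskstr = end + 1;
			markinfo->mask = strtoul(maskstr, &end, 0);
			if (end == maskstr)
				exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
		} else
			markinfo->mask = 0xffffffff;
		if (*end != '\0')
			exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
		/* … unchanged: invert flag, *flags = 1, break … */
```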
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch 10 May 2001 06:55:50 -0000
@@ -0,0 +1,220 @@
+diff -uN linux-2.4.3-pre3/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ip_conntrack.h
+--- linux-2.4.3-pre3/include/linux/netfilter_ipv4/ip_conntrack.h Fri Mar 9 21:43:28 2001
++++ linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ip_conntrack.h Wed Mar 21 13:20:37 2001
+@@ -147,6 +147,9 @@
+ } nat;
+ #endif /* CONFIG_IP_NF_NAT_NEEDED */
+
++#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
++ unsigned long mark;
++#endif
+ };
+
+ /* Alter reply tuple (maybe alter helper). If it's already taken,
+diff -uN --exclude .* --exclude *.o linux-2.4.3-pre3/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.3-pre3-uml/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- linux-2.4.3-pre3/net/ipv4/netfilter/ip_conntrack_standalone.c Thu Aug 10 21:35:15 2000
++++ linux-2.4.3-pre3-uml/net/ipv4/netfilter/ip_conntrack_standalone.c Wed Mar 21 13:04:19 2001
+@@ -92,6 +92,9 @@
+ len += sprintf(buffer + len, "[UNCONFIRMED] ");
+ len += sprintf(buffer + len, "use=%u ",
+ atomic_read(&conntrack->ct_general.use));
++#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
++ len += sprintf(buffer + len, "mark=%d ", conntrack->mark);
++#endif
+ len += sprintf(buffer + len, "\n");
+
+ return len;
+--- linux-2.4.4-pre1-hno/net/ipv4/netfilter/ip_conntrack_core.c Tue Apr 10 22:33:21 2001
++++ linux-2.4.4-pre1-uml/net/ipv4/netfilter/ip_conntrack_core.c Mon Apr 16 00:23:00 2001
+@@ -523,6 +523,9 @@
+ conntrack->status = IPS_EXPECTED;
+ conntrack->master.master = &expected->expectant->ct_general;
+ IP_NF_ASSERT(conntrack->master.master);
++#if CONFIG_IP_NF_CONNTRACK_MARK
++ conntrack->mark = expected->expectant->mark;
++#endif
+ LIST_DELETE(&expect_list, expected);
+ expected->expectant = NULL;
+ nf_conntrack_get(&conntrack->master);
+diff -uN linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_connmark.h
+--- linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_connmark.h Thu Jan 1 01:00:00 1970
++++ linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_connmark.h Wed Mar 21 11:38:46 2001
+@@ -0,0 +1,9 @@
++#ifndef _IPT_CONNMARK_H
++#define _IPT_CONNMARK_H
++
++struct ipt_connmark_info {
++ unsigned long mark, mask;
++ u_int8_t invert;
++};
++
++#endif /*_IPT_CONNMARK_H*/
+diff -uN --exclude .* --exclude *.o linux-2.4.3-pre3/net/ipv4/netfilter/ipt_connmark.c linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_connmark.c
+--- linux-2.4.3-pre3/net/ipv4/netfilter/ipt_connmark.c Thu Jan 1 01:00:00 1970
++++ linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_connmark.c Wed Mar 21 13:23:33 2001
+@@ -0,0 +1,55 @@
++/* Kernel module to match connection mark values. */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_connmark.h>
++#include <linux/netfilter_ipv4/ip_conntrack.h>
++
++static int
++match(const struct sk_buff *skb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *matchinfo,
++ int offset,
++ const void *hdr,
++ u_int16_t datalen,
++ int *hotdrop)
++{
++ const struct ipt_connmark_info *info = matchinfo;
++ enum ip_conntrack_info ctinfo;
++ struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
++ if (!ct)
++ return 0;
++
++ return ((ct->mark & info->mask) == info->mark) ^ info->invert;
++}
++
++static int
++checkentry(const char *tablename,
++ const struct ipt_ip *ip,
++ void *matchinfo,
++ unsigned int matchsize,
++ unsigned int hook_mask)
++{
++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
++ return 0;
++
++ return 1;
++}
++
++static struct ipt_match connmark_match
++= { { NULL, NULL }, "connmark", &match, &checkentry, NULL, THIS_MODULE };
++
++static int __init init(void)
++{
++ return ipt_register_match(&connmark_match);
++}
++
++static void __exit fini(void)
++{
++ ipt_unregister_match(&connmark_match);
++}
++
++module_init(init);
++module_exit(fini);
+diff -uN linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_CONNMARK.h
+--- linux-2.4.3-pre3/include/linux/netfilter_ipv4/ipt_CONNMARK.h Thu Jan 1 01:00:00 1970
++++ linux-2.4.3-pre3-uml/include/linux/netfilter_ipv4/ipt_CONNMARK.h Wed Mar 21 12:25:20 2001
+@@ -0,0 +1,15 @@
++#ifndef _IPT_CONNMARK_H_target
++#define _IPT_CONNMARK_H_target
++
++enum {
++ IPT_CONNMARK_SET = 0,
++ IPT_CONNMARK_SAVE,
++ IPT_CONNMARK_RESTORE
++};
++
++struct ipt_connmark_target_info {
++ unsigned long mark;
++ u_int8_t mode;
++};
++
++#endif /*_IPT_CONNMARK_H_target*/
+diff -uN --exclude .* --exclude *.o linux-2.4.3-pre3/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_CONNMARK.c
+--- linux-2.4.3-pre3/net/ipv4/netfilter/ipt_CONNMARK.c Thu Jan 1 01:00:00 1970
++++ linux-2.4.3-pre3-uml/net/ipv4/netfilter/ipt_CONNMARK.c Wed May 20 17:49:10 2001
+@@ -0,0 +1,87 @@
++/* This is a module which is used for setting/remembering the mark field of
++ * an connection, or optionally restore it to the skb
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <net/checksum.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
++#include <linux/netfilter_ipv4/ip_conntrack.h>
++
++static unsigned int
++target(struct sk_buff **pskb,
++ unsigned int hooknum,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *targinfo,
++ void *userinfo)
++{
++ const struct ipt_connmark_target_info *markinfo = targinfo;
++
++ enum ip_conntrack_info ctinfo;
++ struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
++ if (ct) {
++ switch(markinfo->mode) {
++ case IPT_CONNMARK_SET:
++ ct->mark = markinfo->mark;
++ break;
++ case IPT_CONNMARK_SAVE:
++ ct->mark = (*pskb)->nfmark;
++ break;
++ case IPT_CONNMARK_RESTORE:
++ if (ct->mark != (*pskb)->nfmark) {
++ (*pskb)->nfmark = ct->mark;
++ (*pskb)->nfcache |= NFC_ALTERED;
++ }
++ break;
++ }
++ }
++
++ return IPT_CONTINUE;
++}
++
++static int
++checkentry(const char *tablename,
++ const struct ipt_entry *e,
++ void *targinfo,
++ unsigned int targinfosize,
++ unsigned int hook_mask)
++{
++ struct ipt_connmark_target_info *matchinfo = targinfo;
++ if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
++ printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
++ targinfosize,
++ IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
++ return 0;
++ }
++
++ if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
++ if (strcmp(tablename, "mangle") != 0) {
++ printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
++ return 0;
++ }
++ }
++
++ return 1;
++}
++
++static struct ipt_target ipt_connmark_reg
++= { { NULL, NULL }, "CONNMARK", target, checkentry, NULL, THIS_MODULE };
++
++static int __init init(void)
++{
++ if (ipt_register_target(&ipt_connmark_reg))
++ return -EINVAL;
++
++ return 0;
++}
++
++static void __exit fini(void)
++{
++ ipt_unregister_target(&ipt_connmark_reg);
++}
++
++module_init(init);
++module_exit(fini);
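Review bot: In the `ip_conntrack_standalone.c` part of this hunk, `mark` is declared `unsigned long` in the `ip_conntrack.h` part but is printed with `"mark=%d "`, which is the wrong conversion for that type and misreports the value (and misaligns the vararg list) on targets where long is wider than int; use `"mark=%lu "`. The `ip_conntrack_core.c` part guards its line with `#if CONFIG_IP_NF_CONNTRACK_MARK` while the other two use `#if defined(CONFIG_IP_NF_CONNTRACK_MARK)`; with a `bool` option the symbol is defined as 1 so both agree today, but the mixed style is fragile and `#if defined(...)` should be used in all three places. In `ipt_connmark.c`, `match` casts away the `const` on `skb` to call `ip_conntrack_get`, which deserves at least a comment such as `/* ip_conntrack_get takes a non-const skb but does not modify it */` so the cast is not mistaken for an oversight. In `ipt_CONNMARK.c`, `checkentry` validates `targinfosize` and the RESTORE-only-in-mangle rule but never `mode` itself, so an unrecognised mode from a mismatched userspace extension is accepted and silently falls through the `switch` in `target`; rejecting anything other than `IPT_CONNMARK_SET`, `IPT_CONNMARK_SAVE` and `IPT_CONNMARK_RESTORE` there, with a `printk(KERN_WARNING ...)`, gives a clear error at rule-insertion time instead.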
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in 10 May 2001 06:55:50 -0000
@@ -0,0 +1,2 @@
+ dep_tristate ' FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
+ bool ' Connection mark tracking support' CONFIG_IP_NF_CONNTRACK_MARK
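Review bot: `CONFIG_IP_NF_CONNTRACK_MARK` is declared with a plain `bool`, so it can be enabled while `CONFIG_IP_NF_CONNTRACK` is off; the `config.in-2` and `config.in-3` hunks then offer the CONNMARK target and connmark match whenever the mark option is not `n`, and both of those modules call `ip_conntrack_get` and so presumably cannot link without conntrack. Making the option depend on conntrack, `dep_bool ' Connection mark tracking support' CONFIG_IP_NF_CONNTRACK_MARK $CONFIG_IP_NF_CONNTRACK`, closes that gap; alternatively add `$CONFIG_IP_NF_CONNTRACK` to the two `dep_tristate` lines so the dependency is expressed at the module level.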
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-2
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-2
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-2
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-2 10 May 2001 06:55:50 -0000
@@ -0,0 +1,4 @@
+ dep_tristate ' LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
+ dep_tristate ' CONNMARK target support' CONFIG_IP_NF_TARGET_CONNMARK $CONFIG_IP_NF_IPTABLES
+ fi
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-3
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-3
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-3
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch.config.in-3 10 May 2001 06:55:50 -0000
@@ -0,0 +1,4 @@
+ dep_tristate ' Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+ if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
+ dep_tristate ' Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
+ fi
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch.configure.help
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch.configure.help
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch.configure.help
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch.configure.help 10 May 2001 06:55:50 -0000
@@ -0,0 +1,22 @@
+CONFIG_IP_NF_FTP
+Per connection mark support
+CONFIG_IP_NF_CONNTRACK_MARK
+ This option enables support for connection marks, used by the
+ `CONNMARK' target and `connmark' match. Similar to the mark value
+ of packets, but this mark value is kept in the conntrack session
+ instead of the individual packets.
+
+CONNMARK target support
+CONFIG_IP_NF_TARGET_CONNMARK
+ This option adds a `CONNMARK' target, which allows one to manipulate
+ the connection mark value. Similar to the MARK target, but
+ affects the connection mark value rather than the packet mark value.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. The module will be called
+ ipt_CONNMARK.o. If unsure, say `N'.
+
+connmark match support
+CONFIP_IP_NF_MATCH_CONNMARK
+ This option adds a `connmark' match, which allows you to match the
+ connection mark value previously set for the session by `CONNMARK'.
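Review bot: The help key for the match, `CONFIP_IP_NF_MATCH_CONNMARK`, does not match the symbol `CONFIG_IP_NF_MATCH_CONNMARK` declared in the `config.in-3` hunk and used in the makefile hunk, so the help text would not be associated with that option. It should read `CONFIG_IP_NF_MATCH_CONNMARK`.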
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch.help
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch.help
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch.help
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch.help 10 May 2001 06:55:50 -0000
@@ -0,0 +1,35 @@
+Author: Henrik Nordstrom <hno@marasystems.com>
+Status: working
+
+This patch adds per connection marks, and a target (CONNMARK)
+respective a match (connmark) for using these.
+
+Usage:
+
+ connmark
+ This module matches the netfilter mark field associated
+ with a connection (which can be set using the CONNMARK
+ target below).
+
+ --mark value[/mask]
+ Matches packets in connections with the given
+ unsigned mark value (if a mask is specified, this
+ is logically ANDed with the mark before the compar
+ ison).
+
+
+ CONNMARK
+ This is used to set the netfilter mark value associated
+ with the connection
+
+ --set-mark mark
+ Set connection mark
+
+ --save-mark
+ Set connection mark to the same as the one on the
+ packet
+
+ --restore-mark
+ Set the netfilter packet mark value to the one
+ associated with the connection. This is only valid
+ in the mangle table.
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile 10 May 2001 06:55:50 -0000
@@ -0,0 +1,2 @@
+obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
Index: netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile-2
===================================================================
RCS file: netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile-2
diff -N netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile-2
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ netfilter/userspace/patch-o-matic/CONNMARK.patch.makefile-2 10 May 2001 06:55:50 -0000
@@ -0,0 +1,2 @@
+obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
--------------Boundary-00=_EMZ8U8P4FSZV0RB7SH0P--