Differences between -j MARK and -j CONNMARK
Vinod Chandran
vinod_chandran at multitech.co.in
Fri Feb 11 11:05:36 CET 2005
Hi,
As far as I know, CONNMARK sets the mark value of the connection tracking
entry, while MARK sets the mark value of the packet.
Omar Garcia wrote:
>Hi list,
>
>What's the difference between these two groups of rules?
>In the first I use MARK --set-mark to mark packets and in the other I use CONNMARK --set-mark.
>
>1.
> # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
> # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
> # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j MARK --set-mark 30
> # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j MARK --set-mark 30
> # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
> >>>> Here you are changing the mark value of the packet while the mark value of the connection tracking entry remains the same. The mark value is applicable to the current packet.
>
>
>2.
> # iptables -I POSTROUTING -t mangle -j CONNMARK --restore-mark
> # iptables -I POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
> # iptables -I POSTROUTING -t mangle -m ipp2p --ipp2p -j CONNMARK --set-mark 30
> # iptables -I POSTROUTING -t mangle -m ipp2p --bit -j CONNMARK --set-mark 30
> # iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
>
> >>>> Here the mark value of the conntrack entry is changed, which is applied from the next packet onwards.
>
>
>Regards.
>Thanks
>
>
>
Enjoi,
Vinod
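The point made above (MARK changes only the current packet's nfmark, CONNMARK --set-mark changes the conntrack entry's ctmark, and CONNMARK --restore-mark/--save-mark copy between the two) can be traced with a small model. The following is an added example by the editor, not code from the thread or from netfilter: it simulates the two rulesets as a chain of Python functions over one connection carrying three p2p packets. Two assumptions are made for the model. First, the rules are evaluated top to bottom in the order the post lists them (as if added with -A); note that the post actually uses iptables -I, which inserts each rule at the head of the chain, so the live chain order would be the reverse of the listing. Second, the two ipp2p rules (--ipp2p and --bit) are collapsed into one match, since both have the same target. A third chain, the CONNMARK ruleset without its trailing --save-mark, is included to show the "next packet onwards" behaviour, and the sample packets are constructed inline.

```python
"""Toy model of netfilter packet marks (nfmark) vs. conntrack marks (ctmark).

Constructed for illustration only; it is not iptables code. Each rule is a
function that may modify the packet, modify the connection, or return
"ACCEPT" to stop chain traversal for that packet.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    """Conntrack entry: one mark shared by every packet of the flow."""
    mark: int = 0


@dataclass
class Packet:
    """One packet: its own nfmark plus a flag standing in for the ipp2p match."""
    is_p2p: bool
    mark: int = 0


# --- rules: return None to continue, or "ACCEPT" to stop --------------------

def connmark_restore(pkt, ct):          # -j CONNMARK --restore-mark
    pkt.mark = ct.mark                  # ctmark -> nfmark of this packet


def connmark_save(pkt, ct):             # -j CONNMARK --save-mark (no --mask,
    ct.mark = pkt.mark                  # so the whole ctmark is overwritten)


def accept_if_marked(pkt, ct):          # -m mark ! --mark 0 -j ACCEPT
    if pkt.mark != 0:
        return "ACCEPT"
    return None


def mark_p2p(pkt, ct):                  # -m ipp2p ... -j MARK --set-mark 30
    if pkt.is_p2p:
        pkt.mark = 30                   # only this packet is touched


def connmark_p2p(pkt, ct):              # -m ipp2p ... -j CONNMARK --set-mark 30
    if pkt.is_p2p:
        ct.mark = 30                    # only the conntrack entry is touched


def run_chain(chain, packets):
    """Push the packets of one connection through `chain`.

    Returns (nfmark of each packet after the chain, final ctmark)."""
    ct = Conn()
    seen = []
    for pkt in packets:
        for rule in chain:
            if rule(pkt, ct) == "ACCEPT":
                break
        seen.append(pkt.mark)
    return seen, ct.mark


# Rulesets in the order the post lists them (assumption: appended order).
RULESET_MARK = [connmark_restore, accept_if_marked, mark_p2p, connmark_save]
RULESET_CONNMARK = [connmark_restore, accept_if_marked, connmark_p2p, connmark_save]
# Same as ruleset 2 but without the trailing --save-mark.
RULESET_CONNMARK_NO_SAVE = [connmark_restore, accept_if_marked, connmark_p2p]


def p2p_flow(n=3):
    """Constructed sample: n packets of one connection that ipp2p would match."""
    return [Packet(is_p2p=True) for _ in range(n)]


if __name__ == "__main__":
    for name, chain in [("1. MARK + save", RULESET_MARK),
                        ("2. CONNMARK + save", RULESET_CONNMARK),
                        ("2b. CONNMARK, no save", RULESET_CONNMARK_NO_SAVE)]:
        marks, ctmark = run_chain(chain, p2p_flow())
        print(f"{name:<22} packet marks={marks}  final ctmark={ctmark}")
```

Ruleset 1 marks the first p2p packet directly and --save-mark stores 30 in the conntrack entry, so every later packet gets 30 back from --restore-mark and is accepted early. Ruleset 2, evaluated in the listed order, sets ctmark to 30 but leaves the current packet's nfmark at 0, and the trailing --save-mark then copies that 0 back over the conntrack entry, so nothing ever stays marked. Drop the --save-mark and the CONNMARK variant behaves as described in the reply: the packet that triggered the match stays unmarked, and the mark takes effect from the next packet onwards.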
More information about the netfilter mailing list