Request for knowledge update regarding mark and connmark

Marc Haber mh+netfilter at
Wed Apr 6 19:25:21 CEST 2005


I haven't been following netfilter development for a while. My
production boxes are Debian woody and thus do not have very current
netfilter, but sometimes I snoop into later versions trying to see
what's cooking.

I am currently a little bit confused by the appearance of connmark.
The mechanism looks suspiciously similar to the normal packet mark
mechanism, but is applied to entire connections. How do I use this? Is
it like allowing and denying connections? Do I put a mark on the
connection at the initial packet and the appropriate match will match
on all packets bearing this connection mark? What will packets do that
belong to a RELATED connection? Do they also have the connection mark
of the main connection?

Are there any docs, examples, best-current-practice descriptions about
when to use packet marking and when connection marking?

Additionally, I have always been very reluctant with marking since the
numeric mark seems so prone to collide when packet marking is used
for different purposes. I would like to hear how other people handle
this, maybe even look at some rulesets using marking.

Thanks for enlightening.
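One way to put the mechanism the question describes into an actual ruleset, as an added example (this is not Marc Haber's code and not a ruleset shipped by the netfilter project): the connection mark is set once, on the first packet of a connection that has no mark yet, and every later packet has it copied back with --restore-mark. The 32-bit mark is split into bit fields with masks so that marks used for QoS and marks used for policy routing cannot collide, which addresses the collision worry in the last paragraph. Assumed, not taken from the post: iptables with mask support in the MARK/CONNMARK targets and matches (--set-mark value/mask, --restore-mark --mask), iproute2 that accepts fwmark masks in ip rule and tc fw filters, eth1 as the LAN-facing interface, a routing table named dsl, and the QoS and routing field layout chosen here. The ruleset does not depend on RELATED connections inheriting the mark of their master: any connection whose field is still zero is simply classified on its own first packet.

```shell
#!/bin/sh
# Added example, not part of the original post. Partition the 32-bit mark
# into fields so that different users of marking cannot collide, and use
# CONNMARK so a decision made on a connection's first packet is restored
# onto every later packet of that connection.
# Assumptions (constructed for this example): eth1 is the LAN side, the
# policy-routing table is called "dsl", and the rules are loaded with
# "iptables-restore < file".

# Field layout: bits 0-7 carry the QoS class, bits 8-15 select a routing
# table. A consumer only ever reads or writes its own field.
QOS_MASK=0x000000ff
ROUTE_MASK=0x0000ff00
BOTH_MASK=0x0000ffff

# Values inside each field (constructed for this example).
QOS_SSH=0x01            # interactive traffic
QOS_BULK=0x02           # bulk transfers
ROUTE_VIA_DSL=0x0100    # routing field value 1 -> table "dsl"

# fields_disjoint: succeed only when the two masks share no bit.
fields_disjoint() {
    [ $(( QOS_MASK & ROUTE_MASK )) -eq 0 ]
}

# mark_fits VALUE MASK: succeed when VALUE uses only bits inside MASK.
# Run this before assigning a new mark value to a field.
mark_fits() {
    [ $(( $1 & ~$2 )) -eq 0 ]
}

# Emit the mangle table in iptables-restore format. Order matters:
# classification sets the connection mark once (the field is still 0 on
# the first packet), then the final rule copies the connection mark onto
# the packet so that all later packets, first packet included, carry it.
connmark_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# QoS field: classify connections that have no class yet, never overwrite.
-A PREROUTING -m connmark --mark 0/$QOS_MASK -p tcp --dport 22 -j CONNMARK --set-mark $QOS_SSH/$QOS_MASK
-A PREROUTING -m connmark --mark 0/$QOS_MASK -p tcp --dport 80 -j CONNMARK --set-mark $QOS_BULK/$QOS_MASK
# Routing field: LAN-originated connections leave via the dsl table.
-A PREROUTING -i eth1 -m connmark --mark 0/$ROUTE_MASK -j CONNMARK --set-mark $ROUTE_VIA_DSL/$ROUTE_MASK
# Copy both fields from the connection onto this packet; other bits of
# the packet mark are left untouched because of the mask.
-A PREROUTING -j CONNMARK --restore-mark --mask $BOTH_MASK
COMMIT
EOF
}

# Emit the commands of the two consumers, each reading only its own field.
consumer_commands() {
    cat <<EOF
ip rule add fwmark $ROUTE_VIA_DSL/$ROUTE_MASK table dsl
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle $QOS_SSH/$QOS_MASK fw flowid 1:10
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle $QOS_BULK/$QOS_MASK fw flowid 1:20
EOF
}

# Sanity checks before printing anything: fields must not overlap and
# every value must live inside its field.
fields_disjoint || { echo "mark fields overlap" >&2; exit 1; }
for pair in "$QOS_SSH $QOS_MASK" "$QOS_BULK $QOS_MASK" "$ROUTE_VIA_DSL $ROUTE_MASK"; do
    set -- $pair
    mark_fits "$1" "$2" || { echo "mark $1 does not fit mask $2" >&2; exit 1; }
done

connmark_rules
consumer_commands
```

Load the first part with iptables-restore and run the ip rule and tc lines afterwards. Adding a third user of marks means picking a fresh field mask, checking it with fields_disjoint-style arithmetic against the existing ones, and having that user restore and match only with its own mask.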


