conntrack and connmark

rhine2 · 11-23-2009, 03:45 PM

I am little confused with Netfilter marks and iptables CONNMARK. Please help clear the understanding.

example:
iptables -t mangle -A mychain -j CONNMARK --restore-mark --mask 0xff
iptables -t mangle -A mychain -m connmark !--mark 0/0xff00 -j RETURN

The first one is CONNMARK target is trying to restore the "mark" made by what? Is it connection tracking? But markings are not done at ip_conntrack is it? packet marking is done at the iptables - right? I am confused

Also, the second one in the rule, it is trying to match a mark if it is non-zero and if there is a match it returns? Please help untangle my misunderstanding.

nimnull22 · 11-23-2009, 04:28 PM

May be that http://www.frozentux.net/documents/iptables-tutorial/, helps you.

rhine2 · 11-23-2009, 09:59 PM

Quote:

Originally Posted by nimnull22

May be that http://www.frozentux.net/documents/iptables-tutorial/, helps you.

Not really. Doesn't explain what I want.

nimnull22 · 11-23-2009, 10:37 PM

I don't know but, if you prefer I show you:

Option: --restore-mark
Explanation: This target option restores the packet mark from the connection mark as defined by the CONNMARK.

English is not my native language, but I understood.

rhine2 · 11-23-2009, 11:02 PM

You didn't read/understand properly what I am asking. I am asking what is this "mark" it is trying to restore? Where is this mark come from? What process puts the mark on the packet? What is the basis of this mark?

rhine2 · 11-24-2009, 11:39 PM

No one knows the answer? Strange!

landysaccount · 11-25-2009, 08:05 AM

Post your entire script so we can take a look at it.