Hi all!

On http://lartc.org/howto/lartc.adv-filter.html I read that one of the available classifiers bases its decision on how the firewall has marked the packet, and on http://lartc.org/howto/lartc.qdisc.filters.html I found the following example:

"tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1"
"iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6"

My question is:

Does there currently exist a way to build a classifier based on the netfilter mark value associated with a connection, instead of the netfilter mark value associated with the packet?

Thanks in advance

Salute
Frank Abel
__________________________________________
XIII Convención Científica de Ingeniería y Arquitectura
28 November to 1 December 2006
Cujae, Ciudad de la Habana, Cuba
http://www.cujae.edu.cu/eventos/convencion
On Monday 19 June 2006 23:24, Frank Abel Cancio Bello wrote:
> Hi all!
>
> On http://lartc.org/howto/lartc.adv-filter.html I read that one of the available
> classifiers bases its decision on how the firewall has marked the packet, and
> on http://lartc.org/howto/lartc.qdisc.filters.html I found the following example:
>
> "tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1"
> "iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6"
>
> My question is:
>
> Does there currently exist a way to build a classifier based on the netfilter
> mark value associated with a connection, instead of the netfilter mark value
> associated with the packet?

yes, iptables CONNMARK associates MARKs with conntrack'ed connections.

It has been in the kernel's mainline since 2.6.12; you can find some introductory information [1] on the internet, or do man iptables for further information.

[1] http://home.regit.org/?page_id=7

--
Luciano
On Monday 19 June 2006 10:55 pm, Luciano Ruete wrote:
> On Monday 19 June 2006 23:24, Frank Abel Cancio Bello wrote:
> > Hi all!
> >
> > On http://lartc.org/howto/lartc.adv-filter.html I read that one of the
> > available classifiers bases its decision on how the firewall has marked
> > the packet, and on http://lartc.org/howto/lartc.qdisc.filters.html I
> > found the following example:
> >
> > "tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1"
> > "iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6"
> >
> > My question is:
> >
> > Does there currently exist a way to build a classifier based on the
> > netfilter mark value associated with a connection, instead of the
> > netfilter mark value associated with the packet?
>
> yes, iptables CONNMARK associates MARKs with conntrack'ed connections.
>
> It has been in the kernel's mainline since 2.6.12; you can find some
> introductory information [1] on the internet, or do man iptables for
> further information.
>
> [1] http://home.regit.org/?page_id=7

Thanks!

It all seems that it is impossible to make a tc filter with connmark directly.

Salute
Frank Abel
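The reply above points at CONNMARK, and the follow-up concludes that tc's fw filter cannot read the connection mark directly. The usual way to bridge the two is to let the connection carry the mark and copy it back onto every packet with `CONNMARK --restore-mark`, so the existing `fw` classifier keeps working unchanged. The script below is an added example, not code from the thread or from the LARTC HOWTO. It reuses the thread's mark 6, class 1:1 and interfaces eth0/eth1; the source network 10.0.0.0/24 is a constructed selector, and the script assumes a qdisc with handle 1: and a class 1:1 already exist on eth1. The rules are emitted as text so they can be reviewed (or diffed against a saved ruleset) without root; `apply` pipes them into the shell.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: mark a connection once with
# CONNMARK, restore that mark onto every packet of the connection, and let
# tc's "fw" classifier act on the restored packet mark.
# Assumptions: LAN_IF is the ingress side, WAN_IF carries the qdisc "1:"
# with class 1:1 (both from the thread's example); SRC_NET is a constructed
# sample selector for the connections we want to classify.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
MARK=6
CLASS="1:1"
SRC_NET="${SRC_NET:-10.0.0.0/24}"

# Netfilter side. Order matters:
#  1. copy the connection mark (if any) onto the packet
#  2. packets that now carry a mark are already classified; stop here
#  3. otherwise mark the packet based on its first-packet selector
#  4. save that packet mark into the connection so later packets get it in step 1
connmark_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -i $LAN_IF -s $SRC_NET -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -s $SRC_NET -j CONNMARK --save-mark
EOF
}

# tc side: unchanged fw classifier, now fed by the restored packet mark.
tc_rules() {
    cat <<EOF
tc filter add dev $WAN_IF protocol ip parent 1:0 prio 1 handle $MARK fw flowid $CLASS
EOF
}

# Sanity helper: number of emitted rules that touch the connection mark.
count_connmark_rules() {
    connmark_rules | grep -c CONNMARK
}

case "${1:-print}" in
    print) connmark_rules; tc_rules ;;
    apply) { connmark_rules; tc_rules; } | sh -e ;;   # needs root, iptables and tc
    *)     echo "usage: $0 [print|apply]" >&2 ;;
esac
```

Run it without arguments to see the rules; `sh script.sh apply` installs them. Step 2 (`-m mark ! --mark 0 -j ACCEPT`) is what makes the selector in step 3 run only on the first packet of a connection: once the mark is saved, every later packet in either direction is classified by the restored mark alone, which is the per-connection behaviour the original question asked for.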