LARTC - Nov 2005 - ftp connmark

I saw this snippet from 
Daniel Chemko dchemko@smgtec.com 
Mon, 31 May 2004 09:30:43 -0700 


# Egress marking (mostly for QOS operations)
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK
--set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark



I want to mark many packets, including FTP.

So above these lines, I have a few more lines in my script. Like the
following...

iptables -t mangle -A POSTROUTING  -p icmp -j MARK --set-mark 0x110

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK
--set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

So, when an ICMP packet comes to the 2nd (''restore-mark'')
line, it is already marked with 0x110. Will the restore-mark mark the packet
with 0 since there is no connmark set for ICMP? Or it will leave the packet
untouched?
In that case, I can not redirect the ICMP packet to the class I defined for it. 
What is the solution for this issue? What to do if I have different
classification marks, some use connmark and some does not(just fw mark)?

regards
Salim



_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

The line:
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
Will cause the packet to not be processed any ruther if the mark is not 0.
You can place this rule after any --set-mark rules you don''t want to
change
or save.  After every mark, or group of similar marks, that you do want to
save; I suggest adding:
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
so the mark gets set, saved, and then no longer modified. Plenty of other
ways to do this, but I think you can get the basic idea? Using these 2 lines
you can prevent further processing of marked packets at any point in the
chain, and optionally save to the connection before hand.

- Jody

On 11/24/05, Salim <salim.si@askey.com.tw> wrote:
>
> I saw this snippet from
> *Daniel Chemko *dchemko@smgtec.com <dchemko%40smgtec.com>
> *Mon, 31 May 2004 09:30:43 -0700*
>
>
> # Egress marking (mostly for QOS operations)
> iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK
> --set-mark 0x111
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
>
> I want to mark many packets, including FTP.
>
> So above these lines, I have a few more lines in my script. Like the
> following...
>
> *iptables -t mangle -A POSTROUTING  -p icmp -j MARK --set-mark 0x110*
> **
> iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK
> --set-mark 0x111
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> So, when an ICMP packet comes to the 2nd (''restore-mark'')
line, it is
> already marked with 0x110. Will the restore-mark mark the packet with 0
> since there is no connmark set for ICMP? Or it will leave the packet
> untouched?
> In that case, I can not redirect the ICMP packet to the class I defined
> for it.
> What is the solution for this issue? What to do if I have different
> classification marks, some use connmark and some does not(just fw mark)?
>
> regards
> Salim
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
>

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc