Книга: Iptables Tutorial 1.2.2
CONNMARK target
CONNMARK target
The CONNMARK target is used to set a mark on a whole connection, much the same way as the MARK target does. It can then be used together with the connmark match to match the connection in the future. For example, say we see a specific pattern in a header, and we don't want to mark just that packet, but the whole connection. The CONNMARK target is a perfect solution in that case.
The CONNMARK target is available in all chains and all tables, but remember that the nat table is only traversed by the first packet in a connection, so the CONNMARK target will have no effect if you try to use it for subsequent packets after the first one in here. It can take one of four different options as seen below.
Table 11-3. CONNMARK target options
Option | --set-mark |
Example | iptables -t nat -A PREROUTING -p tcp --dport 80 -j CONNMARK --set-mark 4 |
Explanation | This option sets a mark on the connection. The mark can be an unsigned long int, which means values between 0 and 4294967295l is valid. Each bit can also be masked by doing --set-mark 12/8. This will only allow the bits in the mask to be set out of all the bits in the mark. In this example, only the 4th bit will be set, not the 3rd. 12 translates to 1100 in binary, and 8 to 1000, and only the bits set in the mask are allowed to be set. Hence, only the 4th bit, or 8, is set in the actual mark. |
Option | --save-mark |
Example | iptables -t mangle -A PREROUTING --dport 80 -j CONNMARK --save-mark |
Explanation | The --save-mark target option is used to save the packet mark into the connection mark. For example, if you have set a packet mark with the MARK target, you can then move this mark to mark the whole connection with the --save-mark match. The mark can also be masked by using the --mask option described further down. |
Option | --restore-mark |
Example | iptables -t mangle -A PREROUTING --dport 80 -j CONNMARK --restore-mark |
Explanation | This target option restores the packet mark from the connection mark as defined by the CONNMARK. A mask can also be defined using the --mask option as seen below. If a mask is set, only the masked options will be set. Note that this target option is only valid for use in the mangle table. |
Option | --mask |
Example | iptables -t mangle -A PREROUTING --dport 80 -j CONNMARK --restore-mark --mask 12 |
Explanation | The --mask option must be used in unison with the --save-mark and --restore-mark options. The --mask option specifies an and-mask that should be applied to the mark values that the other two options will give. For example, if the restored mark from the above example would be 15, it would mean that the mark was 1111 in binary, while the mask is 1100. 1111 and 1100 equals 1100. |
Note Works under Linux kernel 2.6.
- ACCEPT target
- CLASSIFY target
- CLUSTERIP target
- CONNMARK target
- CONNSECMARK target
- DNAT target
- DROP target
- DSCP target
- ECN target
- LOG target options
- MARK target
- MASQUERADE target
- MIRROR target
- NETMAP target
- NFQUEUE target
- NOTRACK target
- QUEUE target
- REDIRECT target
- REJECT target
- RETURN target
- SAME target
- SECMARK target
- SNAT target
- TCPMSS target
- TOS target
- TTL target
- ULOG target
- What's next?