On Fri, 26 Oct 2001, Manon F. Goo wrote:
>
> >
> > Aha, RGB! a customer for the skb->{security,ipcb,fwmark} mechanism.
> > Well maybe.
> > skb->security (16-bit)
> > skb->nfmark (much contention for this field)
>
> is it planned to be able to set nfmark value per connection for later
> processing with iptables ?
There is an iptables module called CONNMARK for this purpose :)
you mark the connection with a mark and all packets in that connection
inherit that mark. But I don't think CONNMARK is part of the patch-o-matic
:( So you'll have to search the netfilter-devel archives I think.
Ahh I actually had the patch here... it's a patch against the netfilter
CVS, it's probably not up to date so you might have to apply some hunks by
hand. And there's a bug in this patch...
++ case IPT_CONNMARK_SAVE:
++ ct->mark = (*pskb)->nfmark;
++ break;
that should read
++ case IPT_CONNMARK_SAVE:
++ (*pskb)->nfmark = ct->mark;
++ break;
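Review bot: the suggested correction reverses the direction of the copy under IPT_CONNMARK_SAVE, and that direction deserves a second look before the change is applied by hand. In the original form (`ct->mark = (*pskb)->nfmark;`) the packet's mark is stored into the connection, which is what a case named SAVE suggests; the proposed form (`(*pskb)->nfmark = ct->mark;`) copies the connection mark onto the packet, which reads like a restore operation. Compare it with the RESTORE case of the same switch in the patch: if that case already does `(*pskb)->nfmark = ct->mark;`, the change would make SAVE and RESTORE identical and leave no way to store a packet's mark into the connection.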
I've never actually used it but people have said that it works :)
Good luck!
/Martin
Never argue with an idiot. They drag you down to their level, then beat you
with experience.
netfilter-CONNMARK.patch
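The mechanism Martin describes (mark a connection once and every later packet in it inherits the mark) as an added C model; this is not code from the CONNMARK patch or from netfilter. It uses tiny stand-in structures for sk_buff and ip_conntrack that keep only the nfmark and mark fields the target touches, a toy conntrack table that maps both directions of a flow to one entry, and three assumed modes SET, SAVE and RESTORE, with SAVE copying the packet mark into the connection and RESTORE copying it back onto later packets. Which way SAVE should copy is exactly what the message above disputes, so treat the direction chosen here as this example's assumption and check it against the version of the patch you have.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the kernel structures the CONNMARK patch touches;
 * only the fields relevant to marking are modelled (assumption). */
struct sk_buff {
    unsigned int saddr, daddr;     /* flow endpoints (constructed values) */
    unsigned short sport, dport;
    unsigned long nfmark;          /* per-packet mark, skb->nfmark */
};

struct ip_conntrack {
    unsigned int a_addr, b_addr;   /* tuple stored in a fixed order so that */
    unsigned short a_port, b_port; /* both directions of a flow share one entry */
    unsigned long mark;            /* per-connection mark, ct->mark */
    int in_use;
};

#define CT_TABLE_SIZE 16
static struct ip_conntrack ct_table[CT_TABLE_SIZE];

void ct_table_reset(void) { memset(ct_table, 0, sizeof ct_table); }

/* Find or create the conntrack entry for skb. Real conntrack keys on the
 * original and reply tuples; this toy orders the endpoints instead. */
static struct ip_conntrack *ip_conntrack_get(const struct sk_buff *skb)
{
    unsigned int a_addr = skb->saddr, b_addr = skb->daddr;
    unsigned short a_port = skb->sport, b_port = skb->dport;
    if (a_addr > b_addr || (a_addr == b_addr && a_port > b_port)) {
        unsigned int ta = a_addr; a_addr = b_addr; b_addr = ta;
        unsigned short tp = a_port; a_port = b_port; b_port = tp;
    }
    for (int i = 0; i < CT_TABLE_SIZE; i++) {
        struct ip_conntrack *ct = &ct_table[i];
        if (ct->in_use && ct->a_addr == a_addr && ct->b_addr == b_addr &&
            ct->a_port == a_port && ct->b_port == b_port)
            return ct;
    }
    for (int i = 0; i < CT_TABLE_SIZE; i++) {
        struct ip_conntrack *ct = &ct_table[i];
        if (!ct->in_use) {
            ct->in_use = 1;
            ct->a_addr = a_addr; ct->b_addr = b_addr;
            ct->a_port = a_port; ct->b_port = b_port;
            ct->mark = 0;
            return ct;
        }
    }
    return NULL;   /* table full */
}

/* Modes assumed for the target; only IPT_CONNMARK_SAVE appears in the thread. */
enum connmark_mode { IPT_CONNMARK_SET, IPT_CONNMARK_SAVE, IPT_CONNMARK_RESTORE };

/* Core of the target. Returns 0, or -1 if the packet has no conntrack entry. */
int connmark_target(struct sk_buff *skb, enum connmark_mode mode, unsigned long mark)
{
    struct ip_conntrack *ct = ip_conntrack_get(skb);
    if (!ct) return -1;
    switch (mode) {
    case IPT_CONNMARK_SET:     ct->mark = mark;        break;
    case IPT_CONNMARK_SAVE:    ct->mark = skb->nfmark; break; /* packet -> connection */
    case IPT_CONNMARK_RESTORE: skb->nfmark = ct->mark; break; /* connection -> packet */
    }
    return 0;
}

/* Walk one constructed TCP flow: the first packet already carries mark 5
 * (as if a MARK rule had set it) and SAVE stores it in the connection; the
 * reply packet starts with nfmark 0 and picks the mark up via RESTORE, while
 * a packet of an unrelated flow stays at 0. Returns the reply's final mark. */
unsigned long demo_flow(void)
{
    ct_table_reset();
    struct sk_buff first = { 0x0a000001, 0x0a000002, 40000, 80, 0x5 };
    struct sk_buff reply = { 0x0a000002, 0x0a000001, 80, 40000, 0 };
    struct sk_buff other = { 0x0a000003, 0x0a000002, 40001, 80, 0 };

    connmark_target(&first, IPT_CONNMARK_SAVE, 0);    /* ct->mark becomes 5 */
    connmark_target(&reply, IPT_CONNMARK_RESTORE, 0); /* reply inherits 5 */
    connmark_target(&other, IPT_CONNMARK_RESTORE, 0); /* unrelated flow stays 0 */

    printf("reply nfmark=%lu other nfmark=%lu\n", reply.nfmark, other.nfmark);
    return reply.nfmark;
}

int main(void) { return demo_flow() == 5 ? 0 : 1; }
```

Run it and the reply packet reports nfmark 5 while the unrelated flow reports 0; swapping the two assignments in the SAVE and RESTORE cases makes the reply stay at 0, which is a quick way to see what the disputed direction changes.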