Connmark target

vila at tesla.cujae.edu.cu vila at tesla.cujae.edu.cu
Sat Jun 6 17:15:52 UTC 2009


Ermal Luçi <eri at freebsd.org> wrote:

> On Sat, Jun 6, 2009 at 6:49 PM, <vila at tesla.cujae.edu.cu> wrote:
>> Vlad Galu <dudu at dudu.ro> wrote:
>>
>>> On Sat, Jun 6, 2009 at 5:57 AM, <vila at tesla.cujae.edu.cu> wrote:
>>>>
>>>> Hi folks!
>>>>
>>>> I'm trying to figure out if there is a way to do connection marking in a
>>>> similar way to what the iptables CONNMARK target does.
>>>>
>>>> Does pf support this feature?
>>>>
>>>> My intention is to tag an outgoing packet, transfer the tag to the whole
>>>> connection and then use that tag to mark incoming packets belonging to the
>>>> same connection.
>>>>
>>>> Also, I would then like to use that mark to enqueue marked packets into
>>>> hfsc classes.
>>>>
>>>> I've done all of this on Linux but never on FreeBSD. I've searched pf's
>>>> man page and the FAQ without success.
>>>>
>>>> Thanks in advance,
>>>>
>>>> evelio vila
>>>
>>>   Hi evelio, see below:
>>> -- cut here --
>>>     tag <string>
>>>           Packets matching this rule will be tagged with the specified
>>>           string.  The tag acts as an internal marker that can be used to
>>>           identify these packets later on.  This can be used, for example, to
>>>           provide trust between interfaces and to determine if packets have
>>>           been processed by translation rules.  Tags are "sticky", meaning
>>>           that the packet will be tagged even if the rule is not the last
>>>           matching rule.  Further matching rules can replace the tag with a
>>>           new one but will not remove a previously applied tag.  A packet is
>>>           only ever assigned one tag at a time.  Packet tagging can be done
>>>           during nat, rdr, or binat rules in addition to filter rules.  Tags
>>>           take the same macros as labels (see above).
>>>
>>>     tagged <string>
>>>           Used with filter or translation rules to specify that packets must
>>>           already be tagged with the given tag in order to match the rule.
>>>           Inverse tag matching can also be done by specifying the ! operator
>>>           before the tagged keyword.
>>> -- and here --
>>>
>>>  Anyway, I believe that keeping state for the desired outgoing
>>> connections should be enough all by itself. You would simply add the
>>
>> Indeed no, what I want is also to mark the connection, to then be able
>> to mark incoming packets belonging to the same connection.
>>
>>> "queue <queue>" directive at the end of your pass out rule, even
>>> though the interface packets go out through is the "external" one, and
>>> you want to do shaping on the "internal" one but, as I understand, for
>>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>>
>> I am not sure what you mean by "floating (not if-bound) states";
>> could you please explain this?
>>>
>>> like somebody with better pf knowledge to correct me :)
>
> pf(4) is not iptables. So before using it read more about it.
>

I'm aware of that.

I think it's pretty obvious that my post is simply trying to figure out
how to achieve with pf something that I used to do with netfilter.

I've read this before but nothing comes to mind.
http://www.openbsd.org/faq/pf/tagging.html


Thanks anyway, Ermal.
Regards,
evelio vila

> http://home.nuug.no/~peter/pf/en/
> http://www.openbsd.org/faq/pf
>
>
>
>> Thanks for your quick answer, Vlad.
>>
>> evelio vila
>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>>
>> VI International Conference on Renewable Energy, Energy Saving and
>> Energy Education
>> 9 - 12 June 2009, Palacio de las Convenciones
>> ...For a sustainable energy culture
>> www.ciercuba.com
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>
>
>
>
> --
> Ermal
>
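Putting the quoted pf.conf(5) text and the queueing suggestion together, the following pf.conf fragment is an illustrative example added to this archive copy; it is not from any participant in the thread, and the interface names, LAN prefix, queue names and bandwidths are assumptions.

```pf
# Illustrative pf.conf fragment (added example, not from the thread).
# Assumed: em0 is the external interface, em1 the LAN, 10Mb LAN link.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Floating is pf's default: a state may be matched on any interface, so
# replies leaving $int_if are matched against the state created on the
# LAN side below instead of being re-evaluated against the rules.
set state-policy floating

# HFSC queues on the LAN side, where downloaded traffic leaves the box.
altq on $int_if hfsc bandwidth 10Mb queue { q_default, q_web }
queue q_default bandwidth 30% hfsc(default)
queue q_web     bandwidth 70% hfsc(realtime 2Mb)

nat on $ext_if from $int_net to any -> ($ext_if)

# Generic rules first: pf uses the last matching rule, so the more
# specific tagging rules below override these for web traffic.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if keep state

# CONNMARK analogue: the first LAN->web packet is tagged and creates
# state; pf stores the tag and the queue in the state entry, so every
# later packet of that connection (both directions) inherits them.
# Replies leaving $int_if are therefore enqueued in q_web.
pass in on $int_if proto tcp from $int_net to any port { 80, 443 } \
    tag LAN_WEB keep state queue q_web

# "tagged" (like iptables -m connmark --mark) matches the tag the packet
# already carries while rules are still being evaluated, here on its
# way out $ext_if during the same forwarding pass.
pass out on $ext_if proto tcp tagged LAN_WEB keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f, and confirm the tag and queue on a live connection with pfctl -vss.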