Connmark target

vila at tesla.cujae.edu.cu
Sat Jun 6 16:49:59 UTC 2009


Vlad Galu <dudu at dudu.ro> ha escrito:

> On Sat, Jun 6, 2009 at 5:57 AM, <vila at tesla.cujae.edu.cu> wrote:
>> Hi folks!
>>
>> I'm trying to figure out if there is a way to make connection marking in a
>> similar way as the iptables's CONNMARK target does?
>>
>> Does pf support this feature?
>>
>> My intentions are to tag an outgoing packet, transfer the tag to the whole
>> connection and then use that tag to mark incoming packets belonging to the
>> same connection.
>>
>> Also, I would like then to use that mark to enqueue marked packets to hfsc
>> classes.
>>
>> I've done all of this in linux but never on freebsd, I've searched in pf's
>> man page and the FAQ without success.
>>
>> thanks in advance,
>>
>> evelio vila
>
>    Hi evelio, see below:
> -- cut here --
>      tag <string>
>            Packets matching this rule will be tagged with the specified
>            string.  The tag acts as an internal marker that can be used to
>            identify these packets later on.  This can be used, for example, to
>            provide trust between interfaces and to determine if packets have
>            been processed by translation rules.  Tags are "sticky", meaning
>            that the packet will be tagged even if the rule is not the last
>            matching rule.  Further matching rules can replace the tag with a
>            new one but will not remove a previously applied tag.  A packet is
>            only ever assigned one tag at a time.  Packet tagging can be done
>            during nat, rdr, or binat rules in addition to filter rules.  Tags
>            take the same macros as labels (see above).
>
>      tagged <string>
>            Used with filter or translation rules to specify that packets must
>            already be tagged with the given tag in order to match the rule.
>            Inverse tag matching can also be done by specifying the ! operator
>            before the tagged keyword.
> -- and here --
>
>  Anyway, I believe that keeping state for the desired outgoing
> connections should be enough all by itself. You would simply add the

Indeed no, what I want is also to mark the connection to be able then
to mark incoming packets belonging to the same connection.

> "queue <queue>" directive at the end of your pass out rule, even
> though the interface packets go out through is the "external" one, and
> you want to do shaping on the "internal" one but, as I understand, for
> that you also need floating (not if-bound) states. If I'm wrong, I'd

I am not sure what you mean with "floating (not if-bound) states".
Could you please explain this?
> like somebody with better pf knowledge to correct me :)
>

Thanks for your quick answer, Vlad.

evelio vila
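Putting the quoted man page text and Vlad's suggestion into one pf.conf, as an added example that is not from the thread: the LAN-side rules classify and tag traffic without creating state (so the WAN-side rules are still evaluated), and the WAN-side rules match with `tagged`, keep state and assign the hfsc queue on the `pass out` rule. Interface names, the LAN prefix, bandwidth figures and queue names are assumptions; the example does not rely on reply packets inheriting the tag, which the thread leaves unsettled.

```pf
# Added example, not from the mailing list thread.
# em0/em1, the LAN prefix, bandwidths and queue names are assumed values.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# hfsc shaping on the external (upload) side: two queues, web and the rest.
altq on $ext_if hfsc bandwidth 2Mb queue { q_default, q_web }
queue q_default bandwidth 60% hfsc(default)
queue q_web     bandwidth 40% hfsc(realtime 512Kb)

block log all

# LAN side: classify once and tag. "no state" keeps these rules from creating
# a floating state that would otherwise match on $ext_if and skip the rules
# below; the tag is "sticky" and stays on the packet through forwarding.
pass in quick on $int_if proto tcp from $lan to any port { 80, 443 } tag WEB no state
pass in quick on $int_if from $lan tag LAN no state

# WAN side: match by tag instead of repeating the port list, create the state
# here and attach the hfsc queue to it (Vlad's "queue at the end of pass out").
# Replies then match this state on the way in on $ext_if and out on $int_if.
pass out quick on $ext_if tagged WEB keep state queue q_web
pass out quick on $ext_if tagged LAN keep state queue q_default
```

Check with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -vsq` to see per-queue counters once traffic is flowing.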


