Annotation of embedaddon/dnsmasq/contrib/conntrack/README, revision 1.1
1.1 ! misho 1: Linux iptables includes that ability to mark individual network packets
! 2: with a "firewall mark". Additionally there is a component called
! 3: "conntrack" which tries to string sequences of related packets together
! 4: into a "connection" (it even relates sequences of UDP and ICMP packets).
! 5: There is a related mark for a connection called a "connection mark".
! 6: Marks can be copied freely between the firewall and connection marks
! 7:
! 8: Using these two features it become possible to tag all related traffic
! 9: in arbitrary ways, eg authenticated users, traffic from a particular IP,
! 10: port, etc. Unfortunately any kind of "proxy" breaks this relationship
! 11: because network packets go in one side of the proxy and a completely new
! 12: connection comes out of the other side. However, sometimes, we want to
! 13: maintain that relationship through the proxy and continue the connection
! 14: mark on packets upstream of our proxy
! 15:
! 16: DNSMasq includes such a feature enabled by the --conntrack
! 17: option. This allows, for example, using iptables to mark traffic from
! 18: a particular IP, and that mark to be persisted to requests made *by*
! 19: DNSMasq. Such a feature could be useful for bandwidth accounting,
! 20: captive portals and the like. Note a similar feature has been
! 21: implemented in Squid 2.2
! 22:
! 23:
! 24: As an example consider the following iptables rules:
! 25:
! 26:
! 27: 1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
! 28: 2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137
! 29: -j MARK --set-mark 137
! 30: 3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
! 31:
! 32: 4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
! 33:
! 34: 1-3) are all applied to the PREROUTING table and affect all packets
! 35: entering the firewall.
! 36:
! 37: 1) copies any existing connection mark into the firewall mark. 2) Checks
! 38: the packet not already marked and if not applies an arbitrary mark based
! 39: on IP address. 3) Saves the firewall mark back to the connection mark
! 40: (which will persist it across related packets)
! 41:
! 42: 4) is applied to the OUTPUT table, which is where we first see packets
! 43: generated locally. DNSMasq will have already copied the firewall mark
! 44: from the request, across to the new packet, and so all that remains is
! 45: for iptables to copy it to the connection mark so it's persisted across
! 46: packets.
! 47:
! 48: Note: iptables can be quite confusing to the beginner. The following
! 49: diagram is extremely helpful in understanding the flows
! 50: http://linux-ip.net/nf/nfk-traversal.png
! 51: Additionally the following URL contains a useful "starting guide" on
! 52: linux connection tracking/marking
! 53: http://home.regit.org/netfilter-en/netfilter-connmark/
! 54:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>