Annotation of embedaddon/dnsmasq/contrib/conntrack/README, revision 1.1.1.2

Linux iptables includes the ability to mark individual network packets
with a "firewall mark".  Additionally there is a component called
"conntrack" which tries to string sequences of related packets together
into a "connection" (it even relates sequences of UDP and ICMP packets).
There is a related mark for a connection called a "connection mark".
Marks can be copied freely between the firewall and connection marks.

Using these two features it becomes possible to tag all related traffic
in arbitrary ways, e.g. authenticated users, traffic from a particular IP,
port, etc.  Unfortunately any kind of "proxy" breaks this relationship,
because network packets go in one side of the proxy and a completely new
connection comes out of the other side.  However, sometimes we want to
maintain that relationship through the proxy and continue the connection
mark on packets upstream of our proxy.
                     15: 
Dnsmasq includes such a feature, enabled by the --conntrack
option.  This allows, for example, using iptables to mark traffic from
a particular IP, and that mark to be persisted to requests made *by*
Dnsmasq on the client's behalf.  Such a feature could be useful for
bandwidth accounting, captive portals and the like.  Note a similar
feature has been implemented in Squid 2.2.
                     22: 
                     23: 
As an example consider the following iptables rules:

1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137 -j MARK --set-mark 137
3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
                     33: 
1-3) are all applied to the PREROUTING chain of the mangle table and
affect all packets entering the firewall.

1) copies any existing connection mark into the firewall mark.  2) checks
that the packet is not already marked and, if not, applies an arbitrary
mark based on the source IP address.  3) saves the firewall mark back to
the connection mark (which persists it across related packets).

4) is applied to the OUTPUT chain, which is where we first see packets
generated locally.  Dnsmasq will have already copied the firewall mark
from the request across to the new upstream packet, and so all that
remains is for iptables to copy it to the connection mark so it is
persisted across packets.
                     47: 
Note: iptables can be quite confusing to the beginner.  The following
diagram is extremely helpful in understanding the flows:
       http://linux-ip.net/nf/nfk-traversal.png
Additionally the following URL contains a useful "starting guide" on
Linux connection tracking/marking:
       http://home.regit.org/netfilter-en/netfilter-connmark/

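The four rules above, as an added example script that is not part of the dnsmasq README: it parameterises the client address and mark, skips rules that are already present (so re-running it does not duplicate entries in the mangle table), and emits the matching dnsmasq configuration line. It assumes an iptables that supports "-C" (rule check), the CONNMARK and MARK targets, and a dnsmasq started with --conntrack (the config-file form is the bare keyword "conntrack"). Setting DRY_RUN=1 prints the rules instead of applying them, which is also how the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not the dnsmasq project's own code.
# Assumptions: iptables with the mangle table, CONNMARK/MARK targets and
# the -C (check) option; dnsmasq running with --conntrack.
# IPT may be overridden (e.g. IPT=/sbin/iptables); DRY_RUN=1 prints rules only.

IPT="${IPT:-iptables}"

# add_rule TABLE CHAIN RULE...: append RULE to CHAIN unless it already exists.
# In DRY_RUN mode the command line is printed instead of executed.
add_rule() {
    table=$1; chain=$2; shift 2
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT -t $table -A $chain $*"
        return 0
    fi
    # -C returns 0 if an identical rule is already in the chain
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# connmark_rules CLIENT_IP MARK: install rules 1-4 from the README for one client.
connmark_rules() {
    client=$1; mark=$2
    # 1) copy any existing connection mark into the packet (firewall) mark
    add_rule mangle PREROUTING -j CONNMARK --restore-mark
    # 2) mark only still-unmarked packets coming from the client
    add_rule mangle PREROUTING -m mark --mark 0 -s "$client" -j MARK --set-mark "$mark"
    # 3) persist the packet mark on the connection
    add_rule mangle PREROUTING -j CONNMARK --save-mark
    # 4) locally generated packets: dnsmasq's upstream queries already carry
    #    the client's mark (thanks to --conntrack), so save any non-zero mark
    add_rule mangle OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
}

# dnsmasq_conf_line: the dnsmasq.conf setting equivalent to --conntrack
dnsmasq_conf_line() {
    printf 'conntrack\n'
}

# Usage: ./connmark.sh CLIENT_IP MARK   (e.g. 192.168.111.137 137)
if [ "$#" -ge 2 ]; then
    connmark_rules "$1" "$2"
    echo "# add to /etc/dnsmasq.conf:"
    dnsmasq_conf_line
fi
```

To confirm the mark is actually travelling upstream, watch the byte and packet counters on the OUTPUT rule with "iptables -t mangle -L OUTPUT -v -n" while the client resolves a name: they only increase when dnsmasq's outgoing queries arrive in OUTPUT already carrying a non-zero mark.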