[BACK]Return to README CVS log [TXT] [DIR] Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / contrib / conntrack
File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / contrib / conntrack / README
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Mon Jul 29 19:37:40 2013 UTC (11 years ago) by misho
Branches: elwix, dnsmasq, MAIN
CVS tags: v2_76p1, v2_71, v2_66p0, v2_66, HEAD
dnsmasq

    1: Linux iptables includes that ability to mark individual network packets
    2: with a "firewall mark".  Additionally there is a component called
    3: "conntrack" which tries to string sequences of related packets together
    4: into a "connection" (it even relates sequences of UDP and ICMP packets).
    5:  There is a related mark for a connection called a "connection mark".
    6: Marks can be copied freely between the firewall and connection marks
    7: 
    8: Using these two features it become possible to tag all related traffic
    9: in arbitrary ways, eg authenticated users, traffic from a particular IP,
   10: port, etc. Unfortunately any kind of "proxy" breaks this relationship
   11: because network packets go in one side of the proxy and a completely new
   12: connection comes out of the other side.  However, sometimes, we want to
   13: maintain that relationship through the proxy and continue the connection
   14: mark on packets upstream of our proxy
   15: 
   16: DNSMasq includes such a feature enabled by the --conntrack
   17: option. This allows, for example, using iptables to mark traffic from
   18: a particular IP, and that mark to be persisted to requests made *by*
   19: DNSMasq. Such a feature could be useful for bandwidth accounting,
   20: captive portals and the like. Note a similar feature has been 
   21: implemented in Squid 2.2
   22: 
   23: 
   24: As an example consider the following iptables rules:
   25: 
   26: 
   27: 1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
   28: 2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137
   29: -j MARK --set-mark 137
   30: 3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
   31: 
   32: 4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
   33: 
   34: 1-3) are all applied to the PREROUTING table and affect all packets
   35: entering the firewall.
   36: 
   37: 1) copies any existing connection mark into the firewall mark. 2) Checks
   38: the packet not already marked and if not applies an arbitrary mark based
   39: on IP address. 3) Saves the firewall mark back to the connection mark
   40: (which will persist it across related packets)
   41: 
   42: 4) is applied to the OUTPUT table, which is where we first see packets
   43: generated locally. DNSMasq will have already copied the firewall mark
   44: from the request, across to the new packet, and so all that remains is
   45: for iptables to copy it to the connection mark so it's persisted across
   46: packets.
   47: 
   48: Note: iptables can be quite confusing to the beginner. The following
   49: diagram is extremely helpful in understanding the flows
   50: 	http://linux-ip.net/nf/nfk-traversal.png
   51: Additionally the following URL contains a useful "starting guide" on
   52: linux connection tracking/marking
   53: 	http://home.regit.org/netfilter-en/netfilter-connmark/
   54:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>