[Firehol-devs] Mark + CONNMARK

Costa Tsaousis costa at tsaousis.gr
Fri Nov 30 00:57:36 CET 2007


Pieter Smit wrote:
> I am using firehol and would now like to start using it for policy
> routing.
>
> Specifically using multiple providers, and servers nat'ed to different
> public ip's.
>
> What I need is to save an incoming connection's interface (and external
> ip) using
> --save-mark [--mask mask]
> Copy the netfilter packet mark value to the connection mark. If
> a mask is specified then only those bits are copied.
>
> then in the pre-routing
> --restore-mark [--mask mask]
> Copy the connection mark value to the packet. If a mask is specified
> then only those bits are copied. This is only valid in the mangle
> table.
>
> this will allow me to use different routing tables for packets to and
> from internal servers based on the saved mark to keep all packets
> going in and out of the same interface/provider the session was
> started on.
>
> Thus once a connection has been established we use the CONNMARK to
> keep same mark on all packets, and then ip rule to pick routing table.
>
> Thus how would I use --restore-mark and --save-mark under firehol ?
> ------------------------------------------------------------------------

How are you going to use it with policy based routing?

In general firehol already supports marks. If I understand correctly
what is missing is restoring and saving the CONNMARK.
If you send me some information on the specific case you are going to
use it, I will help further.

Costa
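For readers of the archive, here is the rule set the question describes, written out as an added example. It is not code from the thread or from the FireHOL project, and it uses plain iptables(8) and ip(8) commands rather than FireHOL's own configuration syntax. Interface names (eth1, eth2), mark values and routing-table numbers are constructed placeholders; DRY_RUN=1 (the default) prints the commands instead of executing them, so the script can be read and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not part of the list thread or of FireHOL.
# Marks new connections by the interface they arrive on, stores that mark
# in the conntrack entry (CONNMARK --save-mark), restores it onto every
# later packet of the connection (CONNMARK --restore-mark), and lets
# "ip rule" pick a per-provider routing table from the restored fwmark.
# All interface names, marks and table numbers below are constructed.

DRY_RUN="${DRY_RUN:-1}"

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# connmark_restore: must be installed before the per-provider rules.
# Copies the saved connection mark back onto each packet so the fwmark
# rule sees it both for forwarded traffic (PREROUTING) and for replies
# generated by the firewall host itself (OUTPUT).
connmark_restore() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# connmark_provider IFACE MARK TABLE
# New connections entering on IFACE get packet mark MARK, the mark is
# saved into the connection entry, and packets carrying MARK are routed
# through routing table TABLE (which should hold that provider's default
# route; constructed table numbers are used here).
connmark_provider() {
    iface="$1"; mark="$2"; table="$3"
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW -j CONNMARK --save-mark
    run ip rule add fwmark "$mark" table "$table"
}

# build_ruleset: two constructed providers on eth1 and eth2.
build_ruleset() {
    connmark_restore
    connmark_provider eth1 1 101
    connmark_provider eth2 2 102
}

build_ruleset
```

Order matters: the --restore-mark rules are appended first so that packets of established connections already carry their mark when the per-provider NEW rules and, later, the routing decision run. Packets of a brand-new connection restore a mark of 0, match the NEW rule for their incoming interface, and are then saved with that interface's mark; every reply in the same connection therefore leaves through the routing table of the provider it arrived on.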
