Date:      Sat, 6 Jun 2009 08:39:42 +0300
From:      Vlad Galu <dudu@dudu.ro>
To:        vila@tesla.cujae.edu.cu
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Connmark target
Message-ID:  <ad79ad6b0906052239n7102eb80lc9eab527aeb9d689@mail.gmail.com>
In-Reply-To: <20090605225730.wrvm0ae74kco0cws@correo.cujae.edu.cu>
References:  <20090605225730.wrvm0ae74kco0cws@correo.cujae.edu.cu>

On Sat, Jun 6, 2009 at 5:57 AM, <vila@tesla.cujae.edu.cu> wrote:
> Hi folks!
>
> I'm trying to figure out if there is a way to make connection marking in a
> similar way as the iptables' CONNMARK target does?
>
> Does pf support this feature?
>
> My intentions are to tag an outgoing packet, transfer the tag to the whole
> connection and then use that tag to mark incoming packets belonging to the
> same connection.
>
> Also, I would like then to use that mark to enqueue marked packets to hfsc
> classes.
>
> I've done all of this in Linux but never on FreeBSD; I've searched in pf's
> man page and the FAQ without success.
>
> thanks in advance,
>
> evelio vila

   Hi evelio, see below:
-- cut here --
     tag <string>
           Packets matching this rule will be tagged with the specified
           string.  The tag acts as an internal marker that can be used to
           identify these packets later on.  This can be used, for example, to
           provide trust between interfaces and to determine if packets have
           been processed by translation rules.  Tags are "sticky", meaning
           that the packet will be tagged even if the rule is not the last
           matching rule.  Further matching rules can replace the tag with a
           new one but will not remove a previously applied tag.  A packet is
           only ever assigned one tag at a time.  Packet tagging can be done
           during nat, rdr, or binat rules in addition to filter rules.  Tags
           take the same macros as labels (see above).

     tagged <string>
           Used with filter or translation rules to specify that packets must
           already be tagged with the given tag in order to match the rule.
           Inverse tag matching can also be done by specifying the ! operator
           before the tagged keyword.
-- and here --

 Anyway, I believe that keeping state for the desired outgoing
connections should be enough all by itself. You would simply add the
"queue <queue>" directive at the end of your pass out rule, even
though the interface packets go out through is the "external" one, and
you want to do shaping on the "internal" one but, as I understand, for
that you also need floating (not if-bound) states. If I'm wrong, I'd
like somebody with better pf knowledge to correct me :)
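
As an added example, not part of this thread and not taken from the pf documentation, here is what the tag/tagged/queue combination looks like in a FreeBSD pf.conf of that era using ALTQ (the kernel needs options ALTQ and ALTQ_HFSC). Interface names, the LAN prefix, the bandwidth figures and the tag names are assumptions. The point it shows is that pf needs no separate connection mark: the tag and the queue given on the rule that creates a state are stored in that state, so every later packet of the connection that matches the state, replies included, is tagged and queued again without another rule lookup. A forwarded connection gets one state per interface it crosses, so the rule on $int_if selects the download queue and the rule on $ext_if, matched through tagged, selects the upload queue. A queue name that does not exist on the interface a packet leaves from sends the packet to that interface's default queue.

```conf
# Assumed names and numbers: adjust to your own setup.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Download shaping: queues live on the interface packets leave towards the LAN.
altq on $int_if hfsc bandwidth 50Mb queue { lan_dflt, lan_web, lan_bulk }
queue lan_dflt bandwidth 20% hfsc(default)
queue lan_web  bandwidth 60% hfsc(realtime 20%)
queue lan_bulk bandwidth 20% hfsc(upperlimit 30%)

# Upload shaping: queues on the external interface.
altq on $ext_if hfsc bandwidth 10Mb queue { wan_dflt, wan_web, wan_bulk }
queue wan_dflt bandwidth 20% hfsc(default)
queue wan_web  bandwidth 60% hfsc(realtime 20%)
queue wan_bulk bandwidth 20% hfsc(upperlimit 30%)

nat on $ext_if from $lan_net to any -> ($ext_if)

block log all

# Classify where the connection first shows up. Both the tag and the queue go
# into the state, so replies leaving on $int_if are tagged and queued on lan_*
# by the state alone; no rule is evaluated for them.
pass in on $int_if proto tcp from $lan_net to any port { 80, 443 } tag WEB keep state queue lan_web
pass in on $int_if proto tcp from $lan_net to any port 873 tag BULK keep state queue lan_bulk
pass in on $int_if from $lan_net to any keep state queue lan_dflt

# The same packet leaving on $ext_if still carries the tag, so 'tagged' picks
# the matching upload queue when the second state is created there.
pass out on $ext_if tagged WEB  keep state queue wan_web
pass out on $ext_if tagged BULK keep state queue wan_bulk
pass out on $ext_if keep state queue wan_dflt
```

Check the file with pfctl -nf /etc/pf.conf before loading it. With traffic flowing, pfctl -vvsq shows per-queue packet counters, which is the quickest way to confirm that web and rsync traffic lands in lan_web/wan_web and lan_bulk/wan_bulk rather than in the default queues, and pfctl -ss shows the two states (one per interface) that each forwarded connection creates.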

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ad79ad6b0906052239n7102eb80lc9eab527aeb9d689>