From: vila@tesla.cujae.edu.cu
To: freebsd-pf@freebsd.org
Date: Sat, 06 Jun 2009 12:49:49 -0400
Subject: Re: Connmark target
Message-ID: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Vlad Galu wrote:

> On Sat, Jun 6, 2009 at 5:57 AM, wrote:
>> Hi folks!
>>
>> I'm trying to figure out if there is a way to do connection marking in a
>> similar way to what the iptables CONNMARK target does.
>>
>> Does pf support this feature?
>>
>> My intention is to tag an outgoing packet, transfer the tag to the whole
>> connection and then use that tag to mark incoming packets belonging to the
>> same connection.
>>
>> Also, I would then like to use that mark to enqueue marked packets into hfsc
>> classes.
>>
>> I've done all of this on Linux but never on FreeBSD; I've searched pf's
>> man page and the FAQ without success.
>>
>> Thanks in advance,
>>
>> evelio vila
>
> Hi evelio, see below:
> -- cut here --
> tag
>     Packets matching this rule will be tagged with the specified
>     string. The tag acts as an internal marker that can be used to
>     identify these packets later on. This can be used, for example, to
>     provide trust between interfaces and to determine if packets have
>     been processed by translation rules. Tags are "sticky", meaning
>     that the packet will be tagged even if the rule is not the last
>     matching rule. Further matching rules can replace the tag with a
>     new one but will not remove a previously applied tag. A packet is
>     only ever assigned one tag at a time. Packet tagging can be done
>     during nat, rdr, or binat rules in addition to filter rules. Tags
>     take the same macros as labels (see above).
>
> tagged
>     Used with filter or translation rules to specify that packets must
>     already be tagged with the given tag in order to match the rule.
>     Inverse tag matching can also be done by specifying the ! operator
>     before the tagged keyword.
> -- and here --
>
> Anyway, I believe that keeping state for the desired outgoing
> connections should be enough all by itself. You would simply add the

Indeed no, what I want is also to mark the connection, to then be able to mark incoming packets belonging to the same connection.

> "queue " directive at the end of your pass out rule, even
> though the interface packets go out through is the "external" one, and
> you want to do shaping on the "internal" one but, as I understand, for
> that you also need floating (not if-bound) states. If I'm wrong, I'd

I am not sure what you mean by "floating (not if-bound) states"; could you please explain this?

> like somebody with better pf knowledge to correct me :)

Thanks for your quick answer, Vlad.

evelio vila
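For readers following the thread, here is a pf.conf sketch of the combination Vlad describes (an outbound rule that tags the packet, keeps state, and assigns an HFSC queue) together with the `tagged` keyword from the quoted man page text. This is an added example, not configuration posted by either participant; the interface names, bandwidths and queue names are assumptions, and it covers only the outbound side on the external interface, since the thread does not settle how the reply direction on the internal interface should be handled.

```pf
# Added example; interface names, bandwidths and queue names are assumed.
ext_if = "em0"
int_if = "em1"

# HFSC shaping on the external (upload) side. ALTQ queues belong to the
# interface they are declared on, so a "queue" keyword in a filter rule only
# takes effect when the packet leaves through that interface.
altq on $ext_if hfsc bandwidth 2Mb queue { std_up, ssh_up }
  queue std_up bandwidth 80% hfsc(default)
  queue ssh_up bandwidth 20% hfsc(realtime 128Kb)

# Default: everything else leaving $ext_if goes to the default class.
pass out on $ext_if keep state queue std_up

# Tag outgoing SSH. The tag is "sticky": a later matching rule can read it.
pass out on $ext_if proto tcp to port 22 tag SSH keep state

# Last matching rule wins. This one matches only packets already tagged
# SSH by the rule above, keeps state and assigns the SSH class; the tag
# itself is not replaced because this rule carries no "tag" of its own.
pass out on $ext_if tagged SSH keep state queue ssh_up

# Inverse matching, as described in the man page excerpt: anything on
# $ext_if that is NOT tagged SSH but still targets port 22 gets blocked.
block out on $ext_if proto tcp to port 22 ! tagged SSH
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsq` shows per-queue counters so you can confirm that SSH traffic is actually landing in `ssh_up` rather than `std_up`.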