From: Ermal Luçi
Date: Sat, 6 Jun 2009 18:55:26 +0200
To: vila@tesla.cujae.edu.cu
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
Message-ID: <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
In-Reply-To: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>

On Sat, Jun 6, 2009 at 6:49 PM, wrote:
> Vlad Galu wrote:
>
>> On Sat, Jun 6, 2009 at 5:57 AM, wrote:
>>>
>>> Hi folks!
>>>
>>> I'm trying to figure out if there is a way to do connection marking in a
>>> similar way as the iptables CONNMARK target does?
>>>
>>> Does pf support this feature?
>>>
>>> My intentions are to tag an outgoing packet, transfer the tag to the whole
>>> connection and then use that tag to mark incoming packets belonging to the
>>> same connection.
>>>
>>> Also, I would like then to use that mark to enqueue marked packets to hfsc
>>> classes.
>>>
>>> I've done all of this in Linux but never on FreeBSD; I've searched in pf's
>>> man page and the FAQ without success.
>>>
>>> thanks in advance,
>>>
>>> evelio vila
>>
>>   Hi evelio, see below:
>> -- cut here --
>>      tag
>>           Packets matching this rule will be tagged with the specified
>>           string.  The tag acts as an internal marker that can be used to
>>           identify these packets later on.  This can be used, for example, to
>>           provide trust between interfaces and to determine if packets have
>>           been processed by translation rules.  Tags are "sticky", meaning
>>           that the packet will be tagged even if the rule is not the last
>>           matching rule.  Further matching rules can replace the tag with a
>>           new one but will not remove a previously applied tag.  A packet is
>>           only ever assigned one tag at a time.  Packet tagging can be done
>>           during nat, rdr, or binat rules in addition to filter rules.  Tags
>>           take the same macros as labels (see above).
>>
>>      tagged
>>           Used with filter or translation rules to specify that packets must
>>           already be tagged with the given tag in order to match the rule.
>>           Inverse tag matching can also be done by specifying the ! operator
>>           before the tagged keyword.
>> -- and here --
>>
>>  Anyway, I believe that keeping state for the desired outgoing
>> connections should be enough all by itself. You would simply add the
>
> Indeed no, what I want is also to mark the connection to be able then
> to mark incoming packets belonging to the same connection.
>
>> "queue" directive at the end of your pass out rule, even
>> though the interface packets go out through is the "external" one, and
>> you want to do shaping on the "internal" one but, as I understand, for
>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>
> I am not sure what you mean by "floating (not if-bound) states";
> could you please explain this.
>>
>> like somebody with better pf knowledge to correct me :)

pf(4) is not iptables. So, before using it, read more about it.
http://home.nuug.no/~peter/pf/en/
http://www.openbsd.org/faq/pf

> thanks for your quick answer vlad.
>
> evelio vila
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>
> VI International Conference on Renewable Energy, Energy Saving and
> Energy Education
> 9 - 12 June 2009, Palacio de las Convenciones
> ...For a sustainable energy culture
> www.ciercuba.com
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Ermal
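A pf.conf fragment illustrating the approach Vlad describes, added here as an example and not taken from the thread: the tag and the hfsc queue are attached to the rule that creates the state, and floating states let that one state follow the connection across both interfaces. Interface names, addresses, bandwidths and queue names are assumptions.

```pf
# Constructed example, not from the thread; names and numbers are assumptions.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Floating states (the "not if-bound" states Vlad refers to) are not tied to
# the interface they were created on, so one state matches the client's
# packets in on $int_if and out on $ext_if, and the server's replies coming
# back in on $ext_if and out on $int_if.
set state-policy floating

# Shape on the internal interface, which is where downloads toward the LAN
# leave the firewall.
altq on $int_if hfsc bandwidth 10Mb queue { q_default, q_web }
queue q_default bandwidth 60% hfsc(default)
queue q_web     bandwidth 40% hfsc(realtime 2Mb)

block all

# Generic LAN rules. The last matching rule wins, so the specific web rule
# below takes precedence for port 80 connections.
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from $lan to any keep state

# The first packet of a LAN web connection arrives here and creates the state.
# The state records both the tag and the queue, so every later packet of the
# connection, in both directions and on both interfaces, carries WEB_CONN and
# is queued into q_web when it leaves $int_if. This is the pf counterpart of
# saving a CONNMARK on the connection and restoring it on later packets.
pass in on $int_if proto tcp from $lan to any port 80 \
    keep state tag WEB_CONN queue q_web

# "tagged WEB_CONN" only applies to packets that are still evaluated by the
# ruleset (for example the first packet on another interface when states are
# if-bound). State-matched replies never reach the rules again, so no
# "tagged" rule is needed to queue them.
```

To see the queue assignment and the tag in action, `pfctl -vvs queue` shows per-queue packet counters on $int_if, and `pfctl -vs state` lists the states created by the port 80 rule.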