Date: Sat, 06 Jun 2009 13:15:45 -0400
From: vila@tesla.cujae.edu.cu
To: Ermal Luçi <eri@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
Message-ID: <20090606131545.kk8k1qf7a8oc4os8@correo.cujae.edu.cu>
In-Reply-To: <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
References: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu> <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
Ermal Luçi <eri@freebsd.org> wrote:
> On Sat, Jun 6, 2009 at 6:49 PM, <vila@tesla.cujae.edu.cu> wrote:
>> Vlad Galu <dudu@dudu.ro> wrote:
>>
>>> On Sat, Jun 6, 2009 at 5:57 AM, <vila@tesla.cujae.edu.cu> wrote:
>>>>
>>>> Hi folks!
>>>>
>>>> I'm trying to figure out if there is a way to do connection marking in a
>>>> similar way to what the iptables CONNMARK target does.
>>>>
>>>> Does pf support this feature?
>>>>
>>>> My intention is to tag an outgoing packet, transfer the tag to the whole
>>>> connection and then use that tag to mark incoming packets belonging to the
>>>> same connection.
>>>>
>>>> Also, I would then like to use that mark to enqueue marked packets into
>>>> hfsc classes.
>>>>
>>>> I've done all of this on Linux but never on FreeBSD; I've searched pf's
>>>> man page and the FAQ without success.
>>>>
>>>> Thanks in advance,
>>>>
>>>> evelio vila
>>>
>>> Hi evelio, see below:
>>> -- cut here --
>>> tag <string>
>>>     Packets matching this rule will be tagged with the specified
>>>     string. The tag acts as an internal marker that can be used to
>>>     identify these packets later on. This can be used, for example, to
>>>     provide trust between interfaces and to determine if packets have
>>>     been processed by translation rules. Tags are "sticky", meaning
>>>     that the packet will be tagged even if the rule is not the last
>>>     matching rule. Further matching rules can replace the tag with a
>>>     new one but will not remove a previously applied tag. A packet is
>>>     only ever assigned one tag at a time. Packet tagging can be done
>>>     during nat, rdr, or binat rules in addition to filter rules. Tags
>>>     take the same macros as labels (see above).
>>>
>>> tagged <string>
>>>     Used with filter or translation rules to specify that packets must
>>>     already be tagged with the given tag in order to match the rule.
>>>     Inverse tag matching can also be done by specifying the ! operator
>>>     before the tagged keyword.
>>> -- and here --
>>>
>>> Anyway, I believe that keeping state for the desired outgoing
>>> connections should be enough all by itself. You would simply add the
>>
>> Indeed no, what I want is also to mark the connection to be able then
>> to mark incoming packets belonging to the same connection.
>>
>>> "queue <queue>" directive at the end of your pass out rule, even
>>> though the interface packets go out through is the "external" one, and
>>> you want to do shaping on the "internal" one but, as I understand, for
>>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>>
>> I am not sure what you mean by "floating (not if-bound) states";
>> could you please explain this.
>>
>>> like somebody with better pf knowledge to correct me :)
>
> pf(4) is not iptables. So before using it read more about it.
>

I'm aware of that. I think it's pretty obvious that my post is simply
trying to figure out how to achieve with pf something that I am used to
doing with netfilter.

I've read this before but nothing comes up to me.
http://www.openbsd.org/faq/pf/tagging.html

thanks anyway ermal

regards,
evelio vila

> http://home.nuug.no/~peter/pf/en/
> http://www.openbsd.org/faq/pf
>
>
>
>> thanks for your quick answer vlad.
>>
>> evelio vila
>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>>
>> VI International Conference on Renewable Energy, Energy Saving and
>> Energy Education
>> 9 - 12 June 2009, Palacio de las Convenciones
>> ...For a sustainable energy culture
>> www.ciercuba.com
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>
>
>
> --
> Ermal
>
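As an added example (not code from the thread, and not from the pf project or the OpenBSD FAQ), here is a pf.conf fragment that does what the original question asks for using the tag/tagged and queue mechanisms quoted above. Interface names, the LAN prefix, queue names and bandwidths are hypothetical. It rests on two pieces of pf behaviour: the rule that creates a state records its tag and its queue in that state, and every later packet matching the state, replies included, inherits both; and a packet that matches an existing state is never evaluated against the rules again, so a `tagged` rule can only fire on an interface and direction where no state for that flow exists yet.

```pf
# Added example, not from the thread: mark a connection when its first packet
# enters from the LAN, carry the mark (tag and queue) in the state, and shape
# the replies on the LAN-facing interface. Interfaces, prefix, queue names and
# bandwidths are hypothetical; the kernel needs options ALTQ and ALTQ_HFSC.
# NAT is omitted.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Queues live on $int_if, the interface replies to LAN clients leave through.
altq on $int_if hfsc bandwidth 10Mb queue { q_bulk, q_web }
queue q_bulk bandwidth 60% hfsc(default)
queue q_web  bandwidth 40% hfsc(realtime 2Mb)

block log all

# The connection's first packet arrives here. The state this rule creates
# stores tag WEB_OUT and queue q_web; every later packet matching that state,
# the replies leaving $int_if included, is tagged WEB_OUT and placed in q_web
# without any rule being evaluated for it. This is the CONNMARK-like step.
pass in quick on $int_if proto tcp from $lan to any port { 80, 443 } \
    keep state queue q_web tag WEB_OUT

# No state exists on $ext_if for that first packet, so the rules are
# evaluated here and the sticky tag set on $int_if selects this rule.
pass out quick on $ext_if tagged WEB_OUT keep state

# Remaining LAN traffic is untagged and falls into the default queue.
pass in on $int_if from $lan keep state
pass out on $ext_if from $lan keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch `pfctl -vs queue` during a download to confirm that the reply packets to the LAN land in q_web. Note that on the return path the replies already match the state created by the `pass in` rule on $int_if, so it is the queue stored in that state, not a `tagged` rule, that does the shaping; the tag earns its keep on $ext_if, where the first packet of each connection is still matched against the rules.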
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090606131545.kk8k1qf7a8oc4os8>
