Date: Sat, 6 Jun 2009 18:55:26 +0200
From: Ermal Luçi <eri@freebsd.org>
To: vila@tesla.cujae.edu.cu
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
Message-ID: <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
In-Reply-To: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>
References: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>
On Sat, Jun 6, 2009 at 6:49 PM, <vila@tesla.cujae.edu.cu> wrote:
> Vlad Galu <dudu@dudu.ro> wrote:
>
>> On Sat, Jun 6, 2009 at 5:57 AM, <vila@tesla.cujae.edu.cu> wrote:
>>>
>>> Hi folks!
>>>
>>> I'm trying to figure out if there is a way to make connection marking in
>>> a similar way as the iptables' CONNMARK target does?
>>>
>>> Does pf support this feature?
>>>
>>> My intentions are to tag an outgoing packet, transfer the tag to the whole
>>> connection and then use that tag to mark incoming packets belonging to the
>>> same connection.
>>>
>>> Also, I would like then to use that mark to enqueue marked packets to
>>> hfsc classes.
>>>
>>> I've done all of this in linux but never on freebsd, I've searched in
>>> pf's man page and the FAQ without success.
>>>
>>> thanks in advance,
>>>
>>> evelio vila
>>
>> Hi evelio, see below:
>> -- cut here --
>> tag <string>
>>     Packets matching this rule will be tagged with the specified
>>     string. The tag acts as an internal marker that can be used to
>>     identify these packets later on. This can be used, for example, to
>>     provide trust between interfaces and to determine if packets have
>>     been processed by translation rules. Tags are "sticky", meaning
>>     that the packet will be tagged even if the rule is not the last
>>     matching rule. Further matching rules can replace the tag with a
>>     new one but will not remove a previously applied tag. A packet is
>>     only ever assigned one tag at a time. Packet tagging can be done
>>     during nat, rdr, or binat rules in addition to filter rules. Tags
>>     take the same macros as labels (see above).
>>
>> tagged <string>
>>     Used with filter or translation rules to specify that packets must
>>     already be tagged with the given tag in order to match the rule.
>>     Inverse tag matching can also be done by specifying the ! operator
>>     before the tagged keyword.
>> -- and here --
>>
>> Anyway, I believe that keeping state for the desired outgoing
>> connections should be enough all by itself. You would simply add the
>
> Indeed no, what I want is also to mark the connection to be able then
> to mark incoming packets belonging to the same connection.
>
>> "queue <queue>" directive at the end of your pass out rule, even
>> though the interface packets go out through is the "external" one, and
>> you want to do shaping on the "internal" one but, as I understand, for
>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>
> I am not sure what you mean with "floating (not if-bound) states",
> could you please explain this.
>>
>> like somebody with better pf knowledge to correct me :)

pf(4) is not iptables. So before using it read more about it.
http://home.nuug.no/~peter/pf/en/
http://www.openbsd.org/faq/pf

> thanks for your quick answer vlad.
>
> evelio vila

--
Ermal
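As an added illustration, not taken from the thread, from pf's own documentation or from either poster, the pf.conf fragment below combines the `tag`/`tagged` keywords quoted from the man page with the `queue` assignment Vlad suggests. Interface names, the LAN network, the bandwidth figures and the queue names are assumptions.

```pf
# Added example, not from the thread. Interface names, network, bandwidth
# figures and queue names are assumed values for illustration only.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# HFSC queues on the external interface (bandwidth values are made up).
altq on $ext_if hfsc bandwidth 10Mb queue { q_default, q_marked }
queue q_default bandwidth 70% hfsc(default)
queue q_marked  bandwidth 30% hfsc

block all

# Tag LAN web traffic as it enters on the internal interface and keep state.
# The tag is an internal marker carried with the packet inside pf; unlike an
# iptables mark, nothing is written into the packet on the wire.
pass in on $int_if proto tcp from $lan_net to any port 80 \
    tag LAN_WEB keep state

# pf applies the LAST matching rule unless "quick" is used, so the general
# rule comes first and the more specific tagged rule overrides it below.
pass out on $ext_if keep state queue q_default

# Only packets already carrying the LAN_WEB tag match this rule. It is
# evaluated for the first packet of a connection leaving $ext_if and creates
# a state that records the queue; later packets of that connection match the
# state instead of the ruleset, so the queue assignment sticks to the rest of
# the connection's outbound packets on $ext_if. The state, not the tag, is
# what persists across the connection in pf.
pass out on $ext_if tagged LAN_WEB keep state queue q_marked
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then inspect the resulting states and their queue with `pfctl -ss` and `pfctl -vsq`.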
