Ermal Luçi <[email protected]> wrote:

On Sat, Jun 6, 2009 at 6:49 PM, <[email protected]> wrote:
Vlad Galu <[email protected]> wrote:

On Sat, Jun 6, 2009 at 5:57 AM, <[email protected]> wrote:

Hi folks!

I'm trying to figure out if there is a way to do connection marking in a
similar way to what the iptables CONNMARK target does.

Does pf support this feature?

My intention is to tag an outgoing packet, transfer the tag to the whole
connection and then use that tag to mark incoming packets belonging to the
same connection.

Also, I would like to then use that mark to enqueue marked packets into hfsc
classes.

I've done all of this in Linux but never on FreeBSD. I've searched pf's man
page and the FAQ without success.

thanks in advance,

evelio vila

Hi evelio, see below:
-- cut here --
    tag <string>
          Packets matching this rule will be tagged with the specified
          string.  The tag acts as an internal marker that can be used to
          identify these packets later on.  This can be used, for example, to
          provide trust between interfaces and to determine if packets have
          been processed by translation rules.  Tags are "sticky", meaning
          that the packet will be tagged even if the rule is not the last
          matching rule.  Further matching rules can replace the tag with a
          new one but will not remove a previously applied tag.  A packet is
          only ever assigned one tag at a time.  Packet tagging can be done
          during nat, rdr, or binat rules in addition to filter rules.  Tags
          take the same macros as labels (see above).

    tagged <string>
          Used with filter or translation rules to specify that packets must
          already be tagged with the given tag in order to match the rule.
          Inverse tag matching can also be done by specifying the ! operator
          before the tagged keyword.
-- and here --

 Anyway, I believe that keeping state for the desired outgoing
connections should be enough all by itself. You would simply add the

Indeed no, what I want is also to mark the connection, to be able then
to mark incoming packets belonging to the same connection.

"queue <queue>" directive at the end of your pass out rule, even
though the interface packets go out through is the "external" one, and
you want to do shaping on the "internal" one but, as I understand, for
that you also need floating (not if-bound) states. If I'm wrong, I'd

I am not sure what you mean by "floating (not if-bound) states";
could you please explain this.

like somebody with better pf knowledge to correct me :)

pf(4) is not iptables. So before using it read more about it.


I'm aware of that.

I think it's pretty obvious that my post is simply trying to figure out how to achieve with pf something that I used to do with netfilter.

I've read this before but nothing comes up to me.
http://www.openbsd.org/faq/pf/tagging.html


Thanks anyway, Ermal.
Regards,
evelio vila

http://home.nuug.no/~peter/pf/en/
http://www.openbsd.org/faq/pf



Thanks for your quick answer, Vlad.

evelio vila
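As an added example, not from the thread or from the pf project, here is a pf.conf sketch of what Vlad describes above: the tag and queue are stored in the state by the rule that creates it, so the replies of the connection inherit both, and `tagged` is used in the one place where rules are actually evaluated for every packet. Interface names, the LAN prefix, queue names and bandwidths are constructed assumptions.

```conf
# Added example, not from the thread or from the pf project: the pf.conf
# equivalent of what Vlad describes. Interface names, addresses, queue
# names and bandwidths are constructed; adjust them to the real network.
ext_if  = "em0"
int_if  = "em1"
lan_net = "10.0.0.0/24"

# The hfsc queues live on the interface the shaped packets leave through,
# here the LAN side, since the goal is to shape the incoming (reply) half
# of LAN-originated connections.
altq on $int_if hfsc bandwidth 90Mb queue { q_def, q_web, q_bulk }
queue q_def  bandwidth 40% hfsc(default)
queue q_web  bandwidth 40% hfsc(realtime 10Mb)
queue q_bulk bandwidth 20% hfsc(upperlimit 30Mb)

# The rule that creates a state stores its tag and its queue in that
# state. Every later packet matched by the state, in both directions,
# is tagged and queued the same way: this is pf's connection marking.
# The states are floating (the default); "keep state (if-bound)" would
# bind them to $int_if, which is also where the replies are matched.
# Last matching rule wins, so the specific rules come after the default.
pass in on $int_if inet from $lan_net to any keep state queue q_def
pass in on $int_if inet proto tcp from $lan_net to any port { 80, 443 } \
    tag WEB keep state queue q_web
pass in on $int_if inet proto tcp from $lan_net to any port 873 \
    tag BULK keep state queue q_bulk

# "tagged" is a match criterion for packets that reach the rules; packets
# already handled by a state never get there. The outbound pass on $ext_if
# is such a place: the nat rule tags the packet, and since nat has already
# rewritten the source address, the tag is what the filter can match on.
nat on $ext_if from $lan_net to any tag NATTED -> ($ext_if)
block out on $ext_if
pass  out on $ext_if tagged NATTED keep state
# (The firewall's own outbound traffic is not NATed and needs its own rule.)
```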



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


VI International Conference on Renewable Energy, Energy Saving and
Energy Education
9 - 12 June 2009, Palacio de las Convenciones
...For a sustainable energy culture
www.ciercuba.com
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"




--
Ermal
