[Oisf-devel] [PATCH 0/3] Add set_mark option

Eric Leblond eric at regit.org
Mon Mar 7 10:59:50 UTC 2011


Hello,

This patchset adds support for a new rule option named 'set_mark'.
In NFQ mode, it was possible to ACCEPT or DROP a packet but there was
no in-between. The idea of the patchset is to provide a way to mark
the packet with a specified mark and mask if a signature matches.

The syntax is simple, just add a set_mark option to the rule:
	set_mark:0x10/0xff

The underlying idea is to be able to mark the packet to interact with all
Linux filtering/routing/QoS capabilities.

For example, let's have a rule which may indicate to us that the TCP
session could be used for bad things. In this case, it will be interesting
to collect every subsequent packet of the connection. To do so, we
could simply add set_mark:0x1/0x1 to the rule and have Netfilter do the
job.
On the Netfilter side, we could add
    iptables -I POSTROUTING -t mangle -m mark --mark 0x1/0x1 -j NFLOG
and use ulogd2 to have this packet logged to a pcap file.
If the generic CONNMARK netfilter rules are put in place then the mark will
propagate to all packets of the connection:
    iptables -I PREROUTING -t mangle -j CONNMARK --restore-mark
    iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
This is just an example and we could think about differentiated QoS or
even selective NAT to be able, for example, to redirect a suspect IP to
a honeypot.

Eric Leblond (3):
  Add support for 'set_mark' keyword
  set_mark: handle feature in NFQ.
  detect: Register 'set_mark' feature

 src/Makefile.am   |    1 +
 src/decode.h      |    1 +
 src/detect-mark.c |  312 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/detect-mark.h |   61 +++++++++++
 src/detect.c      |    4 +
 src/detect.h      |    7 ++
 src/source-nfq.c  |   32 +++++-
 7 files changed, 415 insertions(+), 3 deletions(-)
 create mode 100644 src/detect-mark.c
 create mode 100644 src/detect-mark.h

BR,
-- 
Eric Leblond <eric at regit.org>
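The mark-and-propagate flow described in the cover letter (set_mark on a signature match, CONNMARK save/restore, NFLOG on --mark 0x1/0x1), as an added simulation that is not part of the patchset or of Suricata. It assumes the usual Netfilter mask semantics (only the bits selected by the mask are rewritten) and the hook order PREROUTING restore-mark, NFQUEUE verdict, POSTROUTING NFLOG and save-mark; the regex and the sample packet list are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed syntax from the cover letter: set_mark:<mark>/<mask>, hex or decimal.
SET_MARK_RE = re.compile(r"set_mark:\s*(0x[0-9a-fA-F]+|\d+)\s*/\s*(0x[0-9a-fA-F]+|\d+)")

def parse_set_mark(rule):
    """Extract (mark, mask) from a rule body containing a set_mark option."""
    m = SET_MARK_RE.search(rule)
    if m is None:
        raise ValueError("no set_mark option in rule: %r" % rule)
    return int(m.group(1), 0), int(m.group(2), 0)

def apply_mark(current, mark, mask):
    # Assumed Netfilter-style semantics: only the bits selected by mask change.
    return (current & ~mask) | (mark & mask)

def mark_matches(pmark, value, mask):
    # Equivalent of the 'iptables -m mark --mark value/mask' test.
    return (pmark & mask) == (value & mask)

def run_flow(packets, rule, nflog_value=0x1, nflog_mask=0x1):
    """Simulate the mangle-table pipeline from the cover letter.

    packets: list of (flow_id, matches_signature) tuples (constructed input).
    Returns the indices of the packets that reach the NFLOG rule."""
    mark, mask = parse_set_mark(rule)
    connmark = defaultdict(int)   # conntrack entry -> saved connection mark
    logged = []
    for idx, (flow, sig_match) in enumerate(packets):
        # PREROUTING: CONNMARK --restore-mark copies the connection mark (full mask).
        pmark = apply_mark(0, connmark[flow], 0xffffffff)
        # NFQUEUE: the IDS verdicts the packet; on a signature match set_mark applies.
        if sig_match:
            pmark = apply_mark(pmark, mark, mask)
        # POSTROUTING: '-m mark --mark 0x1/0x1 -j NFLOG', then CONNMARK --save-mark.
        if mark_matches(pmark, nflog_value, nflog_mask):
            logged.append(idx)
        connmark[flow] = pmark
    return logged

# Constructed sample: flow A trips the signature on its 2nd packet, flow B never does.
SAMPLE_PACKETS = [("A", False), ("A", True), ("A", False),
                  ("B", False), ("A", False), ("B", False)]
SAMPLE_RULE = 'alert tcp any any -> any any (msg:"suspect"; set_mark:0x1/0x1; sid:1;)'

if __name__ == "__main__":
    print(run_flow(SAMPLE_PACKETS, SAMPLE_RULE))   # [1, 2, 4]
```

Packets 2 and 4 of flow A are logged only because the saved connection mark is restored onto them, which is the propagation the CONNMARK rules provide.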
