[Oisf-devel] [PATCH 0/3] Add set_mark option
Victor Julien
victor at inliniac.net
Mon Mar 7 21:05:25 UTC 2011
I like the idea. I wonder if we should name it something like
nfq_set_mark? It's specific to NFQ. I don't think we can translate it to
IPFW for example... What do you think?
Cheers,
Victor
On 03/07/2011 11:59 AM, Eric Leblond wrote:
> Hello,
>
> This patchset adds support for a new rule option named 'set_mark'.
> In NFQ mode, it was possible to ACCEPT or DROP a packet but there was
> no in-between. The idea of the patchset is to provide a way to mark
> the packet with a specified mark and mask if the signature matches.
>
> The syntax is simple, just add a set_mark option to the rule:
> set_mark:0x10/0xff
>
> Underlying idea is to be able to mark the packet to interact with all
> Linux filtering/routing/QoS capabilities.
>
> For example, let's have a rule which may indicate to us that the TCP
> session could be used for bad things. In this case, it will be interesting
> to collect every subsequent packet of the connection. To do so, we
> could simply add a set_mark:0x1/0x1 to the rule and have Netfilter do the
> job.
> On the Netfilter side, we could add
> iptables -I POSTROUTING -t mangle -m mark --mark 0x1/0x1 -j NFLOG
> and use ulogd2 to have this packet logged to a pcap file.
> If the generic CONNMARK netfilter rules are put in place then the mark will
> propagate to all packets of the connection:
> iptables -I PREROUTING -t mangle -j CONNMARK --restore-mark
> iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
> This is just an example and we could think about differentiated QoS or
> even selective NAT to be able, for example, to redirect a suspect IP to
> a honeypot.
>
> Eric Leblond (3):
> Add support for 'set_mark' keyword
> set_mark: handle feature in NFQ.
> detect: Register 'set_mark' feature
>
> src/Makefile.am | 1 +
> src/decode.h | 1 +
> src/detect-mark.c | 312 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> src/detect-mark.h | 61 +++++++++++
> src/detect.c | 4 +
> src/detect.h | 7 ++
> src/source-nfq.c | 32 +++++-
> 7 files changed, 415 insertions(+), 3 deletions(-)
> create mode 100644 src/detect-mark.c
> create mode 100644 src/detect-mark.h
>
> BR,
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
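The following is an added example, not code from the patchset or from Suricata, illustrating the mark/mask interplay the cover letter describes: a `set_mark:<mark>/<mask>` rule option rewrites the packet mark when a signature matches, and a later `iptables -m mark --mark <value>/<mask>` rule (such as the NFLOG rule quoted above) selects packets by their masked mark bits. It assumes the usual netfilter convention that only the bits covered by the mask are written and all other bits of the existing mark are preserved (an assumption, since the patch itself is not shown here); the packet list is constructed.

```python
"""Added example (not Suricata's or the patch's code): emulate a
set_mark:<mark>/<mask> rule option followed by an iptables
'-m mark --mark <value>/<mask>' match.

Assumption: mask semantics follow the netfilter convention, i.e. only
the bits selected by the mask are written and the remaining bits of the
packet's existing mark are preserved."""
import re
from typing import List, Tuple

# Accepts hex (0x10) or decimal values on either side of the slash.
MARK_RE = re.compile(
    r"^set_mark:\s*(0x[0-9a-fA-F]+|\d+)\s*/\s*(0x[0-9a-fA-F]+|\d+)\s*$"
)
MARK_BITS = 0xFFFFFFFF  # nfmark is a 32-bit value


def parse_set_mark(option: str) -> Tuple[int, int]:
    """Parse 'set_mark:0x10/0xff' into (mark, mask); reject malformed input."""
    m = MARK_RE.match(option.strip())
    if m is None:
        raise ValueError(f"malformed set_mark option: {option!r}")
    mark, mask = int(m.group(1), 0), int(m.group(2), 0)
    if mark > MARK_BITS or mask > MARK_BITS:
        raise ValueError("mark and mask must fit in 32 bits")
    return mark, mask


def apply_mark(current_mark: int, mark: int, mask: int) -> int:
    """New packet mark: masked bits come from 'mark', the rest is kept
    (the preserve-unmasked-bits assumption stated above)."""
    return (current_mark & ~mask & MARK_BITS) | (mark & mask)


def mark_matches(packet_mark: int, value: int, mask: int) -> bool:
    """Emulate iptables '-m mark --mark value/mask': compare masked bits only."""
    return (packet_mark & mask) == (value & mask)


def simulate(packets: List[Tuple[str, int, bool]], option: str,
             match_value: int, match_mask: int) -> List[str]:
    """For each constructed (name, existing_mark, signature_matched) packet,
    apply the rule's set_mark when the signature matched, then report which
    packets the iptables mark match would send on (e.g. to NFLOG)."""
    mark, mask = parse_set_mark(option)
    selected = []
    for name, existing, matched in packets:
        new_mark = apply_mark(existing, mark, mask) if matched else existing
        if mark_matches(new_mark, match_value, match_mask):
            selected.append(name)
    return selected


# Constructed packets: pkt-4 already carries bit 0, as if restored by a
# CONNMARK --restore-mark rule on a connection marked earlier.
PACKETS = [
    ("pkt-1", 0x00, False),
    ("pkt-2", 0x00, True),
    ("pkt-3", 0x20, False),
    ("pkt-4", 0x21, False),
]

if __name__ == "__main__":
    print(hex(apply_mark(0xABCD1234, 0x10, 0xFF)))
    print(simulate(PACKETS, "set_mark:0x1/0x1", 0x1, 0x1))
```

Running it shows that a rule hit (pkt-2) and a packet whose connection was marked earlier (pkt-4) are the ones the `--mark 0x1/0x1` match selects, while pkt-3's unrelated bits are left untouched because they fall outside the mask.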