[Oisf-devel] [PATCH 0/3] Add set_mark option

Eric Leblond eric at regit.org
Mon Mar 7 21:18:09 UTC 2011


Hi,

On Monday 07 March 2011 at 22:05 +0100, Victor Julien wrote:
> I like the idea.

Good to hear that :)

> I wonder if we should name it something like
> nfq_set_mark? It's specific to NFQ. I don't think we can translate it to
> IPFW for example... What do you think?

You're right. I don't think this is possible on *BSD. I will modify the
option name before resending the patch.

BR,
--
Eric

> 
> Cheers,
> Victor
> 
> On 03/07/2011 11:59 AM, Eric Leblond wrote:
> > Hello,
> > 
> > This patchset adds support for a new rule option named 'set_mark'.
> > In NFQ mode, it was possible to ACCEPT or DROP a packet but there was
> > no in-between. The idea of the patchset is to provide a way to mark
> > the packet with a specified mark and mask if the signature matches.
> > 
> > The syntax is simple, just add a set_mark option to the rule:
> > 	set_mark:0x10/0xff
> > 
> > Underlying idea is to be able to mark the packet to interact with all
> > Linux filtering/routing/QoS capabilities.
> > 
> > For example, let's have a rule which may indicate to us that the TCP
> > session could be used for bad things. In this case, it will be interesting
> > to collect every subsequent packet of the connection. To do so, we
> > could simply add set_mark:0x1/0x1 to the rule and have Netfilter do the
> > job.
> > On the Netfilter side, we could add
> >     iptables -I POSTROUTING -t mangle -m mark --mark 0x1/0x1 -j NFLOG
> > and use ulogd2 to have this packet logged to a pcap file.
> > If the generic CONNMARK netfilter rules are put then the mark will
> > propagate on all packets of the connection:
> >     iptables -I PREROUTING -t mangle -j CONNMARK --restore-mark
> >     iptables -I POSTROUTING -t mangle -j CONNMARK --save-mark
> > This is just an example and we could think about differentiated QoS or
> > even selective NAT to be able for example to redirect a suspect IP to
> > a honeypot.
> > 
> > Eric Leblond (3):
> >   Add support for 'set_mark' keyword
> >   set_mark: handle feature in NFQ.
> >   detect: Register 'set_mark' feature
> > 
> >  src/Makefile.am   |    1 +
> >  src/decode.h      |    1 +
> >  src/detect-mark.c |  312 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  src/detect-mark.h |   61 +++++++++++
> >  src/detect.c      |    4 +
> >  src/detect.h      |    7 ++
> >  src/source-nfq.c  |   32 +++++-
> >  7 files changed, 415 insertions(+), 3 deletions(-)
> >  create mode 100644 src/detect-mark.c
> >  create mode 100644 src/detect-mark.h
> > 
> > BR,
> 
> 

-- 
Eric Leblond <eric at regit.org>
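The packet-marking workflow described in the quoted post, as an added example that is not part of the thread or of the Suricata patch: a small Python model of the `set_mark:value/mask` option, covering the parser for the option syntax, the masked update of the packet's nfmark that the NFQ verdict applies, the `-m mark --mark value/mask` test used by the NFLOG rule, and the CONNMARK save/restore propagation across a connection. The packet list is constructed for the example, and the bit semantics (only mask bits are written; a match compares the masked mark) are assumed here to follow the usual Netfilter behaviour rather than being taken from the patch itself.

```python
import re
from typing import Dict, List, Tuple

# Option grammar as shown in the post: value/mask, hex or decimal, both required.
_OPT_RE = re.compile(r'^\s*(0[xX][0-9a-fA-F]+|\d+)\s*/\s*(0[xX][0-9a-fA-F]+|\d+)\s*$')

MARK_BITS = 0xFFFFFFFF  # nfmark is a 32-bit value


def parse_set_mark(opt: str) -> Tuple[int, int]:
    """Parse 'set_mark:VALUE/MASK' payload such as '0x10/0xff' into (value, mask)."""
    m = _OPT_RE.match(opt)
    if not m:
        raise ValueError(f"bad set_mark option: {opt!r} (expected value/mask)")
    value, mask = int(m.group(1), 0), int(m.group(2), 0)
    if value > MARK_BITS or mask > MARK_BITS:
        raise ValueError("mark and mask must fit in 32 bits")
    return value, mask


def apply_mark(current: int, value: int, mask: int) -> int:
    """Assumed NFQ set semantics: bits selected by mask take the new value, others are kept."""
    return (current & ~mask & MARK_BITS) | (value & mask)


def mark_matches(mark: int, value: int, mask: int) -> bool:
    """Assumed '-m mark --mark value/mask' semantics: compare the masked mark."""
    return (mark & mask) == (value & mask)


def simulate(packets: List[Dict], rule_value: int, rule_mask: int,
             log_value: int, log_mask: int) -> List[int]:
    """Walk constructed packets through restore-mark, the IDS verdict, the NFLOG
    match and save-mark; return the ids of packets the NFLOG rule would catch."""
    connmark: Dict[str, int] = {}  # connection key -> saved conntrack mark
    logged: List[int] = []
    for pkt in packets:
        key = pkt["flow"]
        # PREROUTING: CONNMARK --restore-mark copies the connection mark onto the packet
        mark = connmark.get(key, 0)
        # NFQ verdict: if the signature matched, set_mark updates the packet mark
        if pkt["alert"]:
            mark = apply_mark(mark, rule_value, rule_mask)
        # POSTROUTING: -m mark --mark log_value/log_mask -j NFLOG
        if mark_matches(mark, log_value, log_mask):
            logged.append(pkt["id"])
        # POSTROUTING: CONNMARK --save-mark stores the packet mark on the connection
        connmark[key] = mark
    return logged


# Constructed sample: flow A triggers the signature on its second packet,
# flow B is an unrelated connection that never matches.
PACKETS = [
    {"id": 1, "flow": "A", "alert": False},
    {"id": 2, "flow": "A", "alert": True},   # signature fires here
    {"id": 3, "flow": "A", "alert": False},  # still logged thanks to CONNMARK
    {"id": 4, "flow": "B", "alert": False},
]


def demo() -> List[int]:
    value, mask = parse_set_mark("0x1/0x1")     # the rule from the post
    return simulate(PACKETS, value, mask, 0x1, 0x1)  # NFLOG rule: --mark 0x1/0x1


if __name__ == "__main__":
    print("packets the NFLOG rule would capture:", demo())
```

Running the block prints the ids of packets 2 and 3: the packet that matched the signature and the later packet of the same connection, while the unrelated flow stays untouched. Changing the mask to `0xff` with a value of `0x10` shows why the mask matters: bits outside it, such as marks set by other tools in the chain, survive the update.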