.\" Automatically generated by Pandoc 2.2.1 .nh .\" .TH "firehol\-mark" "5" "Built 12 Apr 2019" "FireHOL Reference" "3.1.6" .hy .SH NAME .PP firehol\-mark \- set a stateful mark from the usermark group .SH SYNOPSIS .PP { mark | mark46 } \f[I]value\f[] \f[I]chain\f[] \f[I]rule\-params\f[] .PP mark4 \f[I]value\f[] \f[I]chain\f[] \f[I]rule\-params\f[] .PP mark6 \f[I]value\f[] \f[I]chain\f[] \f[I]rule\-params\f[] .SH DESCRIPTION .PP Marks on packets can be matched by traffic shaping, routing, and firewall rules for controlling traffic. .RS .PP \f[B]Note\f[] Behaviour changed significantly in FireHOL v3 compared to earlier versions .PP There is also a \f[C]mark\f[] parameter which allows matching marks within individual rules (see firehol\-params(5)). .RE .PP FireHOL uses iptables \f[C]masks\f[] to break the single 32\-bit integer mark value into smaller groups and allows you to set and match them independently. The \f[C]markdef\f[] group definitions to set this up are found in \f[C]firehol\-defaults.conf\f[] .PP The \f[C]mark\f[] helper command sets values within the \f[C]usermark\f[] group. You can set \f[I]value\f[] between 0 (no mark) and \f[C]size\f[]\-1. The default size for \f[C]usermark\f[] is 128, so 127 is highest \f[I]value\f[] possible. The default \f[C]usermark\f[] types are \f[C]stateful\f[]+\f[C]permanent\f[], meaning the initial match will only be done on \f[C]NEW\f[] packets and the mark will be restored to all packets in the connection. .PP The \f[I]chain\f[] will be used to find traffic to mark. It can be any of the iptables(8) built in chains belonging to the \f[C]mangle\f[] table. The chain names are: INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING. The names are case\-sensitive. .PP The \f[I]rule\-params\f[] define a set of rule parameters to match the traffic that is to be marked within the chosen chain. See firehol\-params(5) for more details. .PP Any \f[C]mark\f[] commands must be declared before the first router or interface. .RS .PP \f[B]Note\f[] .PP If you want to do policy based routing based on iptables(8) marks, you will need to disable the Root Path Filtering on the interfaces involved (rp_filter in sysctl). .PP FireQOS will read the FireHOL mark definitions and set up suitable offsets and marks for the various groups. If you are using a different tool, you should look at the emitted firewall to determine the final masks and values to use. .RE .SH EXAMPLES .IP .nf \f[C] \ #\ mark\ with\ 1,\ packets\ sent\ by\ the\ local\ machine \ mark\ 1\ OUTPUT \ #\ mark\ with\ 2,\ packets\ routed\ by\ the\ local\ machine \ mark\ 2\ FORWARD \ #\ mark\ with\ 3,\ packets\ routed\ by\ the\ local\ machine,\ sent\ from \ #\ \ \ \ \ \ \ \ \ \ \ \ \ \ 192.0.2.2\ destined\ for\ port\ TCP/25\ of\ 198.51.100.1 \ mark\ 3\ FORWARD\ proto\ tcp\ dport\ 25\ dst\ 198.51.100.1\ src\ 192.0.2.2 \f[] .fi .SH SEE ALSO .IP \[bu] 2 firehol(1) \- FireHOL program .IP \[bu] 2 firehol.conf(5) \- FireHOL configuration .IP \[bu] 2 firehol\-params(5) \- optional rule parameters .IP \[bu] 2 firehol\-connmark(5) \- set a stateful mark from the connmark group .IP \[bu] 2 iptables(8) (http://ipset.netfilter.org/iptables.man.html) \- administration tool for IPv4 firewalls .IP \[bu] 2 ip6tables(8) (http://ipset.netfilter.org/ip6tables.man.html) \- administration tool for IPv6 firewalls .IP \[bu] 2 ip(8) \- show / manipulate routing, devices, policy routing and tunnels .IP \[bu] 2 FireHOL Website (http://firehol.org/) .IP \[bu] 2 Working With Marks Wiki Page (https://github.com/firehol/firehol/wiki/Working-with-MARKs) .IP \[bu] 2 FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf) .IP \[bu] 2 FireHOL Online Documentation (http://firehol.org/documentation/) .IP \[bu] 2 Linux Advanced Routing & Traffic Control HOWTO (http://lartc.org/howto/) .SH AUTHORS FireHOL Team.