.\" Automatically generated by Pandoc 3.1.3
.nh
.\"
.\" Define V font for inline verbatim, using C font in formats
.\" that render this, and otherwise B font.
.ie "\f[CB]x\f[]"x" \{\
. ftr V B
. ftr VI BI
. ftr VB B
. ftr VBI BI
.\}
.el \{\
. ftr V CR
. ftr VI CI
. ftr VB CB
. ftr VBI CBI
.\}
.TH "firehol-connmark" "5" "Built 30 Mar 2024" "FireHOL Reference" "3.1.7"
.hy
.SH NAME
.PP
firehol-connmark - set a stateful mark from the connmark group
.SH SYNOPSIS
.PP
{ connmark | connmark46 } \f[I]value\f[R] \f[I]chain\f[R] \f[I]rule-params\f[R]
.PP
connmark4 \f[I]value\f[R] \f[I]chain\f[R] \f[I]rule-params\f[R]
.PP
connmark6 \f[I]value\f[R] \f[I]chain\f[R] \f[I]rule-params\f[R]
.SH DESCRIPTION
.PP
Marks on packets can be matched by traffic shaping, routing, and firewall rules for controlling traffic.
.RS
.PP
\f[B]Note\f[R]
Behaviour changed significantly in FireHOL v3 compared to earlier versions.
.RE
.PP
FireHOL uses iptables \f[V]masks\f[R] to break the single 32-bit integer mark value into smaller groups and allows you to set and match them independently.
The \f[V]markdef\f[R] group definitions that set this up are found in \f[V]firehol-defaults.conf\f[R].
.PP
The \f[V]connmark\f[R] helper command sets values within the \f[V]connmark\f[R] group.
You can set \f[I]value\f[R] between 0 (no mark) and \f[V]size\f[R]-1.
The default size for \f[V]connmark\f[R] is 64, so 63 is the highest \f[I]value\f[R] possible.
The default \f[V]connmark\f[R] types are \f[V]stateful\f[R]+\f[V]permanent\f[R], meaning the initial match will only be done on \f[V]NEW\f[R] packets and the mark will be restored to all packets in the connection.
.PP
The \f[I]chain\f[R] will be used to find traffic to mark.
It can be any of the iptables(8) built-in chains belonging to the \f[V]mangle\f[R] table.
The chain names are: INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING.
The names are case-sensitive.
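The mask arithmetic described above, as an added example that is not part of this man page or of the FireHOL code: each mark group gets a contiguous bit range and mask, a value is written into its group without disturbing the other groups' bits, and values outside 0..size-1 are rejected. The group layout used here (a 16-entry usermark group followed by the 64-entry connmark group) is a constructed assumption; FireHOL derives the real offsets from the markdef lines in firehol-defaults.conf, so read the emitted iptables rules for the actual mask values.

```python
# Added example: splitting the single 32-bit netfilter mark into
# independently settable groups, as FireHOL's markdef mechanism does.
MARK_BITS = 32

def build_groups(layout):
    """Assign each (name, size) group a bit range, lowest bits first.
    size must be a power of two; the group then holds values 0..size-1."""
    groups = {}
    offset = 0
    for name, size in layout:
        if size < 2 or size & (size - 1):
            raise ValueError(f"{name}: size must be a power of two, got {size}")
        width = size.bit_length() - 1          # bits needed for size values
        if offset + width > MARK_BITS:
            raise ValueError("mark groups do not fit in a 32-bit mark")
        mask = ((1 << width) - 1) << offset
        groups[name] = {"size": size, "offset": offset, "mask": mask}
        offset += width
    return groups

def set_group(mark, groups, name, value):
    """Write value into one group and leave every other group unchanged,
    i.e. clear the group's mask bits, then place the shifted value.
    This is what iptables does for CONNMARK --set-xmark value/mask when
    value lies inside mask."""
    g = groups[name]
    if not 0 <= value < g["size"]:
        raise ValueError(f"{name}: value must be 0..{g['size'] - 1}, got {value}")
    return (mark & ~g["mask"]) | (value << g["offset"])

def get_group(mark, groups, name):
    """Read one group's value back out of a combined mark."""
    g = groups[name]
    return (mark & g["mask"]) >> g["offset"]

def xmark_arg(groups, name, value):
    """Render the value/mask pair in the form iptables prints for
    --set-xmark, so the emitted rules can be checked against a layout."""
    g = groups[name]
    return f"0x{value << g['offset']:x}/0x{g['mask']:x}"

# Constructed layout (assumption, not FireHOL's real default): a usermark
# group of 16 values in the low bits, then the 64-value connmark group.
LAYOUT = [("usermark", 16), ("connmark", 64)]

if __name__ == "__main__":
    G = build_groups(LAYOUT)
    mark = set_group(0x5, G, "connmark", 63)   # usermark 5 stays intact
    print(hex(mark), get_group(mark, G, "usermark"), xmark_arg(G, "connmark", 3))
```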
.PP
The \f[I]rule-params\f[R] define a set of rule parameters to match the traffic that is to be marked within the chosen chain.
See firehol-params(5) for more details.
.PP
Any \f[V]connmark\f[R] commands must be declared before the first router or interface.
.RS
.PP
\f[B]Note\f[R]
.PP
If you want to do policy based routing based on iptables(8) marks, you will need to disable Reverse Path Filtering on the interfaces involved (rp_filter in sysctl).
.PP
FireQOS will read the FireHOL mark definitions and set up suitable offsets and marks for the various groups.
If you are using a different tool, you should look at the emitted firewall to determine the final masks and values to use.
.RE
.SH EXAMPLES
.IP
.nf
\f[C]
# mark with 1, packets sent by the local machine
connmark 1 OUTPUT

# mark with 2, packets routed by the local machine
connmark 2 FORWARD

# mark with 3, packets routed by the local machine, sent from
# 192.0.2.2 destined for port TCP/25 of 198.51.100.1
connmark 3 FORWARD proto tcp dport 25 dst 198.51.100.1 src 192.0.2.2
\f[R]
.fi
.SH SEE ALSO
.IP \[bu] 2
firehol(1) - FireHOL program
.IP \[bu] 2
firehol.conf(5) - FireHOL configuration
.IP \[bu] 2
firehol-params(5) - optional rule parameters
.IP \[bu] 2
firehol-mark(5) - set a stateful mark from the usermark group
.IP \[bu] 2
iptables(8) (http://ipset.netfilter.org/iptables.man.html) - administration tool for IPv4 firewalls
.IP \[bu] 2
ip6tables(8) (http://ipset.netfilter.org/ip6tables.man.html) - administration tool for IPv6 firewalls
.IP \[bu] 2
ip(8) - show / manipulate routing, devices, policy routing and tunnels
.IP \[bu] 2
FireHOL Website (http://firehol.org/)
.IP \[bu] 2
Working With Marks Wiki Page (https://github.com/firehol/firehol/wiki/Working-with-MARKs)
.IP \[bu] 2
FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
.IP \[bu] 2
FireHOL Online Documentation (http://firehol.org/documentation/)
.IP \[bu] 2
Linux Advanced Routing & Traffic Control HOWTO (http://lartc.org/howto/)
.SH AUTHORS
FireHOL Team.