<0> Hi all
<0> Please can someone check some coding for me at http://pastebin.com/621655 we are trying to set up a second routing table and direct the traffic from the second gateway back to the gateway
<0> hi all
<1> hi
<1> re
<1> is there a way to match each nth-packet per connection?
<1> i've seen that conntrack already keeps per-connection-counters ...
<1> afaik ipt_nth is global for all packet-counters
<2> yeah, I think you might have to write your own module or use libipq. What are you trying to do?
<1> I have set up rules that mark tcp-connections
<1> basically it's:
<1> -m state --state NEW -j mark_ftpmirror
<1> in which chain I do set a CONNMARK based upon the source-address
<1> intention is to "re-mark" established connections, in case routes might change
<1> so basically I thought about -m connnth 100000
<1> and then re-set the CONNMARK
<1> for long-living tcp-connections
<2> so, you want to change the mark after a certain amount of traffic? could you use connlimit?
<1> well, not really
<2> hmm, or connbytes
<1> connlimit or connbytes - but always with an n-th-match
<1> like "once every XXX packets feed the next packet through the marking-chain again"
<1> to see if the mark is still okay, or if the rules in that chain might have changed meanwhile and now a different marking is to be applied
<2> couldn't you just match on the old mark for all connections you want to change the mark on?
<1> well no
<1> I have marks 10, 20, 30
<1> and a certain source-address might move from 10 to 20 or so
<1> I know when I update the rule-chain with a script
<1> so my other idea was to feed all unmarked packets through the chain
<1> but for that I would need to be able to reset all connmarks with a commandline-tool
<1> and afaik it's not possible with an echo into /proc/net/ip_conntrack, is it?
<1> if I could echo "* mark=0" > /proc/net/ip_conntrack
<1> that would be fine as well
<2> I'm wondering if you can use the conntrack userspace tool to do that
<1> is there a userspace-tool?
<2> yes, netfilter.org
<2> only works in 2.6.14+
<1> I have a 2.6.15 here
<1> hmm
<1> http://www.netfilter.org/projects/conntrack/index.html
<1> reading through the features I wonder if "modifying marks" is within its scope
<2> hmm, but I don't see how you could add a mark
<1> if I could, that would be the ideal solution
<1> I'm afk for 5min - thank you already daniel
<1> cu l8r
<1> back
<1> danieldg: I'll try to build the userspace-tool here, first
<1> danieldg: and take a look if it can be extended to at least zero the marks easily - let's hope
<2> there is an option to set a mark, not mentioned in the manpage
<2> --mark or -m
<2> and there's a -U to update a conntrack
<1> *hmpf* does not compile on a stock FC4
<1> seems I miss the netlink-libs or something
<2> you got nfnetlink and libnetfilter_conntrack?
<1> I'll take a closer look
<2> you need all three, in that order
<1> I'll take a look
<1> thank you
<3> re
<1> re
<1> danieldg: libs work fine now
<1> danieldg: do you know an example-syntax of conntrack? I expected conntrack -U --mark 0 to work
<2> I think you have to iterate over all the conntracks
<1> hmm
<1> there is -i to specify the ID
<1> but that does not seem to be enough to identify the conntrack
<2> try something like -s 12.201.221.102 -d 64.113.76.55 -p tcp --orig-port-src 12345 --orig-port-dst 443
<1> I'll have a closer look
<1> thank you