~cyphermox/ubuntu/precise/dnsmasq/dbus

« back to all changes in this revision

Viewing changes to contrib/conntrack/README

Committer: Package Import Robot
Author(s): Simon Kelley
Date: 2011-09-15 16:33:23 UTC
mfrom: (12.1.11 sid)
Revision ID: package-import@ubuntu.com-20110915163323-cf1q0y1t6r3xyjkp

Tags: 2.58-3

http://bugs.debian.org/641717

http://bugs.debian.org/640095

* Fix resolvconf script location. (closes: #641717)
* Update systemd service file. (closes: #640095)

files added:
.new

contrib/conntrack

contrib/conntrack/README

contrib/systemd

contrib/systemd/README

contrib/systemd/dnsmasq.service

debian/dbus.conf

debian/resolvconf-package

debian/systemd.service

src/conntrack.c

files modified:
CHANGELOG

Makefile

bld/Android.mk

contrib/wrt/dhcp_release.c

debian/changelog

debian/control

debian/default

debian/readme

debian/resolvconf

debian/rules

dnsmasq.conf.example

man/dnsmasq.8

man/fr/dnsmasq.8

po/de.po

po/es.po

po/fi.po

po/fr.po

po/id.po

po/it.po

po/no.po

po/pl.po

po/pt_BR.po

po/ro.po

setup.html

src/bpf.c

src/cache.c

src/config.h

src/dhcp.c

src/dns_protocol.h

src/dnsmasq.c

src/dnsmasq.h

src/forward.c

src/lease.c

src/log.c

src/netlink.c

src/network.c

src/option.c

src/rfc1035.c

src/rfc2131.c

src/tftp.c

src/util.c

Show diffs side-by-side

added added

removed removed

contrib/conntrack/README

Linux iptables includes that ability to mark individual network packets

with a "firewall mark". Additionally there is a component called

"conntrack" which tries to string sequences of related packets together

into a "connection" (it even relates sequences of UDP and ICMP packets).

There is a related mark for a connection called a "connection mark".

Marks can be copied freely between the firewall and connection marks

Using these two features it become possible to tag all related traffic

in arbitrary ways, eg authenticated users, traffic from a particular IP,

port, etc. Unfortunately any kind of "proxy" breaks this relationship

because network packets go in one side of the proxy and a completely new

connection comes out of the other side. However, sometimes, we want to

maintain that relationship through the proxy and continue the connection

mark on packets upstream of our proxy

DNSMasq includes such a feature enabled by the --conntrack

option. This allows, for example, using iptables to mark traffic from

a particular IP, and that mark to be persisted to requests made *by*

DNSMasq. Such a feature could be useful for bandwidth accounting,

captive portals and the like. Note a similar feature has been

implemented in Squid 2.2

As an example consider the following iptables rules:

1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137

-j MARK --set-mark 137

3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark

1-3) are all applied to the PREROUTING table and affect all packets

entering the firewall.

1) copies any existing connection mark into the firewall mark. 2) Checks

the packet not already marked and if not applies an arbitrary mark based

on IP address. 3) Saves the firewall mark back to the connection mark

(which will persist it across related packets)

4) is applied to the OUTPUT table, which is where we first see packets

generated locally. DNSMasq will have already copied the firewall mark

from the request, across to the new packet, and so all that remains is

for iptables to copy it to the connection mark so it's persisted across

packets.

Note: iptables can be quite confusing to the beginner. The following

diagram is extremely helpful in understanding the flows

http://linux-ip.net/nf/nfk-traversal.png

Additionally the following URL contains a useful "starting guide" on

linux connection tracking/marking

http://home.regit.org/netfilter-en/netfilter-connmark/

Older »