Working with MARKs
MARKs attach a numeric label (a tag) to traffic, so that marked packets carry an ID along with them.
Once packets have been marked, the mark can be used to take decisions based on it:
- Allow or deny access (in firehol)
- classify packets for traffic shaping (in fireqos)
- take routing decisions (in link-balancer)
Packets can only be marked with the mark FireHOL helper. Once the packets are marked, all tools provide a common set of optional rule parameters (match statements) to take decisions based on these marks.
The kernel supports only one mark per packet (the 32-bit fwmark). Just one mark.
It does, however, accept a bitmask on every operation on this mark, so an operation can read or write only some of its bits.
Using this masking mechanism, all FireHOL tools allow multiple MARKs to be set on each packet. So, a packet can have mark A for packet filtering, mark B for traffic shaping, mark C for routing and mark D for other special purposes.
The way this is implemented in FireHOL tools, marks A, B, C, D are completely isolated and independent. Each one can have its own value that does not interfere with the others in any way.
Furthermore, FireHOL tools allow you to customize these marks any way you like. You can add your mark types and configure their options.
What are these options:
Each mark type has a minimum and a maximum value.
Although MARKs are 32-bit numbers (0 to 4294967295), when we bitmask them we actually use only some of these bits for each mark type. We allocate a certain number of bits dedicated to each mark type.
For example, for our 4 mark types A, B, C, D we could use 8 bits for each. This means each mark type gets a value from 0 to 255 and all 32 bits are used. Or we could use 8 bits for A and B (values 0 - 255) and 4 bits for C and D (values 0 - 15). Or 10 bits for A (values 0 - 1023), 6 bits for B (values 0 - 63), 5 bits for C (values 0 - 31) and just 1 bit for D (values 0 - 1).
When you define mark types in FireHOL you don't need to care about the bits used. You just say the number of values a mark type should have and FireHOL does all the calculations. If you overflow the 32 bits, FireHOL gives you an error. The only thing to remember is that the number of possible values of each mark type must be a power of 2 (2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, etc.).
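The bit allocation described above, as an added example in shell (not FireHOL's own code): each call asks for a number of values, which must be a power of two, and is packed into the next free bits of the 32-bit fwmark; a non-power-of-two size or running past 32 bits is rejected. The MARK_<type>_SHIFT/MASK/MAX variable names and the packing order (definition order, from bit 0 upwards) are assumptions of this example, not FireHOL's internals. mark_xmark prints a value/mask pair in the form iptables' MARK --set-xmark takes, which is what confines a write to one type's bits.

```sh
#!/bin/sh
# Added example, not FireHOL's own code: allocate bits of the 32-bit fwmark to
# named mark types as the text describes. Each type asks for a number of values
# (a power of two); types are packed in definition order from bit 0 upwards,
# and running past 32 bits is an error. The MARK_<type>_* variable names and
# the packing order are assumptions of this example.

MARK_NEXT_BIT=0

markdef_clear() {
    MARK_NEXT_BIT=0
}

# markdef_add NAME VALUES
# Sets MARK_<NAME>_SHIFT (first bit), MARK_<NAME>_MASK and MARK_<NAME>_MAX.
# Returns 1 if VALUES is not a power of two or the 32 bits are exhausted.
markdef_add() {
    name="$1"; values="$2"; bits=0
    case "$name" in
        ""|*[!A-Za-z0-9_]*) echo "markdef: bad mark type name '$name'" >&2; return 1 ;;
    esac
    # a power of two (>= 2) has exactly one bit set, so values & (values-1) == 0
    if [ "$values" -lt 2 ] || [ $(( values & (values - 1) )) -ne 0 ]; then
        echo "markdef: $name: $values is not a power of 2" >&2
        return 1
    fi
    # values = 2^bits
    v=$values
    while [ "$v" -gt 1 ]; do v=$(( v >> 1 )); bits=$(( bits + 1 )); done
    if [ $(( MARK_NEXT_BIT + bits )) -gt 32 ]; then
        echo "markdef: $name: needs $bits bits, only $(( 32 - MARK_NEXT_BIT )) of 32 left" >&2
        return 1
    fi
    eval "MARK_${name}_SHIFT=$MARK_NEXT_BIT"
    eval "MARK_${name}_MAX=$(( values - 1 ))"
    eval "MARK_${name}_MASK=$(( (values - 1) << MARK_NEXT_BIT ))"
    MARK_NEXT_BIT=$(( MARK_NEXT_BIT + bits ))
    return 0
}

# mark_xmark NAME VALUE
# Prints VALUE/MASK in hex, the form iptables' MARK --set-xmark and
# CONNMARK --nfmask/--ctmask expect; the mask confines the write to this
# type's bits so the other types on the packet are untouched.
mark_xmark() {
    name="$1"; value="$2"
    eval "sh_=\$MARK_${name}_SHIFT; mask=\$MARK_${name}_MASK; max=\$MARK_${name}_MAX"
    if [ -z "$mask" ]; then
        echo "mark: $name: undefined mark type" >&2
        return 1
    fi
    if [ "$value" -lt 0 ] || [ "$value" -gt "$max" ]; then
        echo "mark: $name: value $value outside 0-$max" >&2
        return 1
    fi
    printf '0x%x/0x%x\n' $(( value << sh_ )) "$mask"
}

# Demo: the wiki's default definitions followed by the two extra types
markdef_clear
markdef_add connmark 64
markdef_add usermark 128
markdef_add qos 16
markdef_add ipsec 2
for n in connmark usermark qos ipsec; do
    eval "s=\$MARK_${n}_SHIFT; m=\$MARK_${n}_MASK; x=\$MARK_${n}_MAX"
    printf '%-9s first bit %2d  mask 0x%08x  values 0-%d\n' "$n" "$s" "$m" "$x"
done
mark_xmark qos 1    # prints 0x2000/0x1e000
```

With the four definitions above, connmark takes bits 0-5, usermark bits 6-12, qos bits 13-16 and ipsec bit 17, leaving 14 bits free; one more 16384-value type fills the word exactly and anything after it is refused.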
Each mark can be configured as temporary or permanent
permanent saves this mark type to the connection tracker (CONNMARK), so that all packets related to the marked one, will automatically get the mark.
temporary does not save this mark type to the connection tracker.
Each mark can be configured to be stateless or stateful. This option controls which packets get marked by the mark helper:
- stateless marks all packets matched by the optional rule parameters of the mark helper.
- stateful marks only the NEW packets of each connection (the first packet that opens it) matched by the optional rule parameters of the mark helper.
stateful/stateless and permanent/temporary interact with each other. We will discuss this in detail at Defining Mark Options.
There are also a few shortcuts:
- default means permanent stateful
- classic means temporary stateless
How to Configure Marks
You can add markdef lines at the top of
Alternatively you can edit
This is an abstract of the default configuration:
```
# clear the marks
markdef clear

# define the default marks
markdef connmark 64
markdef usermark 128
```
The mark types connmark and usermark should always be defined. Of course you can adapt their maximum values to your needs.
You can also add more mark types, for example appending the following will add a few more marks:
```
markdef qos 16
markdef ipsec 2 classic
```
How to match packets with specific marks
Defining Mark Options
There are 4 possible combinations for the options:
permanent stateful marks, or 'default'
This is the default.
stateful makes the FireHOL mark helper mark only the NEW packets of each connection, and permanent makes the kernel restore this mark on every packet that is part of the same connection or related to it.
what to mark at the helper:
Use the 'mark' helper to mark just the first packet of a request. All replies (and related connections) will automatically get the same mark.
This is the most efficient and simplest kind of mark, which is why it is the default.
```
markdef qos 16 default
...
# set the qos mark 1 on all packets sent from the local machine to an smtp server
# their replies will be marked automatically
custommark qos 1 OUTPUT dport 25
```
temporary stateless marks, or 'classic'
This is the 'classic' mark seen in iptables MARK examples all over the net.
temporary means the kernel never restores this mark indirectly on any packet, and stateless means that only what the mark helper matches gets the mark.
what to mark at the helper:
You should use the 'mark' helper to mark the traffic you want to have marked. Nothing else will be marked.
So if you just want to port to FireHOL something you found on the net, you will most probably need this kind of mark.
```
markdef qos 2 classic
...
# set the qos mark 1 on all packets sent from the local machine to an smtp server
# its replies will not be marked
custommark qos 1 OUTPUT dport 25
```
temporary stateful marks
Using these mark options, only the NEW packets of each connection will be marked, that is, the first request packet. No other packets will have the mark set.
```
markdef test 2 temporary stateful
```
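What the stateful/stateless and permanent/temporary options mean in iptables terms, as an added example in shell. This is not FireHOL's own code or the rules it generates; it is one hand-written rendering of the semantics described above, and it also covers the fourth combination, permanent stateless, which marks every matched packet and saves it to the connection tracker. The rules are printed rather than executed, so it runs without root. MASK and SHIFT are the bits the type occupies; the sample assumes a 16-value qos type packed after connmark 64 and usermark 128, i.e. bits 13-16 with mask 0x1e000, and writes the match as plain iptables arguments instead of FireHOL's dport syntax.

```sh
#!/bin/sh
# Added example, not FireHOL's own code or generated output: the iptables
# mangle rules that give one mark type the semantics of each
# stateful/stateless x permanent/temporary combination. Rules are printed,
# not executed, so this runs without root. MASK and SHIFT are the bits the
# type occupies; the sample assumes a 16-value qos type packed after
# connmark 64 and usermark 128, i.e. bits 13-16, mask 0x1e000.

# mark_rules MASK SHIFT STATE PERSIST VALUE CHAIN [iptables match args...]
#   STATE is stateful or stateless, PERSIST is permanent or temporary
mark_rules() {
    mask=$(( $1 )); sh_="$2"; state="$3"; persist="$4"; value="$5"; chain="$6"
    shift 6
    match="$*"
    case "$state" in stateful|stateless) ;;
        *) echo "mark_rules: state must be stateful or stateless" >&2; return 1 ;; esac
    case "$persist" in permanent|temporary) ;;
        *) echo "mark_rules: persistence must be permanent or temporary" >&2; return 1 ;; esac
    # the value, shifted into place, must stay inside this type's bits
    if [ $(( (value << sh_) & ~mask )) -ne 0 ]; then
        echo "mark_rules: value $value does not fit in mask $(printf '0x%x' "$mask")" >&2
        return 1
    fi
    xmark=$(printf '0x%x/0x%x' $(( value << sh_ )) "$mask")
    hexmask=$(printf '0x%x' "$mask")

    # stateful: only the packet that opens a connection is matched and marked;
    # stateless: every packet the match selects is marked.
    ctstate=""
    [ "$state" = stateful ] && ctstate="-m conntrack --ctstate NEW "

    # permanent: before any matching, copy this type's bits back from the
    # conntrack mark, so every later packet of a marked connection (and of
    # connections related to it) gets the mark without matching the rule
    # again. One such rule per type belongs at the top of the chain.
    if [ "$persist" = permanent ]; then
        echo "iptables -t mangle -I $chain 1 -j CONNMARK --restore-mark --nfmask $hexmask --ctmask $hexmask"
    fi

    # the actual marking; --set-xmark with a mask writes only this type's bits
    echo "iptables -t mangle -A $chain ${ctstate}${match:+$match }-j MARK --set-xmark $xmark"

    # permanent: store the bits just set into the conntrack entry, again
    # masked so other types' bits in the ctmark are preserved
    if [ "$persist" = permanent ]; then
        echo "iptables -t mangle -A $chain ${ctstate}${match:+$match }-j CONNMARK --save-mark --nfmask $hexmask --ctmask $hexmask"
    fi
    return 0
}

# Demo: the wiki's "custommark qos 1 OUTPUT dport 25" rendered for each of
# the four combinations, with the match written as plain iptables arguments
for opts in "stateful permanent" "stateless temporary" "stateful temporary" "stateless permanent"; do
    echo "# qos 1, $opts"
    mark_rules 0x1e000 13 $opts 1 OUTPUT -p tcp --dport 25
done
```

The masks on both CONNMARK rules are what keep the types isolated: --restore-mark only copies the qos bits out of the connection mark and --save-mark only writes the qos bits into it, so connmark and usermark values stored on the same connection are left alone. The default (stateful permanent) costs one conntrack match on the first packet and a restore on the rest; the classic (stateless temporary) form evaluates the full match on every packet and never touches the connection tracker.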