How --set-mark option works on Netfilter (IPTABLES)?


The mark is a 32-bit integer value attached to a network packet. Some network parts interacting with it (see below) can do bitwise operations on this value; it can then be interpreted as anything between one single 32-bit value and a collection of 32 flags, or a mix of flags and smaller values, depending on how one chooses to organise its use (tc can't do this). Of course this mark exists only as long as it's handled by the Linux kernel. It is purely virtual and internal, as it has no existence on the wire. Depending on where it's used, it may be called firewall mark, fwmark or simply mark.

Each network packet processed by the kernel is handled by a structure called sk_buff, defined in linux/include/linux/skbuff.h. This structure includes various metadata related to the packet when applicable, like IPsec information if any, the related conntrack entry once looked up, ... and also its mark.

Various parts of the network stack can read this mark, change behaviour based on its value or (re)write it, e.g.:

  • tc,
  • the routing stack can have special rules set with ip rule (e.g. ip rule add fwmark 1 lookup 42), to alter its routing decisions with this fwmark (e.g. to use a routing table sending those packets to another interface than the default),
  • of course iptables,
  • its candidate successor nftables,

and a few other places...

The main goal of this mark is to have all these network parts interact with each other by using it as a kind of message. The Packet flow in Netfilter and General Networking diagram can help to see in what order those elements will receive handling of the packet and thus its mark.

There are other related marks beside fwmark:

  • connmark, which isn't stored with a packet's sk_buff, but in a conntrack entry tracking packet flows. Its connmark can of course be used by iptables with its connmark match and CONNMARK target, with a usage example there: Netfilter Connmark To Linux and beyond! It allows the decision made based on one single packet to be memorized and then applied to all the packets of the same connection.
  • secmark and likewise its associated connsecmark which are intended to interact with Linux Security Modules such as SELinux.
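One way to use the bitwise handling of the mark described above, as an added example that is not part of the original answer: the mark layout (routing table id in the low byte, two flag bits above it), the interface name eth1 and table number 42 are assumptions for illustration, and the script only prints the iptables / ip rule commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original answer): lay out the 32-bit fwmark as a
# mix of flags and a small field, and emit iptables / ip rule commands that
# read or write only their own bits via the value/mask syntax.
# Assumed layout: bits 0-7 = routing table id, bit 8 = "from LAN" flag,
# bit 9 = "rate-limited" flag. Everything else is left untouched.
TABLE_MASK=0x000000ff
FLAG_LAN=0x00000100
FLAG_LIMIT=0x00000200

# Extract the routing-table field (low byte) from a full mark value.
mark_table() { printf '%d' $(( $1 & TABLE_MASK )); }

# Test a single flag bit of a mark value; prints 1 if set, else 0.
mark_has() { [ $(( $1 & $2 )) -ne 0 ] && echo 1 || echo 0; }

# Human-readable decoding of one mark value under the assumed layout.
mark_describe() {
  printf 'table=%s lan=%s limit=%s\n' \
    "$(mark_table "$1")" "$(mark_has "$1" "$FLAG_LAN")" "$(mark_has "$1" "$FLAG_LIMIT")"
}

# Print the mangle and policy-routing commands for a given table id.
# --set-xmark value/mask and fwmark value/mask only touch the masked bits,
# so other users of the mark (e.g. tc) keep their own bits intact, and
# CONNMARK --save-mark copies the result to the conntrack entry.
gen_rules() {
  table=$1
  cat <<EOF
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-xmark ${FLAG_LAN}/${FLAG_LAN}
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-xmark ${table}/${TABLE_MASK}
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
ip rule add fwmark ${table}/${TABLE_MASK} lookup ${table}
EOF
}

# Constructed sample: mark 0x142 = table 66 with the LAN flag set.
mark_describe 0x00000142
gen_rules 42
```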

Updated on September 18, 2022

Comments

  • ivanleoncz
    ivanleoncz over 1 year

    On Netfilter, you have the option --set-mark for packets that pass through the mangle table.

    The majority of tutorials and examples over the Internet say that this just adds a mark to the packet, like this, but there's no additional detail of what mark is set and where it resides in the packet:

    iptables -A PREROUTING -t mangle -i eth0 -p tcp --dport 80 -j MARK --set-mark 1

    My question is:

    • What kind of mark is set, and where exactly in the packet does this mark reside?
  • nelaaro
    nelaaro about 5 years
    Thank you for your wonderful explanation and important documentation of netfilter and its limitations: "this mark exists only as long as it's handled by the Linux kernel". First place I found information about this limitation.