|
Packit Service |
fa126c |
Like MARK, i.e. set the fwmark, but the mark is calculated from hashing
|
|
Packit Service |
fa126c |
packet selector at choice. You have also to specify the mark range and,
|
|
Packit Service |
fa126c |
optionally, the offset to start from. ICMP error messages are inspected
|
|
Packit Service |
fa126c |
and used to calculate the hashing.
|
|
Packit Service |
fa126c |
.PP
|
|
Packit Service |
fa126c |
Existing options are:
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-tuple\fP tuple\fI\fP
|
|
Packit Service |
fa126c |
Possible tuple members are:
|
|
Packit Service |
fa126c |
.B src
|
|
Packit Service |
fa126c |
meaning source address (IPv4, IPv6 address),
|
|
Packit Service |
fa126c |
.B dst
|
|
Packit Service |
fa126c |
meaning destination address (IPv4, IPv6 address),
|
|
Packit Service |
fa126c |
.B sport
|
|
Packit Service |
fa126c |
meaning source port (TCP, UDP, UDPlite, SCTP, DCCP),
|
|
Packit Service |
fa126c |
.B dport
|
|
Packit Service |
fa126c |
meaning destination port (TCP, UDP, UDPlite, SCTP, DCCP),
|
|
Packit Service |
fa126c |
.B spi
|
|
Packit Service |
fa126c |
meaning Security Parameter Index (AH, ESP), and
|
|
Packit Service |
fa126c |
.B ct
|
|
Packit Service |
fa126c |
meaning the usage of the conntrack tuple instead of the packet selectors.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-mod\fP \fIvalue (must be > 0)\fP
|
|
Packit Service |
fa126c |
Modulus for hash calculation (to limit the range of possible marks)
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-offset\fP \fIvalue\fP
|
|
Packit Service |
fa126c |
Offset to start marks from.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
For advanced usage, instead of using \-\-hmark\-tuple, you can specify custom
|
|
Packit Service |
fa126c |
prefixes and masks:
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-src\-prefix\fP \fIcidr\fP
|
|
Packit Service |
fa126c |
The source address mask in CIDR notation.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-dst\-prefix\fP \fIcidr\fP
|
|
Packit Service |
fa126c |
The destination address mask in CIDR notation.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-sport\-mask\fP \fIvalue\fP
|
|
Packit Service |
fa126c |
A 16 bit source port mask in hexadecimal.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-dport\-mask\fP \fIvalue\fP
|
|
Packit Service |
fa126c |
A 16 bit destination port mask in hexadecimal.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-spi\-mask\fP \fIvalue\fP
|
|
Packit Service |
fa126c |
A 32 bit field with spi mask.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-proto\-mask\fP \fIvalue\fP
|
|
Packit Service |
fa126c |
An 8 bit field with layer 4 protocol number.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-hmark\-rnd\fP \fIvalue\fP
|
|
Packit Service |
fa126c |
A 32 bit random custom value to feed hash calculation.
|
|
Packit Service |
fa126c |
.PP
|
|
Packit Service |
fa126c |
\fIExamples:\fP
|
|
Packit Service |
fa126c |
.PP
|
|
Packit Service |
fa126c |
iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
|
|
Packit Service |
fa126c |
\-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
|
|
Packit Service |
fa126c |
\-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
|
|
Packit Service |
fa126c |
.PP
|
|
Packit Service |
fa126c |
iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
|
|
Packit Service |
fa126c |
\-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
|