Module matches or adds connlabels to a connection.

connlabels are similar to connmarks, except labels are bit-based; i.e.

all labels may be attached to a flow at the same time.

Up to 128 unique labels are currently supported.

.TP

[\fB!\fP] \fB\-\-label\fP \fBname\fP

matches if label \fBname\fP has been set on a connection.

Instead of a name (which will be translated to a number, see EXAMPLE below),

a number may be used instead.  Using a number always overrides connlabel.conf.

.TP

\fB\-\-set\fP

if the label has not been set on the connection, set it.

Note that setting a label can fail.  This is because the kernel allocates the

conntrack label storage area when the connection is created, and it only

reserves the amount of memory required by the ruleset that exists at

the time the connection is created.

In this case, the match will fail (or succeed, in case \fB\-\-label\fP

option was negated).

.PP

This match depends on libnetfilter_conntrack 1.0.4 or later.

Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration file.

.PP

Example:

.IP

.nf

0	eth0-in

1	eth0-out

2	ppp-in

3	ppp-out

4	bulk-traffic

5	interactive

.fi

.PP