Blame extensions/libxt_connlabel.man
|
Packit |
7b22a4 |
Module matches or adds connlabels to a connection.
connlabels are similar to connmarks, except labels are bit-based; i.e.
all labels may be attached to a flow at the same time.
Up to 128 unique labels are currently supported.
.TP
[\fB!\fP] \fB\-\-label\fP \fBname\fP
matches if label \fBname\fP has been set on a connection.
Instead of a name (which will be translated to a number, see EXAMPLE below),
a number may be used. Using a number always overrides connlabel.conf.
.TP
\fB\-\-set\fP
if the label has not been set on the connection, set it.
Note that setting a label can fail. This is because the kernel allocates the
conntrack label storage area when the connection is created, and it only
reserves the amount of memory required by the ruleset that exists at
the time the connection is created.
In this case, the match will fail (or succeed, if the \fB\-\-label\fP
option was negated).
.PP
This match depends on libnetfilter_conntrack 1.0.4 or later.
Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration file.
.PP
Example:
.IP
.nf
0 eth0-in
1 eth0-out
2 ppp-in
3 ppp-out
4 bulk-traffic
5 interactive
.fi
.PP
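The name-to-bit mapping and the name-or-number rule for \fB\-\-label\fP described above, as an added example that is not part of the iptables man page or source: a Python lint for connlabel.conf-style text. The function names, the two faulty sample lines, the '#' comment handling and the duplicate checks are assumptions of this example, not documented parser behaviour.

```python
"""Lint a connlabel.conf-style mapping and resolve --label arguments (added example)."""
MAX_LABELS = 128  # the man page: up to 128 unique labels are supported

# Constructed sample: the man page's example plus two deliberate mistakes.
SAMPLE_CONF = """\
0 eth0-in
1 eth0-out
2 ppp-in
3 ppp-out
4 bulk-traffic
5 interactive
5 voip
128 too-high
"""


def parse_connlabel_conf(text):
    """Return (name -> bit mapping, list of problems found)."""
    labels, seen_bits, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        fields = line.split()
        if len(fields) != 2 or not fields[0].isdecimal():
            problems.append(f"line {lineno}: expected '<bit> <name>'")
            continue
        bit, name = int(fields[0]), fields[1]
        if bit >= MAX_LABELS:
            problems.append(f"line {lineno}: bit {bit} is outside 0..{MAX_LABELS - 1}")
        elif bit in seen_bits:  # lint policy of this example: one name per bit
            problems.append(f"line {lineno}: bit {bit} already named {seen_bits[bit]!r}")
        elif name in labels:
            problems.append(f"line {lineno}: name {name!r} already on bit {labels[name]}")
        else:
            labels[name], seen_bits[bit] = bit, name
    return labels, problems


def resolve_label(arg, labels):
    """Map a --label argument to a bit; a number is used as-is, bypassing the file."""
    if arg.isdecimal():
        bit = int(arg)
        if bit >= MAX_LABELS:
            raise ValueError(f"label bit {bit} is outside 0..{MAX_LABELS - 1}")
        return bit
    if arg not in labels:
        raise ValueError(f"label {arg!r} is not defined in the mapping")
    return labels[arg]
```

Running such a check before loading rules catches a mistyped or reassigned label name, which would otherwise make a rule match a different bit than the one the operator intended.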