.\" Florian Westphal | ccbf6b6 | 2013-05-06 21:07:38 +0200
Module matches or adds connlabels to a connection.
connlabels are similar to connmarks, except labels are bit-based; i.e.
all labels may be attached to a flow at the same time.
Up to 128 unique labels are currently supported.
.TP
[\fB!\fP] \fB\-\-label\fP \fBname\fP
matches if label \fBname\fP has been set on a connection.
Instead of a name (which will be translated to a number, see EXAMPLE below),
a number may be used. Using a number always overrides connlabel.conf.
.TP
\fB\-\-set\fP
if the label has not been set on the connection, set it.
Note that setting a label can fail. This is because the kernel allocates the
conntrack label storage area when the connection is created, and it only
reserves the amount of memory required by the ruleset that exists at
the time the connection is created.
In this case, the match will fail (or succeed, in case the \fB\-\-label\fP
option was negated).
.PP
This match depends on libnetfilter_conntrack 1.0.4 or later.
Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuration file.
.PP
Example:
.IP
.nf
0 eth0-in
1 eth0-out
2 ppp-in
3 ppp-out
4 bulk-traffic
5 interactive
.fi
.PP
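The name-to-number translation described above, written out as an added shell example (this is not part of the iptables man page or the connlabel match code). It builds a constructed connlabel.conf with the same layout as the EXAMPLE in a temporary file rather than touching \fB/etc/xtables/connlabel.conf\fP, resolves label names to bit numbers the way a rule author would expect, passes plain numbers through unchanged (as the man page says a number overrides the file), and checks both the file and any number against the 128-label limit (0..127). The function names and the CONNLABEL_CONF variable are this example's own.

```shell
#!/bin/sh
# Added example, not iptables code: resolve connlabel names to bit numbers
# using a connlabel.conf-style file, and sanity-check that file.

# Use a constructed copy of the config instead of /etc/xtables/connlabel.conf.
CONNLABEL_CONF="${CONNLABEL_CONF:-$(mktemp)}"
cat > "$CONNLABEL_CONF" <<'EOF'
# constructed sample connlabel.conf: "<number> <name>" per line
0 eth0-in
1 eth0-out
2 ppp-in
3 ppp-out
4 bulk-traffic
5 interactive
EOF

# connlabel_number NAME
#   Prints the bit number for NAME, or returns 1 if it cannot be resolved.
#   A purely numeric NAME is passed through unchanged (a number on the
#   command line overrides connlabel.conf), but it is still bounds-checked
#   against the 128-label limit (0..127).
connlabel_number() {
    name=$1
    case $name in
        ''|*[!0-9]*)
            # symbolic name: look it up, skipping comments and blank lines
            num=$(awk -v want="$name" '
                /^[[:space:]]*#/ || NF < 2 { next }
                $2 == want { print $1; found = 1; exit }
                END { if (!found) exit 1 }' "$CONNLABEL_CONF") || return 1
            ;;
        *)
            num=$name
            ;;
    esac
    [ "$num" -ge 0 ] && [ "$num" -le 127 ] || return 1
    printf '%s\n' "$num"
}

# connlabel_conf_check
#   Verifies the config: every number is 0..127, and no number or name is
#   defined twice.  Reports the first problem found and returns 1.
connlabel_conf_check() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 !~ /^[0-9]+$/ || $1 > 127 {
            print "bad label number " $1 " for " $2; bad = 1; exit
        }
        $1 in seen_num  { print "duplicate number " $1; bad = 1; exit }
        $2 in seen_name { print "duplicate name " $2;   bad = 1; exit }
        { seen_num[$1] = 1; seen_name[$2] = 1 }
        END { exit bad ? 1 : 0 }' "$CONNLABEL_CONF"
}

# Stand-alone demonstration: validate the file, then resolve a few labels.
connlabel_conf_check
for l in eth0-in interactive 42 no-such-label 128; do
    if n=$(connlabel_number "$l"); then
        printf 'label %-14s -> bit %s\n' "$l" "$n"
    else
        printf 'label %-14s -> not resolvable\n' "$l"
    fi
done
```

Resolving a name at rule-load time is only half the picture: the man page's note that \fB\-\-set\fP can fail for connections created before the ruleset grew still applies, so a rule that depends on a label being set should be written with that case in mind.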