Necessity of setting mark in Linuxsocket

The necessity of setting mark in Linuxsocket Linux Netfilter hook points may cause some strange problems. for example, the packets sent from the local machine cannot use the mark-based policy routing, this is because mark is generally carried out in Netfilter, and the Linux route is located before the OUTPUT hook point ,... linux socket sets mark necessity the location of Linux Netfilter hook points may cause some strange problems. for example, the packets sent from the local machine cannot use the mark-based policy routing, this is because mark is generally carried out in Netfilter, and the Linux route is located before the OUTPUT hook point. Therefore, this is a sequential inversion problem. how can this problem be solved? The mark can only be set before the route, but we know that for external incoming packets, the mark is performed in PREROUTING. Therefore, policy routing is good for packets that access the outside, for packets sent from the local machine, the routing can only be at the socket layer. why cannot it be done at the transport layer? Because the transport layer is complex, and many protocols directly go to the IP layer, such as OSPF, many transport layer protocols also need routing searches, for example, TCP needs to find the route when connecting to determine the source IP address (if there is no bind ).
Fortunately, Linux socket supports an option such as SO_MARK, which can be easily used: [plain] mark = 100; setsockopt (client_socket, SOL_SOCKET, SO_MARK, & mark, sizeof (mark ));
1. impact on TRACK www.2cto.com although the raw table is the first table where data packets pass through, the use of SO_MARK can still be used before the entire raw table takes effect, so that all the packages sent by A specific socket are NOTRACK: iptables-t raw-a output-m mark -- mark 100-j NOTRACK
If this is not the case, you need: iptables-t raw-a output [-s xxxx] [-d yyyy] [-p tcp | udp [-- sport X] [-- dport Y]... -j MARK -- set-mark 100... [A lot of similar rules as above] iptables-t raw-a output-m mark -- mark 100-j NOTRACK is what the raw table on PREROUTING needs to do. We are proud that socket is the world of applications on the OUTPUT, while PREROUTING is the world of kernels and drivers. The latter is too messy and inconvenient to do more things, the former is beyond our control. 2. the biggest beneficiary of SO_MARK's impact on policy routing is policy routing. if we use this route: ip rule add fwmark 100 table abc www.2cto.com ip route add 1.2.3.4/32 via 192.168.0.254 table abcip route del 1.2.3.4/32 table main
If SO_MARK is not set, all traffic destined for 1.2.3.4 will be discarded because there is no route. because no mark is added before the route entry into PREROUTING, therefore, it does not match the route in the abc policy table, and the corresponding route in the main table has been deleted... however, if we add [plain] mark = 100; setsockopt (client_socket, SOL_SOCKET, SO_MARK, & mark, sizeof (mark) to the application, the access will be normal, because this mark already exists when searching for a route. Author dog250