Firewall marking questions

  1. Will connmarks get copied to packets automatically?

  2. Can I match connmarks directly in nftables?

  3. Can I create routing rules that are based on connmarks?

  4. If none of the above questions have a positive answer, is restoring connmarks cheaper than marking every packet, especially when doing IP set filtering? My assumption is yes.

  1. at mangle+ (not raw)
  2. see above
  3. you need to transport connmark to meta mark to be consumed by routing table
  4. connmarks are instantly restored once a packet is matched to ct state at prerouting+mangle. Any kind of set is an associative array, similar to the one backing conntrack; it is the same unless you measure the opposite.

If you show unclear corners of your (conn-)mark journey I might be able to fix them up.
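The pattern the answer describes (connmark restored at mangle priority, copied into the packet mark so the routing table can consume it, set lookup only for new connections), written out as an added nftables ruleset. This is an example, not code from either poster: the table and chain names, the mark value 0x1, the set contents and the routing table number 100 are all constructed placeholders.

```nft
# Added example ruleset. Everything below (names, 0x1, the set's prefixes,
# table 100) is a constructed placeholder, not taken from the thread.
table inet mark_example {
    # Constructed set of destinations that should leave via the alternate route.
    set alt_route_dsts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    chain prerouting {
        # "mangle+ (not raw)": priority mangle (-150) runs after the conntrack
        # hook (-200), so ct mark is populated here; at priority raw (-300)
        # the connection has not been looked up yet and ct mark is unusable.
        type filter hook prerouting priority mangle; policy accept;

        # Point 3: the connmark is not consumed by routing on its own; copy it
        # into the packet (meta) mark. Packets of an already-marked connection
        # stop here, so the set below is never consulted for them (point 4).
        ct mark != 0 meta mark set ct mark accept

        # Only the first packet of a new connection pays for the set lookup;
        # the result is saved into the connection so later packets skip it.
        ct state new ip daddr @alt_route_dsts meta mark set 0x1 ct mark set meta mark
    }

    chain output {
        # Same logic for locally generated traffic. A mark set in the output
        # hook causes the kernel to re-run the routing decision for the packet.
        type route hook output priority mangle; policy accept;
        ct mark != 0 meta mark set ct mark accept
        ct state new ip daddr @alt_route_dsts meta mark set 0x1 ct mark set meta mark
    }
}

# Routing side (run separately as shell, placeholders for gateway and device):
#   ip rule add fwmark 0x1 lookup 100
#   ip route add default via 192.0.2.1 dev wan1 table 100
# Only the meta (packet) mark is visible to `ip rule fwmark`; ct mark is not.
```

Load it with `nft -f <file>` and check the marks with `conntrack -L` (the `mark=` column) and `ip rule show`; if a reply packet is routed on the default table, the usual cause is that the `meta mark set ct mark` rule sits at raw rather than mangle priority.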

