The CONNSECMARK target sets a SELinux security context mark to or from a packet mark. For further information on SELinux, read more at the Security-Enhanced Linux homepage. The target is only valid in the mangle table and is used together with the SECMARK target, where the SECMARK target is used to set the original mark, and then the CONNSECMARK is used to set the mark on the whole connection.

SELinux is beyond the scope of this document, but basically it is an addition of Mandatory Access Control to Linux. This is more finegrained than the original security systems of most Linux and Unix security controls. Each object can have security attributes, or security context, connected to it, and these attributes are then matched to eachother before allowing or denying a specific task to be performed. This target will allow a security context to be set on a connection.

Table 11-4. CONNSECMARK target options

Exampleiptables -t mangle -A PREROUTING -p tcp --dport 80 -j CONNSECMARK --save
ExplanationSave the security context mark from the packet to the connection if the connection is not marked since before.
Exampleiptables -t mangle -A PREROUTING -p tcp --dport 80 -j CONNSECMARK --restore
ExplanationIf the packet has no security context mark set on it, the --restore option will set the security context mark associated with the connection on the packet.