[SOLVED] Connections not marked after being dropped/accepted "forever"

[gustavo-iniguez-goya]

Connections that match a rule with Duration "always" should have the mark 0x18BA5, but at least with libnetfilter-queue 1.0.5 and kernel 5.9.x it doesn't seem to work. The mark is set correctly once we finish processing a packet https://github.com/evilsocket/opensnitch/blob/main/daemon/netfilter/queue.h#L78 (i.e.: the var ), but I don't see any connection marked, nor with conntrack -L, nor with iptables -t mangle -I POSTROUTING -m mark --mark 0x18BA5 -j LOG

Also the rule to drop all marked output connections has no hits iptables -L OUTPUT -v:

0 0 DROP all -- any any anywhere anywhere mark match 0x18ba5

If we drop connections when we see a SYN, the connection is not going to be established, so what's the point of dropping connections on the table filter, chain OUTPUT?

Actually, I don't know if this is a bug or a feature, because if we dropped connections marked to be dropped (in -t mangle PREROUTING or -t mangle OUTPUT), then we wouldn't intercept it, thus we wouldn't know if a connection has been dropped or not.

[themighty1]

I can't think of a reason why not drop it immediately in nfqueue but mark it to be dropped in netfilter.

Seems like the author used it to prototype/debug and then forgot to remove it.