connmark - Linux


connmark is a command-line utility used to manipulate connection marks (connmarks), which are metadata tags that can be attached to network packets for identification and tracking purposes. It allows system administrators to mark packets based on various criteria and perform filtering operations based on those marks.


connmark [options] <action> <flags>


  • <action>: Specify the desired action to perform on connmarks. Common actions include:

    • add: Adds a new connmark to a packet.
    • delete: Removes an existing connmark from a packet.
    • get: Retrieves the current connmark value for a packet.
    • modify: Modifies an existing connmark value.
  • <flags>: Specify additional parameters to control the behavior of the action.


  • -c, –connmark: Set the connmark value using <value>.
  • -d, –dev: Specify the network interface on which to operate. Default: all interfaces.
  • -f, –family: Limit operation to a specific address family (IPv4 or IPv6).
  • -m, –mask: Set the mask value for comparison and modification operations.
  • -P, –proto: Filter based on IP protocol (e.g., ‘tcp’, ‘udp’).
  • -p, –pid: Filter packets by process ID (PID) of the originator.
  • -s, –src: Filter packets by source IP address.
  • -t, –timestamp: Filter packets by timestamp.


Add a connmark to all packets from a specific IP address:

connmark add -s -c 0x1234

Remove a connmark from packets with a mask of 0x00FF:

connmark delete -m 0x00FF

Filter packets based on a specific connmark value:

tc filter add dev eth0 ingress protocol all pref 1 handle 1 fw classid 1:1 match u32 connmark 0x1234 0xffffffff action pass

Example script to mark packets from a specific process:



# Add a connmark to packets from the target process
connmark add -p $TARGET_PID -c 0xABCD

# Filter packets with the connmark in a firewall rule
iptables -A INPUT -m connmark --mark 0xABCD -j ACCEPT

Common Issues

  • Invalid connmark value: Ensure that the specified connmark value is a valid 32-bit integer.
  • Permission denied: Make sure you have root privileges to modify connmarks.
  • No matching packets: Verify that the specified filter criteria match actual packets in the system.


connmark can be integrated with other network management tools, such as:

  • tc: Use connmark to mark packets and configure traffic control rules based on those marks.
  • iptables: Filter packets in a firewall based on their connmarks.
  • nftables: Implement advanced packet filtering and marking rules using Netfilter tables.

Related Commands

  • tc
  • iptables
  • nftables
  • netfilter