
This patch adds per-connection marks, and a target (CONNMARK) and a
match (connmark), respectively, for using these.

Usage:

   connmark
       This  module  matches  the netfilter mark field associated
       with a connection (which can be  set  using  the  CONNMARK
       target below).

       --mark value[/mask]
              Matches  packets  in  connections  with  the  given
              unsigned mark value (if a mask is  specified,  this
              is logically ANDed with the mark before the comparison).


   CONNMARK
       This  is  used  to set the netfilter mark value associated
       with the connection.

       --set-mark mark
              Set connection mark

       --save-mark
              Set connection mark to the same as the one  on  the
              packet

       --restore-mark
              Set  the  netfilter  packet  mark  value to the one
              associated with the connection. This is only  valid
              in the mangle table.


The connbytes match is used to match how many bytes a connection has transferred.
The counter is limited to 0xffff0000, thus it can't overflow and also
can't measure more than 4GB.

The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.

The transferred bytes per connection can also be viewed through
/proc/net/ip_conntrack.

Usage:
[!] --connbytes FROM:[TO]

will match packets from a connection which transferred more than FROM and less
than TO bytes. If TO is omitted, only the FROM check is done. "!" is used to match
packets not falling in the range.

Example:

iptables .. -m connbytes --connbytes 10000:100000 ...
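The rule set below is an added example (not part of the patch or its author's text) that combines the two matches for the use case named above: connections past a byte threshold are marked with MARK, the mark is stored with CONNMARK --save-mark, and --restore-mark in the mangle table puts it back on every later packet so tc can schedule the flow in a lower-priority band. The threshold of 10 MB, the mark value 2, the interface name and the IPT dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: mark long-lived downloads with CONNMARK/connbytes in the
# mangle table. IPT defaults to a dry run that only prints the commands;
# set IPT=iptables to apply the rules for real (needs root).
IPT="${IPT:-echo iptables}"
THRESHOLD_BYTES=10000000   # assumed: connections over 10 MB count as bulk
BULK_MARK=2                # assumed: mark value a tc fw filter sends to a low band

# Emit (or apply) the mangle PREROUTING rules for one interface. Order matters:
# 1. restore the mark already stored in the connection (mangle table only);
# 2. mark packets of connections that transferred more than THRESHOLD_BYTES
#    (FROM: with TO omitted, so only the lower bound is checked);
# 3. save the packet mark back into the connection so that step 1 catches
#    all following packets without re-checking the byte counter.
bulk_download_rules() {
    iface="$1"
    $IPT -t mangle -A PREROUTING -i "$iface" -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -i "$iface" -m connbytes \
        --connbytes "${THRESHOLD_BYTES}:" -j MARK --set-mark "$BULK_MARK"
    $IPT -t mangle -A PREROUTING -i "$iface" -m mark --mark "$BULK_MARK" \
        -j CONNMARK --save-mark
}

# Number of rules the function emits; handy for checking a dry run.
rule_count() {
    bulk_download_rules "$1" | wc -l | tr -d ' '
}

bulk_download_rules eth0
```

Run it once as a dry run to review the exact commands, then with IPT=iptables; the mark value must match the handle used by the tc fw filter that selects the low-priority class.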

