* How to debug nfmarking
From: Eduardo Fernández @ 2004-11-15 17:45 UTC (permalink / raw)
  To: netfilter

Hi all,

I'm trying to debug packet marking like this:

iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
(...)

But I don't know how to check if the packets are really being marked.
ip_conntrack shows all packets with mark=0, and that's not possible.
I've tried logging with netfilter but I don't know which option shows
the nfmark in the log. Any ideas?

Thank you very much in advance.

Eduardo




* Re: How to debug nfmarking
From: Jason Opperisano @ 2004-11-15 18:03 UTC (permalink / raw)
  To: netfilter

On Mon, 2004-11-15 at 12:45, Eduardo Fernández wrote:
> Hi all,
> 
> I'm trying to debug packet marking like this:
> 
> iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
> (...)
> 
> But I don't know how to check if the packets are really being marked.
> ip_conntrack shows all packets with mark=0, and that's not possible.
> I've tried logging with netfilter but I don't know which option shows
> the nfmark in the log. Any ideas?
> 
> Thank you very much in advance.
> 
> Eduardo

Add a log rule that matches on the mark:

  iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 1
  iptables -t mangle -A PREROUTING -m mark --mark 1 \
    -j LOG --log-prefix "FW MARK 1: "

-j

--
"Beer. Now there's a temporary solution."
	--The Simpsons




* Re: How to debug nfmarking
From: Eric Leblond @ 2004-11-15 20:44 UTC (permalink / raw)
  To: netfilter

On Mon, 2004-11-15 at 18:45 +0100, Eduardo Fernández wrote:
> Hi all,
> 
> I'm trying to debug packet marking like this:
> 
> iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
> (...)
> But I don't know how to check if the packets are really being marked.
> ip_conntrack shows all packets with mark=0, and that's not possible.

Yes, you need to explicitly save the mark with CONNMARK to have the mark
propagated through the connection.
See http://home.regit.org/connmark.html for details.

BR,
-- 
Eric Leblond <eric@inl.fr>
INL
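
The two replies combined, as an added example that is not part of the thread or written by its participants: the packet mark is restored from and saved to the connection with CONNMARK, a LOG rule matches on the mark, and a helper counts conntrack entries that carry it. The function names, the `rules`/`check` arguments and the sample conntrack lines are constructed for illustration; the listing format with a trailing `mark=N` field is assumed to match what ip_conntrack prints.

```shell
#!/bin/sh
# Added example: nfmark rules that persist the mark per connection, plus a check.

# Print the mangle/PREROUTING rules for mark $1 on protocol $2 (pipe to sh as root to apply).
mark_rules() {
    mark=$1 proto=$2
    cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p $proto -m mark --mark 0 -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -m mark --mark $mark -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -m mark --mark $mark -j LOG --log-prefix "FW MARK $mark: "
EOF
}

# Count entries with mark $1 in a conntrack listing read from stdin.
# The listing shows the mark in decimal, so 0x1 is normalised to 1 first.
count_marked() {
    want=$(($1))
    awk -v want="$want" '
        { for (i = 1; i <= NF; i++) if ($i == "mark=" want) n++ }
        END { print n + 0 }'
}

# Constructed sample listing (documentation addresses, not captured data).
sample_conntrack() {
    cat <<'EOF'
icmp     1 29 src=192.0.2.10 dst=192.0.2.1 type=8 code=0 id=4660 src=192.0.2.1 dst=192.0.2.10 type=0 code=0 id=4660 mark=1 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=40000 dport=22 src=192.0.2.1 dst=192.0.2.10 sport=22 dport=40000 [ASSURED] mark=0 use=1
udp      17 25 src=192.0.2.10 dst=192.0.2.53 sport=40001 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40001 mark=0 use=1
EOF
}

case "${1:-}" in
    rules) mark_rules "${2:-1}" "${3:-icmp}" ;;   # print the rules
    check) count_marked "${2:-1}" ;;              # conntrack listing on stdin
esac
```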


