* Re: [LARTC] CONNMARK problem
From: Tomasz Chilinski @ 2004-09-24 17:28 UTC
To: lartc
On Fri, 24 Sep 2004 20:21:22 +0200, cvok wrote
> Hello everybody.
Hello.
> i think when a packet is passing through my POSTROUTING in the mangle table
> it can't match rule 2 or 3, but in real life it is a little bit different
>
> iptables -t mangle -L PREROUTING -v
> shows the following:
> Chain PREROUTING (policy ACCEPT 16M packets, 4534M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  159K   53M CONNMARK   all  --  any    any     anywhere             anywhere           CONNMARK set 0x0
>  1090  112K            all  --  any    any     anywhere             anywhere           CONNMARK match 0x5
>    22  1843            all  --  any    any     anywhere             anywhere           CONNMARK match 0x6
>
> i don't know if it is correct, so please tell me if it is normal.
It's normal. The CONNMARK target doesn't stop traversal of the chain.
> Matis
Bests,
Tomasz Chilinski
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] CONNMARK problem
From: zytek @ 2004-09-24 19:02 UTC
To: lartc
On Friday 24 September 2004 19:28, Tomasz Chilinski wrote:
> On Fri, 24 Sep 2004 20:21:22 +0200, cvok wrote
>
> > Hello everybody.
>
> Hello.
>
> > i think when a packet is passing through my POSTROUTING in the mangle table
> > it can't match rule 2 or 3, but in real life it is a little bit
> > different
> >
> > iptables -t mangle -L PREROUTING -v
> > shows the following:
> > Chain PREROUTING (policy ACCEPT 16M packets, 4534M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >  159K   53M CONNMARK   all  --  any    any     anywhere             anywhere           CONNMARK set 0x0
> >  1090  112K            all  --  any    any     anywhere             anywhere           CONNMARK match 0x5
> >    22  1843            all  --  any    any     anywhere             anywhere           CONNMARK match 0x6
> >
> > i don't know if it is correct, so please tell me if it is normal.
>
> It's normal. The CONNMARK target doesn't stop traversal of the chain.
You can match the packet again and use -j RETURN so it would "escape" from
the current chain.
(at least i think so ;> )
--
.: Jakub Głazik (zytek)
.: email: zytek@ostrow-wlkp.net
.: JID: zytek@azazel.ostrow-wlkp.net
.: http://www.misiaj.sie.pl [obsolete]
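Tomasz's point (CONNMARK does not end traversal of the chain) and zytek's suggestion (an explicit -j RETURN) together give the usual mangle-table pattern for connection marking. The script below is an added example, not code from this thread or from the LARTC HOWTO; it assumes traffic enters on eth1 (my choice), reuses the marks 0x5 and 0x6 from cvok's listing for interactive and bulk traffic, and reads the iptables binary from IPT so that IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the thread. The usual CONNMARK idiom for the
# mangle table: because CONNMARK is a non-terminating target, the chain keeps
# being traversed after it, so an explicit "-j RETURN" is what lets packets of
# an already-marked connection skip the classification rules.
#
# Assumptions (mine, not the thread's): traffic enters on eth1, ssh and DNS
# get connection mark 0x5, bulk HTTP gets 0x6. IPT defaults to iptables and
# can be set to "echo" to print the rules instead of loading them.
IPT="${IPT:-iptables}"

apply_connmark_rules() {
    # user-defined chain that only sees packets of not-yet-marked connections
    $IPT -t mangle -N QOS_MARK 2>/dev/null || true
    $IPT -t mangle -F QOS_MARK

    # 1. copy the connection mark onto the packet (a no-op for unmarked flows);
    #    traversal continues past this rule, exactly as Tomasz says
    $IPT -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
    # 2. the escape: a packet that now carries a non-zero mark leaves PREROUTING here
    $IPT -t mangle -A PREROUTING -i eth1 -m mark ! --mark 0 -j RETURN
    # 3. everything else (connections without a mark yet) is classified
    $IPT -t mangle -A PREROUTING -i eth1 -j QOS_MARK

    # 4. classify by setting the packet mark, then persist it to the connection
    $IPT -t mangle -A QOS_MARK -p tcp --dport 22 -j MARK --set-mark 0x5
    $IPT -t mangle -A QOS_MARK -p udp --dport 53 -j MARK --set-mark 0x5
    $IPT -t mangle -A QOS_MARK -p tcp --dport 80 -j MARK --set-mark 0x6
    $IPT -t mangle -A QOS_MARK -m mark ! --mark 0 -j CONNMARK --save-mark
}

# load the rules only when invoked as "sh connmark.sh apply"
if [ "${1:-}" = "apply" ]; then
    apply_connmark_rules
fi
```

After loading, iptables -t mangle -L PREROUTING -v shows the counter of the RETURN rule growing for every later packet of a marked connection, while the -j QOS_MARK rule and the chain behind it only count packets of connections that have no mark yet; without the RETURN rule, every packet would reach the classification rules, which is what cvok's counters showed.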
* [LARTC] CONNMARK problem
From: Leandro Travaglia @ 2005-01-08 13:02 UTC
To: lartc
Hi all,
I have IPTABLES 1.2.10 and I have a weird problem with CONNMARK
When i run:
# iptables -v -t mangle -F
# iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
CONNMARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 CONNMARK restore
iptables: No chain/target/match by that name
Why is that happening??
The command:
# iptables -v -j CONNMARK -h
returns:
CONNMARK target v1.2.10 options:
--set-mark value[/mask] Set conntrack mark value
--save-mark [--mask mask] Save the packet nfmark in the connection
--restore-mark [--mask mask] Restore saved nfmark value
So everything seems fine to me........
Thanks...
* Re: [LARTC] CONNMARK problem
From: Leandro Travaglia @ 2005-01-09 11:53 UTC
To: lartc
I see... I'll do this.
But..... Is CONNMARK supported in newer versions of the Kernel? Which one?
Regards,
LEANDRO TRAVAGLIA
Nguyen Dinh Nam wrote:
> it's because your kernel doesn't support CONNMARK, apply patch-o-matic
> then recompile your kernel, then it'll work.
>
> Leandro Travaglia wrote:
>
>> Hi all,
>>
>> I have IPTABLES 1.2.10 and I have a weird problem with CONNMARK
>>
>> When i run:
>> # iptables -v -t mangle -F
>> # iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
>> CONNMARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 CONNMARK
>> restore
>> iptables: No chain/target/match by that name
>>
>> Why is that happening??
>>
>> The command:
>> # iptables -v -j CONNMARK -h
>> returns:
>> CONNMARK target v1.2.10 options:
>> --set-mark value[/mask] Set conntrack mark value
>> --save-mark [--mask mask] Save the packet nfmark in the connection
>> --restore-mark [--mask mask] Restore saved nfmark value
>>
>> So everything seems fine to me........
>>
>> Thanks...
* RE: [LARTC] CONNMARK problem
From: Vincent @ 2005-01-10 2:25 UTC
To: lartc
> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl
> [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Leandro Travaglia
> Sent: Saturday, January 08, 2005 9:03 PM
> To: LARTC
> Subject: [LARTC] CONNMARK problem
>
>
> Hi all,
>
> I have IPTABLES 1.2.10 and I have a weird problem with CONNMARK
>
> When i run:
> # iptables -v -t mangle -F
> # iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
> CONNMARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 CONNMARK restore
> iptables: No chain/target/match by that name
Make sure that the CONNMARK target is valid in the mangle table > PREROUTING
chain.
Or you can try to inspect the rule in another table/chain.
Another possibility is the target format. You can try to use a simple
target to verify whether the target format is correct or not.
Vincent
>
> Why is that happening??
>
> The command:
> # iptables -v -j CONNMARK -h
> returns:
> CONNMARK target v1.2.10 options:
> --set-mark value[/mask] Set conntrack mark value
> --save-mark [--mask mask] Save the packet nfmark in the
> connection
> --restore-mark [--mask mask] Restore saved nfmark value
>
> So everything seems fine to me........
>
> Thanks...
>
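Nguyen's diagnosis (quoted in Leandro's second message: the kernel lacks CONNMARK even though the iptables binary knows it) and Vincent's advice to verify the target separately both come down to the same check, which the thread never spells out. The script below is an added example, not code from the thread; it assumes the kernel exposes its registered targets in /proc/net/ip_tables_targets (the path is a parameter so the check can also be run against a saved copy of that file) and that the module names to try are xt_CONNMARK on newer kernels and ipt_CONNMARK on older ones, both my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. "iptables -j CONNMARK -h" working
# only proves the userspace extension is installed; the error
# "No chain/target/match by that name" is the kernel saying it has no such
# target. The kernel lists the targets it has registered, one per line, in
# /proc/net/ip_tables_targets, so that file is what to check.
#
# Assumptions (mine): the /proc file above exists on the system (the path is a
# parameter so the check can be run against a saved copy), and the module
# names tried below are xt_CONNMARK (newer kernels) and ipt_CONNMARK (older).

# has_target NAME [FILE] -> 0 if NAME is registered, 1 if not, 2 if FILE is unreadable
has_target() {
    file="${2:-/proc/net/ip_tables_targets}"
    [ -r "$file" ] || return 2
    grep -qx "$1" "$file"
}

# check_connmark_support [FILE] -> 0 if the kernel has CONNMARK (loading its
# module if needed), 1 otherwise; prints a one-line verdict
check_connmark_support() {
    file="${1:-/proc/net/ip_tables_targets}"
    if has_target CONNMARK "$file"; then
        echo "kernel: CONNMARK target registered"
        return 0
    fi
    # targets register when their module loads; try the assumed module names
    # (a loaded module only shows up in the live /proc file, not in a copy)
    if command -v modprobe >/dev/null 2>&1; then
        for mod in xt_CONNMARK ipt_CONNMARK; do
            if modprobe "$mod" 2>/dev/null && has_target CONNMARK "$file"; then
                echo "kernel: CONNMARK target registered after loading $mod"
                return 0
            fi
        done
    fi
    echo "kernel: CONNMARK target missing; the userspace help output says nothing about this"
    return 1
}

# run the live check only when invoked as "sh connmark-check.sh check"
if [ "${1:-}" = "check" ]; then
    check_connmark_support
fi
```

The two return codes of has_target matter in practice: 1 means the kernel has iptables support but no CONNMARK (Leandro's case, fixed by building the target into the kernel), while 2 means the ip_tables core itself is not loaded, which gives the same iptables error message for a different reason.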