Strange netfilter/iproute behav.

Strange netfilter/iproute behav.

[Richard Mueller]

Hello netfilter developers,

Some strange things are happening, when I try to use routing decisions
based on fwmark.

A short dump should explain it better than I can do with my bad english
skills ;) :

[DUMP ON]
host:~# ip rule add fwmark 19 lookup inet
host:~# iptables -t mangle -F
host:~# iptables -t mangle -A OUTPUT -j MARK --set-mark 19
host:~# ip route flush cache
host:~# ping www.heise.de # <- Should work because a defgw is set inet
PING www.heise.de (193.99.144.71): 56 data bytes

--- www.heise.de ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
host:~# ip rule del fwmark 19 lookup inet
host:~# iptables -t mangle -F
host:~#
host:~# ip rule add fwmark 1 lookup inet
host:~# iptables -t mangle -A OUTPUT -j MARK --set-mark 1
host:~# ip route flush cache
host:~# ping www.heise.de  # <- Works as fwmark 19 should do
PING www.heise.de (193.99.144.71): 56 data bytes
64 bytes from 193.99.144.71: icmp_seq=0 ttl=243 time=5.2 ms

--- www.heise.de ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 5.2/5.2/5.2 ms
host:~#
host:~# ip rule ls
0:      from all lookup local
32765:  from all fwmark        1 lookup inet
32766:  from all lookup main
32767:  from all lookup default
host:~# ip route show
172.16.0.0/16 dev eth0  proto kernel  scope link  src 172.16.90.5
172.17.0.0/16 via 172.16.254.254 dev eth0
default via 172.16.1.1 dev eth0
host:~# ip route show table inet
172.16.0.0/16 dev eth0  proto kernel  scope link  src 172.16.90.5
default via 172.16.254.254 dev eth0
host:~#
host:~# cat /proc/version
Linux version 2.4.20 (root@host) (gcc version 2.95.4 20011002 (Debian prerelease)) #7 SMP Sat Dec 7 19:59:45 CET 2002
host:~# iptables -v
iptables v1.2.7a: no command specified
Try `iptables -h' or 'iptables --help' for more information.
host:~# iptables --version
iptables v1.2.7a
host:~#

[DUMP OFF]

I am running iptables v.1.2.7a compiled against the running kernel.
A "iptables -t mangle -L -v" shows that the rule applies.
No patch'o'matic is used.

I have no idea what I have done wrong and  the  workaround  (by  using
"1") isn't really a good idea because is need plenty ( > 10) of fwmark
targets.

If this is a beginner's problem please say something like
# man iptables

Thanks a lot

Richard

-- 
Richard Mueller     mailto:mueller@teamix.net  Fon: +49 9171 896287
Teamix GmbH         http://www.teamix.de       Fax: +49 9171 896286

Re: Strange netfilter/iproute behav.

[Roberto Nibali]

Hello,

> Some strange things are happening, when I try to use routing decisions
> based on fwmark.

Ok.

> host:~# ip rule add fwmark 19 lookup inet
> host:~# iptables -t mangle -F
> host:~# iptables -t mangle -A OUTPUT -j MARK --set-mark 19

[vs.]

> host:~# ip rule add fwmark 1 lookup inet
> host:~# iptables -t mangle -A OUTPUT -j MARK --set-mark 1

A lot of people fall into this trap.

> I have no idea what I have done wrong and  the  workaround  (by  using
> "1") isn't really a good idea because is need plenty ( > 10) of fwmark
> targets.

:) The problem is that the fwmark from iproute2 takes its argument as a hex 
value. So when you write the following line:

ip rule add fwmark 19 lookup inet

You actually have 0x19 which is 25. So you need to to set the following 
according iptables mangle rule with MARK=19:

iptables -t mangle -A OUTPUT -j MARK --set-mark $((0x${MARK}))

> If this is a beginner's problem please say something like
> # man iptables

It's probably a beginner's problem but there is not really a man page for this, 
so I say RTSL :)

Cheers and HTH,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc