* [LARTC] CONNMARK problem
From: cvok @ 2004-09-24 17:22 UTC
  To: lartc

Hello everybody.

I have the following problem:

I have this at the top of the PREROUTING chain in the mangle table:

iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 0        # rule 1
iptables -t mangle -A PREROUTING -m connmark --mark 5            # rule 2
iptables -t mangle -A PREROUTING -m connmark --mark 6            # rule 3

I think when a packet is passing through my POSTROUTING in the mangle table
it can't match rule 2 or 3, but in real life it is a little bit different.

iptables -t mangle -L PREROUTING -v
shows following:
Chain PREROUTING (policy ACCEPT 16M packets, 4534M bytes)
 pkts bytes target     prot opt in     out     source               destination
 159K   53M CONNMARK   all  --  any    any     anywhere             anywhere    CONNMARK set 0x0
 1090  112K            all  --  any    any     anywhere             anywhere    CONNMARK match 0x5
   22  1843            all  --  any    any     anywhere             anywhere    CONNMARK match 0x6

I don't know if it is correct, so please tell me if it is normal.

thanks a lot

Matis
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] CONNMARK problem
From: Tomasz Chilinski @ 2004-09-24 17:28 UTC
  To: lartc

On Fri, 24 Sep 2004 20:21:22 +0200, cvok wrote
> Hello everybody.

Hello.

> I think when a packet is passing through my POSTROUTING in the mangle table
> it can't match rule 2 or 3, but in real life it is a little bit different.
> 
> iptables -t mangle -L PREROUTING -v
> shows following:
> Chain PREROUTING (policy ACCEPT 16M packets, 4534M bytes)
>  pkts bytes target     prot opt in     out     source       destination
>  159K   53M CONNMARK   all  --  any    any     anywhere     anywhere    CONNMARK set 0x0
>  1090  112K            all  --  any    any     anywhere     anywhere    CONNMARK match 0x5
>    22  1843            all  --  any    any     anywhere     anywhere    CONNMARK match 0x6
> 
> i don't know if it is correct, so please tell me if it is normal.

It's normal. The CONNMARK target doesn't stop traversal of the chain.

> Matis

Bests,
Tomasz Chilinski


* Re: [LARTC] CONNMARK problem
From: zytek @ 2004-09-24 19:02 UTC
  To: lartc

On Friday 24 September 2004 19:28, Tomasz Chilinski wrote:
> [...]
> It's normal. CONNMARK target doesn't mean stopping traversing the chain.

You can match the packet again and use -j RETURN so it would "escape" from
the current chain.

(at least i think so ;> )

-- 
.: Jakub Głazik (zytek)
.: email: zytek@ostrow-wlkp.net
.: JID: zytek@azazel.ostrow-wlkp.net
.: http://www.misiaj.sie.pl [obsolete]
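Both replies above come down to one rule of chain traversal: a target such as CONNMARK (or MARK) hands the packet back to the chain, which carries on with the next rule, while ACCEPT, DROP and RETURN are verdicts that end the chain. The toy model below is an added example, not code from the thread and not the netfilter code itself; the flow key, the sample SSH flow, the rule names and the four-rule restore/classify/save chain in `classify_chain` are constructed for illustration, and the mark arithmetic follows the `--set-mark`, `--save-mark` and `--restore-mark` semantics of the iptables CONNMARK extension. It runs the poster's three rules and records, per rule, how often traversal reached it (`seen`) and how often every match hit (`pkts`, the column `-L -v` prints), then shows that a `-j RETURN` guard placed in front, as suggested here, stops traversal, and how `--restore-mark` followed by a RETURN for already-marked packets is normally used.

```python
"""Toy model of iptables chain traversal with conntrack marks (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, int]   # (proto, src, dst, dport): constructed flow key
Conntrack = Dict[Flow, int]        # conntrack table: one 32-bit mark per tracked flow
CONTINUE, RETURN, ACCEPT = "CONTINUE", "RETURN", "ACCEPT"
ALL = 0xFFFFFFFF                   # default mask of the real extensions

@dataclass
class Packet:
    flow: Flow
    nfmark: int = 0                # per-packet mark (-j MARK / -m mark)

@dataclass
class Rule:
    name: str
    matches: List[Callable]        # each (pkt, ct) -> bool
    target: Optional[Callable] = None  # (pkt, ct) -> verdict; None = counter-only rule
    seen: int = 0                  # times traversal reached this rule
    pkts: int = 0                  # times every match hit (the -L -v pkts column)

# Targets.  CONNMARK and MARK return CONTINUE: the packet goes on to the next
# rule of the same chain.  ACCEPT/DROP/RETURN are verdicts and end traversal.
def connmark(op: str, value: int = 0, mask: int = ALL) -> Callable:
    """-j CONNMARK --set-mark / --save-mark / --restore-mark.  A packet with no
    conntrack entry is left alone, as the real target leaves it."""
    def target(pkt: Packet, ct: Conntrack) -> str:
        if pkt.flow in ct:
            if op == "set":
                ct[pkt.flow] = (ct[pkt.flow] & ~mask & ALL) | value
            elif op == "save":
                ct[pkt.flow] = (ct[pkt.flow] & ~mask & ALL) | (pkt.nfmark & mask)
            elif op == "restore":
                pkt.nfmark = (pkt.nfmark & ~mask & ALL) | (ct[pkt.flow] & mask)
        return CONTINUE
    return target

def mark_set(value: int) -> Callable:
    """-j MARK --set-mark value, also non-terminating."""
    def target(pkt: Packet, ct: Conntrack) -> str:
        pkt.nfmark = value
        return CONTINUE
    return target

def verdict(v: str) -> Callable:
    """-j ACCEPT / DROP / RETURN: terminating."""
    return lambda pkt, ct: v

# Matches.
def m_connmark(value: int, mask: int = ALL, invert: bool = False) -> Callable:
    """-m connmark [!] --mark value[/mask]; never matches without a conntrack entry."""
    return lambda pkt, ct: pkt.flow in ct and ((ct[pkt.flow] & mask) == value) != invert

def m_mark(value: int, mask: int = ALL, invert: bool = False) -> Callable:
    """-m mark [!] --mark value[/mask] on the packet's own mark."""
    return lambda pkt, ct: ((pkt.nfmark & mask) == value) != invert

def traverse(chain: List[Rule], pkt: Packet, ct: Conntrack, policy: str = ACCEPT) -> str:
    """Walk one chain the way the kernel does: top to bottom until a verdict."""
    for rule in chain:
        rule.seen += 1
        if not all(m(pkt, ct) for m in rule.matches):
            continue
        rule.pkts += 1
        if rule.target is not None:
            v = rule.target(pkt, ct)
            if v != CONTINUE:
                return v
    return policy

def op_chain() -> List[Rule]:
    """The three PREROUTING rules from the first post."""
    return [Rule("set 0", [], connmark("set", 0)),
            Rule("match 5", [m_connmark(5)]),
            Rule("match 6", [m_connmark(6)])]

def classify_chain() -> List[Rule]:
    """Assumed rule set: restore, RETURN if already classified, classify, save."""
    return [Rule("restore", [], connmark("restore")),
            Rule("already marked", [m_mark(0, invert=True)], verdict(RETURN)),
            Rule("ssh -> 5", [lambda p, c: p.flow[0] == "tcp" and p.flow[3] == 22], mark_set(5)),
            Rule("save", [], connmark("save"))]

def demo() -> dict:
    ssh: Flow = ("tcp", "10.0.0.2", "10.0.0.1", 22)   # constructed sample flow
    ct: Conntrack = {ssh: 5}                          # flow was marked 5 earlier
    # 1. The poster's chain: rule 1 rewrites the connmark, and the packet still
    #    reaches rules 2 and 3 (seen == 1 each), which now test a mark of 0.
    chain = op_chain()
    traverse(chain, Packet(ssh), ct)
    out = {"seen": [r.seen for r in chain], "pkts": [r.pkts for r in chain]}
    # 2. A RETURN guard in front: match the wanted value first and leave the
    #    chain; the rules below are never consulted and the connmark survives.
    ct[ssh] = 5
    guarded = [Rule("keep 5", [m_connmark(5)], verdict(RETURN))] + op_chain()
    traverse(guarded, Packet(ssh), ct)
    out["guarded_seen"], out["guarded_mark"] = [r.seen for r in guarded], ct[ssh]
    # 3. --restore-mark in use: two packets of a fresh, still unmarked flow.
    ct, chain = {ssh: 0}, classify_chain()
    first, second = Packet(ssh), Packet(ssh)
    traverse(chain, first, ct)
    traverse(chain, second, ct)
    out.update(first_nfmark=first.nfmark, second_nfmark=second.nfmark,
               classify_seen=[r.seen for r in chain], ct_mark=ct[ssh])
    return out
```

`demo()` returns `seen == [1, 1, 1]` and `pkts == [1, 0, 0]` for the poster's chain, `guarded_seen == [1, 0, 0, 0]` with the connmark still 5 once a RETURN sits in front, and for the restore/save chain both packets end with nfmark 5 while rules 3 and 4 are consulted only for the first packet (`classify_seen == [2, 2, 1, 1]`). A packet with no conntrack entry is skipped by the CONNMARK target and never satisfies `-m connmark` in the model, which is how the real target and match behave when conntrack has no entry for the packet; the `pkts` column of `-L -v` counts packets for which every match of the rule succeeded, not packets that merely reached the rule.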

* [LARTC] CONNMARK problem
From: Leandro Travaglia @ 2005-01-08 13:02 UTC
  To: lartc

Hi all,

I have IPTABLES 1.2.10 and I have a weird problem with CONNMARK.

When i run:
# iptables -v -t mangle -F
# iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
CONNMARK  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  CONNMARK restore
iptables: No chain/target/match by that name

Why is that happening??

The command:
# iptables -v -j CONNMARK -h
returns:
CONNMARK target v1.2.10 options:
  --set-mark value[/mask]       Set conntrack mark value
  --save-mark [--mask mask]     Save the packet nfmark in the connection
  --restore-mark [--mask mask]  Restore saved nfmark value

So everything seems fine to me...

Thanks...




* Re: [LARTC] CONNMARK problem
From: Leandro Travaglia @ 2005-01-09 11:53 UTC
  To: lartc

I see... I'll do this.

But... is CONNMARK supported in newer versions of the kernel? Which one?

Regards,

Leandro Travaglia

Nguyen Dinh Nam wrote:

> it's because your kernel doesn't support CONNMARK, apply patch-o-matic 
> then recompile your kernel, then it'll work.
> [...]

* RE: [LARTC] CONNMARK problem
From: Vincent @ 2005-01-10  2:25 UTC
  To: lartc

> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl 
> [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Leandro Travaglia
> Sent: Saturday, January 08, 2005 9:03 PM
> To: LARTC
> Subject: [LARTC] CONNMARK problem
> 
> 
> Hi all,
> 
> I have IPTABLES 1.2.10 and i have a weird problem with CONNMARK
> 
> When i run:
> # iptables -v -t mangle -F
> # iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
> CONNMARK  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  CONNMARK restore
> iptables: No chain/target/match by that name

Make sure that the CONNMARK target is valid in the mangle table > PREROUTING
chain.
Or you can try to inspect the rule in another table/chain.

Another possibility is the target format. You can try to use a simple
target to verify whether the target format is correct or not.

Vincent
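The check suggested above can be made mechanical. `iptables -j CONNMARK -h` printing the option list proves only that the userspace plugin is installed; "No chain/target/match by that name" is the kernel refusing a target or match it has not registered. On current kernels the registered names are listed one per line in /proc/net/ip_tables_targets and /proc/net/ip_tables_matches. The helper below is an added example, not code from the thread or from iptables: it pulls the `-j` and `-m` names out of a rule, compares them with those lists and reports what is missing together with the module to try (xt_connmark on current kernels, ipt_CONNMARK / ipt_connmark on the patch-o-matic kernels of the time). `MODULE_HINT` is a hand-written table, and the proc file contents used in the usage note are constructed.

```python
"""Tell a missing kernel extension from a missing userspace one (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

# x_tables exports the registered names, one per line, in these files (IPv4).
PROC_TARGETS = "/proc/net/ip_tables_targets"
PROC_MATCHES = "/proc/net/ip_tables_matches"

# Hand-written table: module that registers each extension.  xt_* on current
# kernels; the patch-o-matic kernels of 2004/2005 used ipt_CONNMARK/ipt_connmark.
MODULE_HINT: Dict[str, List[str]] = {
    "CONNMARK": ["xt_connmark", "ipt_CONNMARK"],
    "connmark": ["xt_connmark", "ipt_connmark"],
    "MARK": ["xt_mark", "ipt_MARK"],
    "mark": ["xt_mark", "ipt_mark"],
}
BUILTIN_VERDICTS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}   # not extensions

def rule_extensions(argv: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Names the kernel must know for one rule: its -j target and -m matches."""
    argv = list(argv)
    targets, matches = set(), set()
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-j", "--jump"):
            targets.add(argv[i + 1])
        elif arg in ("-m", "--match"):
            matches.add(argv[i + 1])
    return targets, matches

def registered(text: str) -> Set[str]:
    """Parse the proc file format: one extension name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def read_proc(path: str) -> str:
    """Empty string when the file is absent (ip_tables not loaded, or not Linux)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

def missing_extensions(argv: Iterable[str], targets_text: str, matches_text: str,
                       user_chains: Iterable[str] = ()) -> Dict[str, List[str]]:
    """{name: candidate modules} for each extension the rule needs and the kernel
    lacks.  Built-in verdicts and jumps to user-defined chains are not extensions,
    so the caller passes the names of its own chains in user_chains."""
    targets, matches = rule_extensions(argv)
    have_t, have_m = registered(targets_text), registered(matches_text)
    skip = BUILTIN_VERDICTS | set(user_chains)
    missing: Dict[str, List[str]] = {}
    for t in sorted(targets - skip - have_t):
        missing[t] = MODULE_HINT.get(t, [])
    for m in sorted(matches - have_m):
        missing[m] = MODULE_HINT.get(m, [])
    return missing

def check_live(argv: Iterable[str], user_chains: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Same check against the running kernel's proc files."""
    return missing_extensions(argv, read_proc(PROC_TARGETS), read_proc(PROC_MATCHES),
                              user_chains)
```

With constructed proc contents of `"MARK\nTOS\n"` and `"mark\nstate\n"`, `missing_extensions("-t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark".split(), ...)` returns `{"CONNMARK": ["xt_connmark", "ipt_CONNMARK"]}`, and an empty dict once `CONNMARK` is added to the targets list; `check_live` does the same against the live kernel, where an empty result means the rule should load and any remaining name is a module to `modprobe` (or, on the kernels of this thread, a patch to apply and a kernel to rebuild).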

