* CONNMARK save-mark and restore-mark not working ?
@ 2005-02-18 8:40 Ian! D. Allen
From: Ian! D. Allen @ 2005-02-18 8:40 UTC (permalink / raw)
To: netfilter
I think this pair (marking connections with "9"):
iptables -t mangle -A OUTPUT -j MARK --set-mark 9
iptables -t mangle -A OUTPUT -j CONNMARK --set-mark 9
should be equivalent to this pair:
iptables -t mangle -A OUTPUT -j MARK --set-mark 9
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
The first pair works - I get mark=9 entries in /proc/net/ip_conntrack .
The second pair does not - I get no marks at all in ip_conntrack.
I think this pair should set packet marks from the ip_conntrack marks:
iptables -t mangle -A OUTPUT -j CONNMARK --set-mark 9
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
It does not - the packets aren't marked:
Chain OUTPUT (policy ACCEPT 2989 packets, 395K bytes)
pkts bytes target prot opt in out source destination
1695 178K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x9
1695 178K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x9 LOG flags 1 level 7 prefix `IDAMARK '
1695 178K all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x0
What am I missing?
Linux elm 2.6.10-1mdk #2 Sat Jan 29 13:10:11 EST 2005 i686 AMD Athlon(tm) XP 3200+ unknown GNU/Linux
--
-IAN! Ian! D. Allen Ottawa, Ontario, Canada
EMail: idallen@idallen.ca WWW: http://www.idallen.com/
College professor (Linux) via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/
* Re: CONNMARK save-mark and restore-mark not working ?
From: Omar Garcia @ 2005-02-18 10:56 UTC (permalink / raw)
To: netfilter
And this?
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j ACCEPT
iptables -t mangle -A OUTPUT -j MARK --set-mark 9
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
----- Original Message -----
From: "Ian! D. Allen" <idallen@idallen.ca>
To: <netfilter@lists.netfilter.org>
Sent: Friday, February 18, 2005 9:40 AM
Subject: CONNMARK save-mark and restore-mark not working ?
> I think this pair (marking connections with "9"):
>
> iptables -t mangle -A OUTPUT -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j CONNMARK --set-mark 9
>
> should be equivalent to this pair:
>
> iptables -t mangle -A OUTPUT -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>
> The first pair works - I get mark=9 entries in /proc/net/ip_conntrack .
> The second pair does not - I get no marks at all in ip_conntrack.
>
> I think this pair should set packet marks from the ip_conntrack marks:
>
> iptables -t mangle -A OUTPUT -j CONNMARK --set-mark 9
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
>
> It does not - the packets aren't marked:
>
> Chain OUTPUT (policy ACCEPT 2989 packets, 395K bytes)
> pkts bytes target prot opt in out source destination
> 1695 178K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x9
> 1695 178K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x9 LOG flags 1 level 7 prefix `IDAMARK '
> 1695 178K all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x0
>
> What am I missing?
>
> Linux elm 2.6.10-1mdk #2 Sat Jan 29 13:10:11 EST 2005 i686 AMD Athlon(tm) XP 3200+ unknown GNU/Linux
>
> --
> -IAN! Ian! D. Allen Ottawa, Ontario, Canada
> EMail: idallen@idallen.ca WWW: http://www.idallen.com/
> College professor (Linux) via: http://teaching.idallen.com/
> Support free and open public digital rights: http://eff.org/
>
>
* Re: CONNMARK save-mark and restore-mark not working ?
From: Ian! D. Allen @ 2005-02-18 21:37 UTC (permalink / raw)
To: Omar Garcia; +Cc: netfilter
On Fri, Feb 18, 2005 at 11:56:29AM +0100, Omar Garcia wrote:
> And this?
> iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j ACCEPT
> iptables -t mangle -A OUTPUT -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
That doesn't work because, as I posted, neither --save-mark nor
--restore-mark appear to work.
The --save-mark does not set and save the mark value in any line in
/proc/net/ip_conntrack.
The --restore-mark does not take the mark value from a line in
ip_conntrack and restore it into any packet.
See my original posting for examples of this. I think my kernel must be
broken, unless I'm misunderstanding how these things are supposed to work.
--
-IAN! Ian! D. Allen Ottawa, Ontario, Canada
EMail: idallen@idallen.ca WWW: http://www.idallen.com/
College professor (Linux) via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/
* Re: CONNMARK save-mark and restore-mark not working ?
From: Vinod Chandran @ 2005-02-18 11:05 UTC (permalink / raw)
To: netfilter
Hi Ian,
>I think this pair (marking connections with "9"):
>
> iptables -t mangle -A OUTPUT -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j CONNMARK --set-mark 9
>
>
>>>>> Here the mark value of the packet as well as the mark value of the connection tracking entry are set to 9.
>should be equivalent to this pair:
>
> iptables -t mangle -A OUTPUT -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>
>
>>>> Here the mark value of the packet is set to 9, which will be saved to be used as conntrack mark for all the packets coming after this. But this has to be >>>> restored
>>>>Try this combination
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j MARK --set-mark 9
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
>>>>> Ain't sure, hope it works!!!
Regards,
Vinod C
* Re: CONNMARK save-mark and restore-mark not working ?
From: Ian! D. Allen @ 2005-02-18 21:32 UTC (permalink / raw)
To: Vinod Chandran; +Cc: netfilter
Vinod Chandran wrote:
> > iptables -t mangle -A OUTPUT -j MARK --set-mark 9
> > iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> Here the mark value of the packet is set to 9, which will be saved
> to be used as conntrack mark for all the packets coming after this.
It isn't being saved. The --save-mark does nothing. It changes
nothing in any of my ip_conntrack lines:
# grep 'mark=9' /proc/net/ip_conntrack
#
That sounds broken, right?
Linux elm 2.6.10-1mdk #2 Sat Jan 29 13:10:11 EST 2005 i686 AMD Athlon(tm) XP 3200+ unknown GNU/Linux
--
-IAN! Ian! D. Allen Ottawa, Ontario, Canada
EMail: idallen@idallen.ca WWW: http://www.idallen.com/
College professor (Linux) via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/
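The `grep 'mark=9' /proc/net/ip_conntrack` check above, automated as an added example that is not part of the thread: a small parser for conntrack table dumps that reports which connections do not carry the expected connmark, so a missing `--save-mark` effect shows up per connection rather than as an empty grep. The sample entries are constructed in the 2.6-era /proc/net/ip_conntrack layout; the handling of the `ipv4 2` prefix used by the later /proc/net/nf_conntrack file is an assumption about that format.

```python
"""Parse Linux conntrack table dumps and report which connections carry the
expected connection mark.  Added example, not from the thread: it automates
the ``grep 'mark=9' /proc/net/ip_conntrack`` check Ian ran.  The entries
below are constructed to mimic the 2.6-era /proc/net/ip_conntrack format."""
from dataclasses import dataclass

SAMPLE_IP_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.1.1.2 dst=192.0.2.10 sport=41234 dport=80 packets=5 bytes=400 src=192.0.2.10 dst=10.1.1.2 sport=80 dport=41234 packets=4 bytes=3000 [ASSURED] mark=9 use=1
udp      17 29 src=10.1.1.2 dst=10.1.1.1 sport=53123 dport=53 packets=1 bytes=60 [UNREPLIED] src=10.1.1.1 dst=10.1.1.2 sport=53 dport=53123 packets=0 bytes=0 mark=0 use=1
tcp      6 117 TIME_WAIT src=10.1.1.2 dst=192.0.2.11 sport=41235 dport=443 packets=10 bytes=900 src=192.0.2.11 dst=10.1.1.2 sport=443 dport=41235 packets=8 bytes=7000 [ASSURED] mark=9 use=1
"""

@dataclass
class ConnEntry:
    proto: str
    state: str   # tcp state token; empty for udp/icmp
    orig: dict   # original-direction tuple (src, dst, sport, dport, ...)
    reply: dict  # reply-direction tuple
    flags: list  # e.g. ASSURED, UNREPLIED
    mark: int    # connmark as CONNMARK --set-mark/--save-mark left it

def parse_conntrack(text):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in ("ipv4", "ipv6"):  # /proc/net/nf_conntrack prefix (assumed layout)
            tokens = tokens[2:]
        proto, state, orig, reply, flags, mark = tokens[0], "", {}, {}, [], 0
        for tok in tokens[3:]:  # skip proto name, protocol number, timeout
            if tok.startswith("[") and tok.endswith("]"):
                flags.append(tok[1:-1])
            elif "=" in tok:
                key, val = tok.split("=", 1)
                if key == "mark":
                    mark = int(val)  # printed in decimal
                elif key in ("src", "dst", "sport", "dport", "packets", "bytes"):
                    # first occurrence is the original direction, second the reply
                    (reply if key in orig else orig)[key] = val
            else:
                state = tok  # tcp prints a state token, udp does not
        entries.append(ConnEntry(proto, state, orig, reply, flags, mark))
    return entries

def unmarked_connections(text, expected_mark):
    """(src, dst, dport) of every connection whose connmark is not expected_mark."""
    return [(e.orig["src"], e.orig["dst"], e.orig.get("dport"))
            for e in parse_conntrack(text) if e.mark != expected_mark]
```

Feed it the real table with `unmarked_connections(open("/proc/net/ip_conntrack").read(), 9)`; an output listing every connection after a `--save-mark` rule has matched is the symptom described in this thread.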
* Re: CONNMARK save-mark and restore-mark not working ?
From: Ian! D. Allen @ 2005-02-20 22:35 UTC (permalink / raw)
To: netfilter
Ian! D. Allen wrote:
> iptables -t mangle -A OUTPUT -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
> I get no marks at all in ip_conntrack.
Kernel bug. Neither --save-mark nor --restore-mark work in my Mandrake
kernel. My bug report is here:
http://qa.mandrakesoft.com/show_bug.cgi?id=13845
The work-around is in the bug report.
--
-IAN! Ian! D. Allen Ottawa, Ontario, Canada
EMail: idallen@idallen.ca WWW: http://www.idallen.com/
College professor (Linux) via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/