Re: [LARTC] iptables CLASSIFY and MARK not working?

From: Andreas Unterkircher <unki@netshadow.at>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] iptables CLASSIFY and MARK not working?
Date: Fri, 19 May 2006 17:31:43 +0000	[thread overview]
Message-ID: <446E00FF.1010305@netshadow.at> (raw)
In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255388@xavier.staff.greatlakes.net>

Have you checked that the ip_conntrack module is loaded or compiled into 
the kernel?
If not the mark is lost...

Cheers,
Andreas

Eliot, Wireless and Server Administrator, Great Lakes Internet schrieb:
> I have to match my packets based on MAC address, which I cannot do in
> the POSTROUTING chain, so I do it in PREROUTING using MARK. Then, I
> match on the MARK in the POSTROUTING chain to do a CLASSIFY. But this
> does not seem to work:
>
> wireless-r1 bwlimit # iptables -L -v -n -t mangle
> Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
> 12527   11M CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           CONNMARK restore
>  3227  130K MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MAC 00:05:9E:81:3D:07 MARK set 0x30
>  3231  132K CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK match 0x30 CONNMARK save
>     0     0 MARK       udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MAC 00:05:9E:81:3D:07 multiport ports
> 53,4569,5060,10000:20000 MARK set 0x2f
>     0     0 MARK       tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MAC 00:05:9E:81:3D:07 multiport ports 22,23,53 MARK
> set 0x2f
>     3   180 MARK       icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0           MAC 00:05:9E:81:3D:07 MARK set 0x2f
>  3222  129K MARK       tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           tcp flags:0x18/0x10 MAC 00:05:9E:81:3D:07 MARK set
> 0x2f
>     0     0 MARK       udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           udp dpt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
>     0     0 MARK       udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           udp spt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
> 10272   10M CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK match 0x2f CONNMARK save
>     0     0 MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MAC 00:05:9E:81:3D:07 ipp2p v0.8.0 --ipp2p MARK set
> 0x31
>     0     0 CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK match 0x31 CONNMARK save
>
> Chain INPUT (policy ACCEPT 1177K packets, 165M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain FORWARD (policy ACCEPT 1157K packets, 703M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain OUTPUT (policy ACCEPT 535K packets, 95M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain POSTROUTING (policy ACCEPT 1613K packets, 790M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  3225  129K CLASSIFY   all  --  *      br1     0.0.0.0/0
> 0.0.0.0/0           MARK match 0x2f CLASSIFY set 47:1
>     2   506 CLASSIFY   all  --  *      br1     0.0.0.0/0
> 0.0.0.0/0           MARK match 0x30 CLASSIFY set 48:1
>     0     0 CLASSIFY   all  --  *      br1     0.0.0.0/0
> 0.0.0.0/0           MARK match 0x31 CLASSIFY set 49:1
>  6352 9321K CLASSIFY   all  --  *      wivl4   0.0.0.0/0
> 0.0.0.0/0           MARK match 0x2f CLASSIFY set 47:1
>     4  1932 CLASSIFY   all  --  *      wivl4   0.0.0.0/0
> 0.0.0.0/0           MARK match 0x30 CLASSIFY set 48:1
>     0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0
> 0.0.0.0/0           MARK match 0x31 CLASSIFY set 49:1
>
> wireless-r1 bwlimit # tc -s qdisc show dev wivl4
> qdisc prio 5: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
>  Sent 11887911 bytes 8179 pkt (dropped 878, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 26: parent 5:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 27: parent 5:2 r2q 10 default 1 direct_packets_stat 0
>  Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 28: parent 5:3 r2q 10 default 1 direct_packets_stat 0
>  Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 47: parent 26:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 48: parent 27:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc htb 49: parent 28:1 r2q 10 default 1 direct_packets_stat 0
>  Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
> wireless-r1 bwlimit # tc -s class show dev wivl4
> class prio 5:1 parent 5: leaf 26:
>
> class prio 5:2 parent 5: leaf 27:
>
> class prio 5:3 parent 5: leaf 28:
>
> class htb 26:1 root leaf 47: prio 0 rate 30000Kbit ceil 30000Kbit burst
> 16593b cburst 16593b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 4532 ctokens: 4532
>
> class htb 27:1 root leaf 48: prio 0 rate 60000Kbit ceil 60000Kbit burst
> 31590b cburst 31590b
>  Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 624bit 1pps backlog 0b 0p requeues 0
>  lended: 790 borrowed: 0 giants: 0
>  tokens: 4306 ctokens: 4306
>
> class htb 28:1 root leaf 49: prio 0 rate 10000Kbit ceil 10000Kbit burst
> 6598b cburst 6598b
>  Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 11178 borrowed: 0 giants: 0
>  tokens: 5368 ctokens: 5368
>
> class htb 47:1 root prio 1 rate 80000bit ceil 128000bit burst 125Kb
> cburst 8000b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 13107200 ctokens: 512000
>
> class htb 48:1 root prio 2 rate 2048Kbit ceil 3072Kbit burst 3000Kb
> cburst 192000b
>  Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 624bit 1pps backlog 0b 0p requeues 0
>  lended: 790 borrowed: 0 giants: 0
>  tokens: 12287744 ctokens: 511831
>
> class htb 49:1 root prio 3 rate 960000bit ceil 960000bit burst 960000b
> cburst 60000b
>  Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 11178 borrowed: 0 giants: 0
>  tokens: 8191591 ctokens: 511591
>
>
> In the iptables rules, you'll see that the bulk of the traffic I'm
> sending through is getting marked with 0x2f (47 decimal). In the
> POSTROUTING chain, it is being classified as 47:1. In fact, nothing at
> all is getting classified as 49:1. But, in the TC class and qdisc
> displays, everything is coming up under the 49:1 instead of the 47:1.
> What happened? Either I have some weird typo I'm not seeing, or this is
> just not working the way I'm expecting it to. Anyone have any thoughts
> on this?
>
> Thanks.
>  
> Eliot Gable
> Certified Wireless Network Administrator (CWNA)
> Certified Wireless Security Professional (CWSP)
> Cisco Certified Network Associate (CCNA)
> CompTIA Security+ Certified
> CompTIA Network+ Certified
> Network and Systems Administrator
> Great Lakes Internet, Inc.
> 112 North Howard
> Croswell, MI 48422
> (810) 679-3395
> (877) 558-8324
>  
> Now offering Broadband Wireless Internet access in Croswell, Lexington,
> Brown City, Yale, and Sandusky. Call for details.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>   

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc