From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andreas Unterkircher Date: Fri, 19 May 2006 17:31:43 +0000 Subject: Re: [LARTC] iptables CLASSIFY and MARK not working? Message-Id: <446E00FF.1010305@netshadow.at> List-Id: References: <0633E0EDB4F25F43A2D7179CA11FAFAB255388@xavier.staff.greatlakes.net> In-Reply-To: <0633E0EDB4F25F43A2D7179CA11FAFAB255388@xavier.staff.greatlakes.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: lartc@vger.kernel.org Have you checked that the ip_conntrack module is loaded or compiled into the kernel? If not the mark is lost... Cheers, Andreas Eliot, Wireless and Server Administrator, Great Lakes Internet schrieb: > I have to match my packets based on MAC address, which I cannot do in > the POSTROUTING chain, so I do it in PREROUTING using MARK. Then, I > match on the MARK in the POSTROUTING chain to do a CLASSIFY. But this > does not seem to work: > > wireless-r1 bwlimit # iptables -L -v -n -t mangle > Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes) > pkts bytes target prot opt in out source > destination > 12527 11M CONNMARK all -- * * 0.0.0.0/0 > 0.0.0.0/0 CONNMARK restore > 3227 130K MARK all -- * * 0.0.0.0/0 > 0.0.0.0/0 MAC 00:05:9E:81:3D:07 MARK set 0x30 > 3231 132K CONNMARK all -- * * 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x30 CONNMARK save > 0 0 MARK udp -- * * 0.0.0.0/0 > 0.0.0.0/0 MAC 00:05:9E:81:3D:07 multiport ports > 53,4569,5060,10000:20000 MARK set 0x2f > 0 0 MARK tcp -- * * 0.0.0.0/0 > 0.0.0.0/0 MAC 00:05:9E:81:3D:07 multiport ports 22,23,53 MARK > set 0x2f > 3 180 MARK icmp -- * * 0.0.0.0/0 > 0.0.0.0/0 MAC 00:05:9E:81:3D:07 MARK set 0x2f > 3222 129K MARK tcp -- * * 0.0.0.0/0 > 0.0.0.0/0 tcp flags:0x18/0x10 MAC 00:05:9E:81:3D:07 MARK set > 0x2f > 0 0 MARK udp -- * * 0.0.0.0/0 > 0.0.0.0/0 udp dpt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f > 0 0 MARK udp -- * * 0.0.0.0/0 > 0.0.0.0/0 udp spt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f > 10272 10M CONNMARK all -- * * 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x2f CONNMARK save > 0 0 MARK all -- * * 0.0.0.0/0 > 0.0.0.0/0 MAC 00:05:9E:81:3D:07 ipp2p v0.8.0 --ipp2p MARK set > 0x31 > 0 0 CONNMARK all -- * * 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x31 CONNMARK save > > Chain INPUT (policy ACCEPT 1177K packets, 165M bytes) > pkts bytes target prot opt in out source > destination > > Chain FORWARD (policy ACCEPT 1157K packets, 703M bytes) > pkts bytes target prot opt in out source > destination > > Chain OUTPUT (policy ACCEPT 535K packets, 95M bytes) > pkts bytes target prot opt in out source > destination > > Chain POSTROUTING (policy ACCEPT 1613K packets, 790M bytes) > pkts bytes target prot opt in out source > destination > 3225 129K CLASSIFY all -- * br1 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x2f CLASSIFY set 47:1 > 2 506 CLASSIFY all -- * br1 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x30 CLASSIFY set 48:1 > 0 0 CLASSIFY all -- * br1 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x31 CLASSIFY set 49:1 > 6352 9321K CLASSIFY all -- * wivl4 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x2f CLASSIFY set 47:1 > 4 1932 CLASSIFY all -- * wivl4 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x30 CLASSIFY set 48:1 > 0 0 CLASSIFY all -- * wivl4 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x31 CLASSIFY set 49:1 > > wireless-r1 bwlimit # tc -s qdisc show dev wivl4 > qdisc prio 5: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 > Sent 11887911 bytes 8179 pkt (dropped 878, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc htb 26: parent 5:1 r2q 10 default 1 direct_packets_stat 0 > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc htb 27: parent 5:2 r2q 10 default 1 direct_packets_stat 0 > Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc htb 28: parent 5:3 r2q 10 default 1 direct_packets_stat 0 > Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc htb 47: parent 26:1 r2q 10 default 1 direct_packets_stat 0 > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc htb 48: parent 27:1 r2q 10 default 1 direct_packets_stat 0 > Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > qdisc htb 49: parent 28:1 r2q 10 default 1 direct_packets_stat 0 > Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > > wireless-r1 bwlimit # tc -s class show dev wivl4 > class prio 5:1 parent 5: leaf 26: > > class prio 5:2 parent 5: leaf 27: > > class prio 5:3 parent 5: leaf 28: > > class htb 26:1 root leaf 47: prio 0 rate 30000Kbit ceil 30000Kbit burst > 16593b cburst 16593b > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > lended: 0 borrowed: 0 giants: 0 > tokens: 4532 ctokens: 4532 > > class htb 27:1 root leaf 48: prio 0 rate 60000Kbit ceil 60000Kbit burst > 31590b cburst 31590b > Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0) > rate 624bit 1pps backlog 0b 0p requeues 0 > lended: 790 borrowed: 0 giants: 0 > tokens: 4306 ctokens: 4306 > > class htb 28:1 root leaf 49: prio 0 rate 10000Kbit ceil 10000Kbit burst > 6598b cburst 6598b > Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > lended: 11178 borrowed: 0 giants: 0 > tokens: 5368 ctokens: 5368 > > class htb 47:1 root prio 1 rate 80000bit ceil 128000bit burst 125Kb > cburst 8000b > Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > lended: 0 borrowed: 0 giants: 0 > tokens: 13107200 ctokens: 512000 > > class htb 48:1 root prio 2 rate 2048Kbit ceil 3072Kbit burst 3000Kb > cburst 192000b > Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0) > rate 624bit 1pps backlog 0b 0p requeues 0 > lended: 790 borrowed: 0 giants: 0 > tokens: 12287744 ctokens: 511831 > > class htb 49:1 root prio 3 rate 960000bit ceil 960000bit burst 960000b > cburst 60000b > Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0) > rate 0bit 0pps backlog 0b 0p requeues 0 > lended: 11178 borrowed: 0 giants: 0 > tokens: 8191591 ctokens: 511591 > > > In the iptables rules, you'll see that the bulk of the traffic I'm > sending through is getting marked with 0x2f (47 decimal). In the > POSTROUTING chain, it is being classified as 47:1. In fact, nothing at > all is getting classified as 49:1. But, in the TC class and qdisc > displays, everything is coming up under the 49:1 instead of the 47:1. > What happened? Either I have some weird typo I'm not seeing, or this is > just not working the way I'm expecting it to. Anyone have any thoughts > on this? > > Thanks. > > Eliot Gable > Certified Wireless Network Administrator (CWNA) > Certified Wireless Security Professional (CWSP) > Cisco Certified Network Associate (CCNA) > CompTIA Security+ Certified > CompTIA Network+ Certified > Network and Systems Administrator > Great Lakes Internet, Inc. > 112 North Howard > Croswell, MI 48422 > (810) 679-3395 > (877) 558-8324 > > Now offering Broadband Wireless Internet access in Croswell, Lexington, > Brown City, Yale, and Sandusky. Call for details. > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc