Marks set in PREROUTING got lost

Marks set in PREROUTING got lost

[Clemens]

[-- Attachment #1: Type: text/plain, Size: 366 bytes --]

Hi everyone,

after experimenting with setting marks (--set-mark) in the
PREROUTING chain in the mangle table, I found out, that those marks
were not accessible/matchable in PREROUTING nat table. I was able to
see the marks in chain FORWARD mangle table though :-(

Is this behavior supposed to be like that?

Thank you for your help!

Greets, Clemens


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 250 bytes --]

Re: Marks set in PREROUTING got lost

[Jan Engelhardt]

>Hi everyone,
>
>after experimenting with setting marks (--set-mark) in the

What marks, per-packet marks or per-connection marks?

>PREROUTING chain in the mangle table, I found out, that those marks
>were not accessible/matchable in PREROUTING nat table. I was able to
>see the marks in chain FORWARD mangle table though :-(
>
>Is this behavior supposed to be like that?
>
>Thank you for your help!
>
>Greets, Clemens
>
>

Jan Engelhardt
-- 

Re: Marks set in PREROUTING got lost

[Clemens]

[-- Attachment #1: Type: text/plain, Size: 1333 bytes --]


> 
> What marks, per-packet marks or per-connection marks?
> 
I am not sure, how to distinguish, I just mark all pakets that pass
through a certain user defined chain. I guess this is a mark per packet.
The particular chain lookes like this:


Chain FWD_WWW-101 (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
100000000 bytes
MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
set 0x65
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
1000000 bytes
MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
set 0x1


The goal is to provide full network speed for all NATed computers
for a certain amount of bytes (first quota match), then mark their
packets individually (each computer has its own mangle chain
(FWD_WWW-$computernumber)) with its computernumber in hex, so tc can
slow down their connection to 56k and after the "slow quota" is used
up, the users packets get a different mark  (mark 1) and get a DNAT
to an Over Quota webpage, when the user tries to access an outside
webpage, other connectionattempts get droped.


The problem is now, that pakets get marked with the mark 0x1, but in
PREROUTING nat table, this mark never appears.

Thanks, Clemens


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 250 bytes --]

Re: Marks set in PREROUTING got lost

[Jan Engelhardt]

>> What marks, per-packet marks or per-connection marks?
>> 
>I am not sure, how to distinguish, I just mark all pakets that pass

-j MARK => per-packet
-j CONNMARK => per-connection

>through a certain user defined chain. I guess this is a mark per packet.
>The particular chain lookes like this:
>
>
>Chain FWD_WWW-101 (2 references)
>target     prot opt source               destination
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>100000000 bytes
>MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>set 0x65
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>1000000 bytes
>MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>set 0x1

MARK is only allowed in the mangle table.

>
>
>The goal is to provide full network speed for all NATed computers
>for a certain amount of bytes (first quota match), then mark their
>packets individually (each computer has its own mangle chain
>(FWD_WWW-$computernumber)) with its computernumber in hex, so tc can
>slow down their connection to 56k and after the "slow quota" is used
>up, the users packets get a different mark  (mark 1) and get a DNAT
>to an Over Quota webpage, when the user tries to access an outside
>webpage, other connectionattempts get droped.
>
>
>The problem is now, that pakets get marked with the mark 0x1, but in
>PREROUTING nat table, this mark never appears.

http://www.imagestream.com/~josh/PacketFlow.png

PREROUTING comes before FORWARD.

>
>Thanks, Clemens
>
>

Jan Engelhardt
-- 

Re: Marks set in PREROUTING got lost

[Lucas Diaz]

So, something marked with -j MARK can't be matched on nat table, right?
What if after you mark the packet with -j MARK, you do "-m mark --mark X 
-j CONNMARK --save-mark"; it should be visible from nat table or must be 
marked with -j CONNMARK --set-mark?


>> What marks, per-packet marks or per-connection marks?
>> 
>I am not sure, how to distinguish, I just mark all pakets that pass

-j MARK => per-packet
-j CONNMARK => per-connection

>through a certain user defined chain. I guess this is a mark per packet.
>The particular chain lookes like this:
>
>
>Chain FWD_WWW-101 (2 references)
>target     prot opt source               destination
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>100000000 bytes
>MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>set 0x65
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>1000000 bytes
>MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>set 0x1

MARK is only allowed in the mangle table.

>
>
>The goal is to provide full network speed for all NATed computers
>for a certain amount of bytes (first quota match), then mark their
>packets individually (each computer has its own mangle chain
>(FWD_WWW-$computernumber)) with its computernumber in hex, so tc can
>slow down their connection to 56k and after the "slow quota" is used
>up, the users packets get a different mark  (mark 1) and get a DNAT
>to an Over Quota webpage, when the user tries to access an outside
>webpage, other connectionattempts get droped.
>
>
>The problem is now, that pakets get marked with the mark 0x1, but in
>PREROUTING nat table, this mark never appears.

http://www.imagestream.com/~josh/PacketFlow.png

PREROUTING comes before FORWARD.

>
>Thanks, Clemens
>
>

Jan Engelhardt
-- 

Re: Marks set in PREROUTING got lost

[Jan Engelhardt]

>
> So, something marked with -j MARK can't be matched on nat table, right?

You have to mark it in the PREROUTING chain of the mangle table, to be 
able to match on it within the PREROUTING chain of the nat table.

--- Orig msg ---
> What if after you mark the packet with -j MARK, you do "-m mark --mark X -j
> CONNMARK --save-mark"; it should be visible from nat table or must be marked
> with -j CONNMARK --set-mark?
>
>
>> > What marks, per-packet marks or per-connection marks?
>> > 
>> I am not sure, how to distinguish, I just mark all pakets that pass
>
> -j MARK => per-packet
> -j CONNMARK => per-connection
>
>> through a certain user defined chain. I guess this is a mark per packet.
>> The particular chain lookes like this:
>> 
>> 
>> Chain FWD_WWW-101 (2 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>> 100000000 bytes
>> MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>> set 0x65
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>> 1000000 bytes
>> MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>> set 0x1
>
> MARK is only allowed in the mangle table.
>
>> 
>> 
>> The goal is to provide full network speed for all NATed computers
>> for a certain amount of bytes (first quota match), then mark their
>> packets individually (each computer has its own mangle chain
>> (FWD_WWW-$computernumber)) with its computernumber in hex, so tc can
>> slow down their connection to 56k and after the "slow quota" is used
>> up, the users packets get a different mark  (mark 1) and get a DNAT
>> to an Over Quota webpage, when the user tries to access an outside
>> webpage, other connectionattempts get droped.
>> 
>> 
>> The problem is now, that pakets get marked with the mark 0x1, but in
>> PREROUTING nat table, this mark never appears.
>
> http://www.imagestream.com/~josh/PacketFlow.png
>
> PREROUTING comes before FORWARD.
>
>> 
>> Thanks, Clemens
>> 
>> 
>
> Jan Engelhardt
> -- 
>
>
>
>

Jan Engelhardt
-- 

Re: Marks set in PREROUTING got lost

[Clemens]

[-- Attachment #1: Type: text/plain, Size: 272 bytes --]


> You have to mark it in the PREROUTING chain of the mangle table, to be 
> able to match on it within the PREROUTING chain of the nat table.
> 
Is this also true, if I jump from PREROUTING mangle in a user
defined chain and mark my packets there?

--
Clemens


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 250 bytes --]

Re: Marks set in PREROUTING got lost

[Clemens]

[-- Attachment #1: Type: text/plain, Size: 1216 bytes --]

> -j MARK => per-packet
> -j CONNMARK => per-connection

thank you

> 
>> through a certain user defined chain. I guess this is a mark per packet.
>> The particular chain lookes like this:
>>
>>
>> Chain FWD_WWW-101 (2 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>> 100000000 bytes
>> MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>> set 0x65
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           quota:
>> 1000000 bytes
>> MARK       all  --  0.0.0.0/0            0.0.0.0/0           MARK
>> set 0x1
> 
> MARK is only allowed in the mangle table.
> 
Yes I know that. The abstract above comes from the mangle table, the
name of the userdefined chain (which I jump into from PREROUTING
mangle) might be a bit irritating, I admit, but it has nothing to do
with FORWARD.

> http://www.imagestream.com/~josh/PacketFlow.png
> 
> PREROUTING comes before FORWARD.

Yes I also know that. The Packets get marked correctly, I checked
that in FORWARD filter, but in PREROUTING nat they are not, even
though they should have been, hence I cannot dnat

--
Clemens


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 250 bytes --]

Re: Marks set in PREROUTING got lost

[Bo Yang]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Clemens :
> Hi everyone,
>
> after experimenting with setting marks (--set-mark) in the
> PREROUTING chain in the mangle table, I found out, that those marks
>  were not accessible/matchable in PREROUTING nat table. I was able
> to see the marks in chain FORWARD mangle table though :-(
I think this has something to do with the kernel netfilter framework
internal .
In the netfilter , there are five points in which user defined
funtions to be
called by the kernel , they are PREROUTING , FORWORD , POSTROUTING ,
INPUT , OUTPUT . So , you mark a package in the prerouting point , and
then
you must can see it in the forword point , because the package go from
the prerouting
to the forward . But if you mark a package in the prerouting point but
also want to
see it in the same point , there is must some trick here .
If the mangle table's  funtion called before the nat table , I think
you can see the mark ,
if it isn't , you can't .

But you can just complete your task without go into the troubles here .
If you want to distinguish packages , you can just do that in the nat
prerouting chain ,
why do you mark it in the mangle table and find it in the nat table ?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFFHKSn7tZp58UCwyMRAqXOAJ9j8HjpvPYFKsODrT8PDkyWzm/jUACeLYBX
/rcGTiWbFi3gekD/EsL3Er4=
=ZIlb
-----END PGP SIGNATURE-----

Re: Marks set in PREROUTING got lost

[Jan Engelhardt]

>> You have to mark it in the PREROUTING chain of the mangle table, to be 
>> able to match on it within the PREROUTING chain of the nat table.
>
>Is this also true, if I jump from PREROUTING mangle in a user
>defined chain and mark my packets there?

Just make sure it gets marked in a table/chain (or subchain thereof) 
before the nat-PREROUTING chain is hit, according to 
http://www.imagestream.com/~josh/PacketFlow-new.png


Jan Engelhardt
-- 

Re: Marks set in PREROUTING got lost

[Bo Yang]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Jan Engelhardt:
>>> You have to mark it in the PREROUTING chain of the mangle
>>> table, to be able to match on it within the PREROUTING chain of
>>> the nat table.
>> Is this also true, if I jump from PREROUTING mangle in a user
>> defined chain and mark my packets there?
>
> Just make sure it gets marked in a table/chain (or subchain
> thereof) before the nat-PREROUTING chain is hit, according to
> http://www.imagestream.com/~josh/PacketFlow-new.png
>
Good stuff , very clear flow !
Thank you !

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFFHg7e7tZp58UCwyMRAqgDAJ9mVf92fMHZUL5PHhL0UtNBJn9nnACfS4rx
UG7NZsE/bgQMsbQTYnzCMdo=
=5FpZ
-----END PGP SIGNATURE-----