From: Ralph de Boom <lkml@deboom.biz>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter@vger.kernel.org
Subject: Re: Iptables v1.4.4 + kernel 2.6.31 mangle marking changed?
Date: Wed, 04 Nov 2009 14:15:03 +0100
Message-ID: <4AF17E57.2060206@deboom.biz>
In-Reply-To: <4AF1628D.5080401@trash.net>

Patrick McHardy wrote:
> Ralph de Boom wrote:
>
>> Hi there,
>>
>> Excuse me if this email might go wrong, it's my first message to a
>> mailing list.
>>
>> But here's my problem: (And I hope you guys could shed light for me...)
>>
>> I originally ran Debian Lenny on kernel 2.6.18.
>> Since today I reinstalled it to Ubuntu Server 9.10 with kernel  2.6.31.
>>
>> Now I used to do this in lenny:
>>
>> iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -d 81.4.97.0/24 -j MARK --set-mark 0x1
>>
>> This would cause relevant packets to be marked 0x1, for which in turn I
>> had an 'ip rule':
>>
>> my rules look like this:
>>
>> ip rule show
>> 0:      from all lookup local
>> 32760:  from all fwmark 0x2 lookup upc
>> 32761:  from all fwmark 0x1 lookup xs4all
>> 32762:  from 192.168.1.XX lookup xs4all
>> 32763:  from 192.168.1.XX lookup upc
>> 32764:  from 24.132.104.XXX lookup upc
>> 32765:  from 192.168.2.XX lookup xs4all
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>>
>> And my 'xs4all' table looks like:
>>
>> ip route show table xs4all
>> 192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.XX
>> default via 192.168.2.X dev eth0
>>
>>
>> I know the rule matches packets I make:
>>
>> iptables -t mangle -v -L
>> Chain PREROUTING (policy ACCEPT 3111K packets, 1861M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>   16  1100 MARK       all  --  any    any     192.168.1.0/24       ip-space.by.proserve.nl/24 MARK xset 0x1/0xffffffff
>>
>> But somehow the connection is never relayed over the xs4all table...
>>
>> The changes I've noticed compared to lenny:
>>
>> iptables now likes to mark my --set-mark 0x1 as a --set-xmark
>> 0x1/0xffffffff
>> whereas in lenny it would stay a --set-mark 0x1
>>
>> Would be very pleased if someone could help me in this matter.
>
> Please try adding a LOG rule directly after the marking rule and
> see what it prints out for the MARK= value.
>
>
First of all, thanks for helping me out!

Here's the info:

iptables -t mangle -v -L
Chain PREROUTING (policy ACCEPT 42M packets, 25G bytes)
 pkts bytes target     prot opt in     out     source               destination
  362 84150 MARK       all  --  any    any     192.168.1.0/24       ip-space.by.proserve.nl/24 MARK xset 0x1/0xffffffff
  362 84150 LOG        all  --  any    any     192.168.1.0/24       ip-space.by.proserve.nl/24 LOG level debug prefix `fwmark 0x1: '

kern.log:
Nov  4 14:12:58 sakura kernel: [52836.368503] fwmark 0x1: IN=eth1 OUT= MAC=00:1b:21:2d:a9:fa:00:1b:21:32:99:5f:08:00 SRC=192.168.1.30 DST=81.4.97.200 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9696 DF PROTO=TCP SPT=61860 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Nov  4 14:13:01 sakura kernel: [52839.368034] fwmark 0x1: IN=eth1 OUT= MAC=00:1b:21:2d:a9:fa:00:1b:21:32:99:5f:08:00 SRC=192.168.1.30 DST=81.4.97.200 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=11490 DF PROTO=TCP SPT=61860 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Nov  4 14:13:07 sakura kernel: [52845.370049] fwmark 0x1: IN=eth1 OUT= MAC=00:1b:21:2d:a9:fa:00:1b:21:32:99:5f:08:00 SRC=192.168.1.30 DST=81.4.97.200 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=15001 DF PROTO=TCP SPT=61860 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1

Thanks!
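
The check Patrick asked for (compare the MARK= value the LOG target prints with the fwmark selector in 'ip rule') can be done by hand from the output above, or scripted. What follows is an added example for this thread, not code from the thread or from iptables/iproute2: it parses the KEY=VALUE fields of a netfilter LOG line, computes what MARK --set-xmark value/mask (the 'xset 0x1/0xffffffff' form iptables 1.4.4 lists for --set-mark 0x1) leaves in the mark, and walks an 'ip rule show' listing in priority order to report which tables the packet's source address and fwmark select. The sample inputs are constructed from the values quoted above, with the redacted (XX) host addresses replaced by made-up ones; the helper first_policy_table assumes the destination is not a local address, so the 'local' table is skipped.

```python
"""Cross-check netfilter LOG output against `ip rule` selectors.

Added example for the thread; not code from the thread, iptables or
iproute2. Sample inputs are constructed from the values quoted in the
thread, with redacted (XX) hosts replaced by made-up addresses.
"""
import ipaddress
import re

MASK32 = 0xFFFFFFFF


def apply_xmark(old_mark, value, mask=MASK32):
    """MARK --set-xmark value/mask: clear the bits in mask, then XOR value.
    `--set-mark 0x1` is listed as `xset 0x1/0xffffffff`: every bit is
    cleared first, so the result is 0x1 whatever the old mark was."""
    return ((old_mark & ~mask) ^ value) & MASK32


def apply_set_mark(old_mark, value, mask=MASK32):
    """MARK --set-mark value/mask: clear the bits in mask, then OR value.
    Differs from --set-xmark only when mask does not cover the value bits."""
    return ((old_mark & ~mask) | value) & MASK32


LOG_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a kernel netfilter LOG line as a dict.
    OUT= is empty in PREROUTING; bare flags (DF, SYN) carry no '=' and
    are not fields."""
    return dict(LOG_FIELD.findall(line))


RULE = re.compile(
    r"^\s*(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>\S+))?"
    r"\s+lookup\s+(?P<table>\S+)"
)


def parse_ip_rules(text):
    """Parse `ip rule show` output into (prio, src_net, mark, mask, table)
    tuples sorted by priority. The fwmark selector may be 0x1 or 0x1/0xff;
    without an explicit mask every bit is compared."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        src = None if m["src"] == "all" else ipaddress.ip_network(m["src"], strict=False)
        mark, mask = None, MASK32
        if m["mark"]:
            value, _, maskstr = m["mark"].partition("/")
            mark = int(value, 0)
            if maskstr:
                mask = int(maskstr, 0)
        rules.append((int(m["prio"]), src, mark, mask, m["table"]))
    return sorted(rules, key=lambda r: r[0])


def matching_rules(rules, src_ip, mark):
    """Walk the rules in priority order, as the kernel's FIB rule lookup
    does, and return the (prio, table) pairs whose selectors the packet
    matches. A selector match only means that table is consulted: if it
    has no route for the destination the walk continues with the next
    rule, which is why 'local' and 'main' both appear in the result."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for prio, src_net, rmark, rmask, table in rules:
        if src_net is not None and ip not in src_net:
            continue
        if rmark is not None and (mark & rmask) != (rmark & rmask):
            continue
        hits.append((prio, table))
    return hits


def first_policy_table(rules, log_line):
    """For one LOG line return (SRC, MARK, table): the first table other
    than 'local' whose rule the packet matches. Assumption: the destination
    is not a local address, so the 'local' table yields no route."""
    f = parse_log_line(log_line)
    mark = int(f.get("MARK", "0"), 0)
    tables = [t for _, t in matching_rules(rules, f["SRC"], mark) if t != "local"]
    return (f["SRC"], mark, tables[0] if tables else None)


# Constructed sample: the `ip rule show` listing from the thread with the
# redacted hosts replaced by made-up addresses.
SAMPLE_RULES = """\
0:      from all lookup local
32760:  from all fwmark 0x2 lookup upc
32761:  from all fwmark 0x1 lookup xs4all
32762:  from 192.168.1.10 lookup xs4all
32763:  from 192.168.1.11 lookup upc
32764:  from 24.132.104.5 lookup upc
32765:  from 192.168.2.20 lookup xs4all
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed sample: one LOG line as quoted in the thread.
SAMPLE_LOG = (
    "Nov  4 14:12:58 sakura kernel: [52836.368503] fwmark 0x1: IN=eth1 OUT= "
    "MAC=00:1b:21:2d:a9:fa:00:1b:21:32:99:5f:08:00 SRC=192.168.1.30 "
    "DST=81.4.97.200 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9696 DF PROTO=TCP "
    "SPT=61860 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1"
)

if __name__ == "__main__":
    rules = parse_ip_rules(SAMPLE_RULES)
    print("xset 0x1/0xffffffff on 0xdeadbeef ->", hex(apply_xmark(0xDEADBEEF, 0x1)))
    print(first_policy_table(rules, SAMPLE_LOG))
```

Run as a script it prints the mark that `xset 0x1/0xffffffff` produces and, for the quoted log line, ('192.168.1.30', 1, 'xs4all'): the MARK= value and the fwmark 0x1 selector agree, so whatever keeps the connection off the xs4all table is not a mismatch between the mark and the rule selector.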



Thread overview: 9+ messages
2009-11-04  0:49 Iptables v1.4.4 + kernel 2.6.31 mangle marking changed? Ralph de Boom
2009-11-04 11:16 ` Patrick McHardy
2009-11-04 13:15   ` Ralph de Boom [this message]
2009-11-04 14:10     ` Patrick McHardy
2009-11-04 15:53       ` Ralph de Boom
2009-11-05 11:52         ` Richard Horton
2009-11-05 17:53           ` Ralph de Boom
2009-11-10 17:34             ` Ralph de Boom
2009-11-11  8:33               ` Richard Horton
