From: Patrick McHardy <kaber@trash.net>
To: Mario 'BitKoenig' Holbe <Mario.Holbe@TU-Ilmenau.DE>,
netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: netfilter: marking IPv6 packets sends them to the wrong interface
Date: Mon, 24 Jan 2011 14:46:57 +0100 [thread overview]
Message-ID: <4D3D82D1.6050305@trash.net> (raw)
In-Reply-To: <20110123122108.GA30305@darkside.kls.lan>
On 23.01.2011 13:21, Mario 'BitKoenig' Holbe wrote:
> Hello,
>
> I have a strange issue with netfilter MARK on IPv6 which I cannot
> explain and which I believe to be a kernel bug:
> If I mark outgoing IPv6 packets they appear to be transmitted via the
> wrong physical interface. At least multicast packets - at least some of
> them.
>
> I'm running a Linux-based router with two local interfaces and radvd
> advertises stateless autoconfiguration information on them.
> If I mark all outgoing IPv6 packets, after some time all hosts on both
> subnets appear to be autoconfigured for both subnets, i.e. they all have
> two IPv6 addresses - one of each subnet and two default routes - one for
> each router interface. Of course, only one of them really works on each
> host.
>
> The gateway does pretty normal routing, no routing policies,
> particularly no fwmark rules, does no bridging or something like that.
> The network interfaces are Intel driven by e100.
>
> The following debug session is done with a 2.6.32 kernel, the condensed
> packet information originates from tcpdump:
>
> Without marking everything runs as it should be.
> Marking eth0 packets results in all advertisements transmitted via eth1.
> The behaviour goes back to normal as soon as the marking disappears.
> Marking eth1 packets doesn't appear to change the normal behaviour at
> the first glance, but with that I experience hiccups after some time of
> inactivity (i.e. from time to time ping6 from one subnet to the other
> gets no answers for the first 6 to 8 packets).
>
> I also tried marking with 0xff00 instead of 1 - same results.
> I tested this on kernels 2.6.26, 2.6.32, and 2.6.37 - all show the same
> behaviour.
That probably means that we're not using the correct keys
when rerouting in ip6_route_me_harder(). Just for testing,
please try to disable the ip6_route_me_harder() call in
net/ipv6/netfilter/ip6table_mangle.c::ip6t_mangle_out().
next prev parent reply other threads:[~2011-01-24 13:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-23 12:21 netfilter: marking IPv6 packets sends them to the wrong interface Mario 'BitKoenig' Holbe
2011-01-24 13:46 ` Patrick McHardy [this message]
2011-01-24 14:35 ` Mario 'BitKoenig' Holbe
2011-01-24 16:10 ` Patrick McHardy
2011-01-24 17:02 ` Mario 'BitKoenig' Holbe
2011-01-24 17:50 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D3D82D1.6050305@trash.net \
--to=kaber@trash.net \
--cc=Mario.Holbe@TU-Ilmenau.DE \
--cc=linux-kernel@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.