[LARTC] FTP Connection Tracking in a Bridge

[LARTC] FTP Connection Tracking in a Bridge

[Wayne]

[-- Attachment #1: Type: text/plain, Size: 949 bytes --]

Hello,

I have a box running as a bridge and am trying to track the passive FTP sessions by marking them with iptables (CONNMARK option installed) and then trying to pick up the mark using tc filter fwmark. This is not working.

I have checked the marking of the packets and this is working fine because I can see the marks when I cat /proc/net/ip_conntrack.

Having setup my queues and using the following command:

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a

I do not get any traffic going in to this queue. I am running kernel 2.4.21. 

My question is whether the packet that I have marked is actually every getting to the tc filter. As I am running a bridge, does the packet get marked in iptables PREROUTING, and then go straight to the FORWARD rule and then out.

What is the sequence in which iptables processes the packet and then the tc filter processes the packet.

Many thanks

Wayne

[-- Attachment #2: Type: text/html, Size: 1352 bytes --]

Re: [LARTC] FTP Connection Tracking in a Bridge

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

On Wed, 2003-08-20 at 10:48, Wayne wrote:
> Hello,
> 
> I have a box running as a bridge and am trying to track the passive
> FTP sessions by marking them with iptables (CONNMARK option installed)
> and then trying to pick up the mark using tc filter fwmark. This is
> not working.

Are you setting the mark (std fw mark) ? the connmark is not saved when
leaving  netfilter and reaching the QOS system.

See : http://home.regit.org/connmark.html for details

BR,
-- 
Eric Leblond <eric@regit.org>
Regit.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

RE: [LARTC] FTP Connection Tracking in a Bridge

[S Mohan]

You must use fwmark setting and not connmark.

Mohan
-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
Behalf Of Wayne
Sent: Wednesday, August 20, 2003 2:18 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] FTP Connection Tracking in a Bridge


Hello,
I have a box running as a bridge and am trying to track the passive FTP
sessions by marking them with iptables (CONNMARK option installed) and then
trying to pick up the mark using tc filter fwmark. This is not working.
I have checked the marking of the packets and this is working fine because I
can see the marks when I cat /proc/net/ip_conntrack.
Having setup my queues and using the following command:
tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
1:2a
I do not get any traffic going in to this queue. I am running kernel 2.4.21.
My question is whether the packet that I have marked is actually every
getting to the tc filter. As I am running a bridge, does the packet get
marked in iptables PREROUTING, and then go straight to the FORWARD rule and
then out.
What is the sequence in which iptables processes the packet and then the tc
filter processes the packet.
Many thanks
Wayne

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] FTP Connection Tracking in a Bridge

[Wayne]

I believe I am using fwmark as below.  Any input would be appreciated:


Here is part of the setup:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 21 -t mangle -j
MARK --set-mark 14
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 80 -t mangle -j
MARK --set-mark 2
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 3128 -t mangle -j
MARK --set-mark 2
iptables -A PREROUTING -t mangle -j CONNMARK --save-mark

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
1:2a


Here is part of /proc/net/ip_conntrack showing the packet is getting marked:

tcp      6 431989 ESTABLISHED src\x10.0.1.99 dst\x196.34.2.188 sport\x1838
dport128 src\x196.34.2.188 dst\x10.0.1.99 sport128 dport\x1838 [ASSURED]
use=1 mark=2

Here is part of the QOS class stats show no packets being picked up by the
filter command:

class htb 1:2 parent 1:1001 leaf 2a: prio 0 quantum 1500 rate 22Kbit ceil
120Kbit burst 1627b/8 mpu 0b cburst 1752b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 473600 ctokens: 93492

Thanks

Wayne

----- Original Message ----- 
From: "S Mohan" <smohan@vsnl.com>
To: "Wayne" <wayne@fengshuifont.com>; <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 20, 2003 12:00 PM
Subject: RE: [LARTC] FTP Connection Tracking in a Bridge


> You must use fwmark setting and not connmark.
>
> Mohan
> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
> Behalf Of Wayne
> Sent: Wednesday, August 20, 2003 2:18 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] FTP Connection Tracking in a Bridge
>
>
> Hello,
> I have a box running as a bridge and am trying to track the passive FTP
> sessions by marking them with iptables (CONNMARK option installed) and
then
> trying to pick up the mark using tc filter fwmark. This is not working.
> I have checked the marking of the packets and this is working fine because
I
> can see the marks when I cat /proc/net/ip_conntrack.
> Having setup my queues and using the following command:
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a
> I do not get any traffic going in to this queue. I am running kernel
2.4.21.
> My question is whether the packet that I have marked is actually every
> getting to the tc filter. As I am running a bridge, does the packet get
> marked in iptables PREROUTING, and then go straight to the FORWARD rule
and
> then out.
> What is the sequence in which iptables processes the packet and then the
tc
> filter processes the packet.
> Many thanks
> Wayne
>
>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] FTP Connection Tracking in a Bridge

[Stef Coene]

On Wednesday 20 August 2003 12:06, Wayne wrote:
> I believe I am using fwmark as below.  Any input would be appreciated:
>
>
> Here is part of the setup:
>
> iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
> iptables -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
> iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 21 -t mangle -j
> MARK --set-mark 14
> iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 80 -t mangle -j
> MARK --set-mark 2
> iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 3128 -t mangle -j
> MARK --set-mark 2
> iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
>
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a
>
>
> Here is part of /proc/net/ip_conntrack showing the packet is getting
> marked:
>
> tcp      6 431989 ESTABLISHED src\x10.0.1.99 dst\x196.34.2.188 sport\x1838
> dport128 src\x196.34.2.188 dst\x10.0.1.99 sport128 dport\x1838 [ASSURED]
> use=1 mark=2
>
> Here is part of the QOS class stats show no packets being picked up by the
> filter command:
>
> class htb 1:2 parent 1:1001 leaf 2a: prio 0 quantum 1500 rate 22Kbit ceil
> 120Kbit burst 1627b/8 mpu 0b cburst 1752b/8 mpu 0b level 0
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 473600 ctokens: 93492
>
> Thanks
Can you also post your filter rules ?

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] FTP Connection Tracking in a Bridge

[Stef Coene]

On Wednesday 20 August 2003 10:48, Wayne wrote:
> Hello,
>
> I have a box running as a bridge and am trying to track the passive FTP
> sessions by marking them with iptables (CONNMARK option installed) and then
> trying to pick up the mark using tc filter fwmark. This is not working.
>
> I have checked the marking of the packets and this is working fine because
> I can see the marks when I cat /proc/net/ip_conntrack.
>
> Having setup my queues and using the following command:
>
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a
>
> I do not get any traffic going in to this queue. I am running kernel
> 2.4.21.
>
> My question is whether the packet that I have marked is actually every
> getting to the tc filter. As I am running a bridge, does the packet get
> marked in iptables PREROUTING, and then go straight to the FORWARD rule and
> then out.
>
> What is the sequence in which iptables processes the packet and then the tc
> filter processes the packet.
>
> Many thanks
Just wondering, can you really use iptables on a bridge?  I thought you have 
to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] FTP Connection Tracking in a Bridge

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 409 bytes --]

On Wed, 2003-08-20 at 14:26, Stef Coene wrote:
> On Wednesday 20 August 2003 10:48, Wayne wrote:
> > Hello,

> Just wondering, can you really use iptables on a bridge?  I thought you have 
> to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html

There's also a patch that brings a few change and enable filtering with
iptables.

BR,
-- 
Eric Leblond <eric@regit.org>
Regit.org

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [LARTC] FTP Connection Tracking in a Bridge

[Wayne]

I have applied the patch to IPTABLES which allows me to use it on a bridge.
The iptables rules are working as I am using it for other things as well.
If you do not have the patch applied, you get an error message when trying
to run IPTABLES.

The one filter rule I am using is as follows:

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
1:2a

I have the browsing match into the IPTABLES as it is a simpler one to check
if it is working before I try the FTP connection tracking portion.

Thanks

Wayne


----- Original Message ----- 
From: "Stef Coene" <stef.coene@docum.org>
To: "Wayne" <wayne@fengshuifont.com>; <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 20, 2003 2:26 PM
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge


> On Wednesday 20 August 2003 10:48, Wayne wrote:
> > Hello,
> >
> > I have a box running as a bridge and am trying to track the passive FTP
> > sessions by marking them with iptables (CONNMARK option installed) and
then
> > trying to pick up the mark using tc filter fwmark. This is not working.
> >
> > I have checked the marking of the packets and this is working fine
because
> > I can see the marks when I cat /proc/net/ip_conntrack.
> >
> > Having setup my queues and using the following command:
> >
> > tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> > 1:2a
> >
> > I do not get any traffic going in to this queue. I am running kernel
> > 2.4.21.
> >
> > My question is whether the packet that I have marked is actually every
> > getting to the tc filter. As I am running a bridge, does the packet get
> > marked in iptables PREROUTING, and then go straight to the FORWARD rule
and
> > then out.
> >
> > What is the sequence in which iptables processes the packet and then the
tc
> > filter processes the packet.
> >
> > Many thanks
> Just wondering, can you really use iptables on a bridge?  I thought you
have
> to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html
>
> Stef
>
> -- 
>
> stef.coene@docum.org
>  "Using Linux as bandwidth manager"
>      http://www.docum.org/
>      #lartc @ irc.oftc.net
>
>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

RE: [LARTC] FTP Connection Tracking in a Bridge

[S Mohan]

Doh. So dumb of me. I have documented this but this skipped my attention.
Thanks Staf. AFAIK, in a bridged mode, only the FORWARD table is processed.
The packet does not traverse any other traditional netfilter table. This is
the reason for the existence of ebtables. ebtables provides all these tables
within its realm.

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On
Behalf Of Stef Coene
Sent: Wednesday, August 20, 2003 5:57 PM
To: Wayne; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge


On Wednesday 20 August 2003 10:48, Wayne wrote:
> Hello,
>
> I have a box running as a bridge and am trying to track the passive FTP
> sessions by marking them with iptables (CONNMARK option installed) and
then
> trying to pick up the mark using tc filter fwmark. This is not working.
>
> I have checked the marking of the packets and this is working fine because
> I can see the marks when I cat /proc/net/ip_conntrack.
>
> Having setup my queues and using the following command:
>
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a
>
> I do not get any traffic going in to this queue. I am running kernel
> 2.4.21.
>
> My question is whether the packet that I have marked is actually every
> getting to the tc filter. As I am running a bridge, does the packet get
> marked in iptables PREROUTING, and then go straight to the FORWARD rule
and
> then out.
>
> What is the sequence in which iptables processes the packet and then the
tc
> filter processes the packet.
>
> Many thanks
Just wondering, can you really use iptables on a bridge?  I thought you have
to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html

Stef

--

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] FTP Connection Tracking in a Bridge

[Stef Coene]

On Wednesday 20 August 2003 14:39, Wayne wrote:
> I have applied the patch to IPTABLES which allows me to use it on a bridge.
> The iptables rules are working as I am using it for other things as well.
> If you do not have the patch applied, you get an error message when trying
> to run IPTABLES.
>
> The one filter rule I am using is as follows:
>
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a
>
> I have the browsing match into the IPTABLES as it is a simpler one to check
> if it is working before I try the FTP connection tracking portion.
You need more filter statements.  You have parent 1:2 but how is traffic 
redirected to this class ???

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] FTP Connection Tracking in a Bridge

[Wayne]

Sorted.  The problem was related to one of the filter statements.
Interesting how we alwayts overlook the simple explanations as to why
something does not work.

Thanks for all the help.

Wayne

----- Original Message ----- 
From: "Stef Coene" <stef.coene@docum.org>
To: "Wayne" <wayne@fengshuifont.com>; <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 20, 2003 5:17 PM
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge


> On Wednesday 20 August 2003 14:39, Wayne wrote:
> > I have applied the patch to IPTABLES which allows me to use it on a
bridge.
> > The iptables rules are working as I am using it for other things as
well.
> > If you do not have the patch applied, you get an error message when
trying
> > to run IPTABLES.
> >
> > The one filter rule I am using is as follows:
> >
> > tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> > 1:2a
> >
> > I have the browsing match into the IPTABLES as it is a simpler one to
check
> > if it is working before I try the FTP connection tracking portion.
> You need more filter statements.  You have parent 1:2 but how is traffic
> redirected to this class ???
>
> Stef
>
> -- 
>
> stef.coene@docum.org
>  "Using Linux as bandwidth manager"
>      http://www.docum.org/
>      #lartc @ irc.oftc.net
>
>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] FTP Connection Tracking in a Bridge

[Bart De Schuymer]

On Wednesday 20 August 2003 15:14, S Mohan wrote:
> Doh. So dumb of me. I have documented this but this skipped my attention.
> Thanks Staf. AFAIK, in a bridged mode, only the FORWARD table is processed.
> The packet does not traverse any other traditional netfilter table. This is
> the reason for the existence of ebtables. ebtables provides all these
> tables within its realm.

Just for the record, as I'm the maintainer of ebtables and the bridge-nf code 
I can safely say that these statements above are not correct.
ebtables is there to filter on non-IP stuff, more specifically the Ethernet 
header. In 2.6 or in a patched (with the bridge-nf patch) 2.4 kernel, the 
PREROUTING/FORWARD/POSTROUTING iptables chains see bridged traffic. This is 
therefore different than the behaviour with the old patch vs 2.2 for 
ipchains.
Anyone interested can go to ebtables.sourceforge.net, the working of iptables 
on a bridge is explained there in detail.
Please update your documentation.

cheers,
Bart

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/