From: Patrick McHardy <kaber@trash.net>
To: Mario 'BitKoenig' Holbe <Mario.Holbe@TU-Ilmenau.DE>,
netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: netfilter: marking IPv6 packets sends them to the wrong interface
Date: Mon, 24 Jan 2011 14:46:57 +0100 [thread overview]
Message-ID: <4D3D82D1.6050305@trash.net> (raw)
In-Reply-To: <20110123122108.GA30305@darkside.kls.lan>
On 23.01.2011 13:21, Mario 'BitKoenig' Holbe wrote:
> Hello,
>
> I have a strange issue with netfilter MARK on IPv6 which I cannot
> explain and which I believe to be a kernel bug:
> If I mark outgoing IPv6 packets they appear to be transmitted via the
> wrong physical interface. At least multicast packets - at least some of
> them.
>
> I'm running a Linux-based router with two local interfaces and radvd
> advertises stateless autoconfiguration information on them.
> If I mark all outgoing IPv6 packets, after some time all hosts on both
> subnets appear to be autoconfigured for both subnets, i.e. they all have
> two IPv6 addresses - one of each subnet and two default routes - one for
> each router interface. Of course, only one of them really works on each
> host.
>
> The gateway does pretty normal routing, no routing policies,
> particularly no fwmark rules, does no bridging or something like that.
> The network interfaces are Intel driven by e100.
>
> The following debug session is done with a 2.6.32 kernel, the condensed
> packet information originates from tcpdump:
>
> Without marking everything runs as it should be.
> Marking eth0 packets results in all advertisements transmitted via eth1.
> The behaviour goes back to normal as soon as the marking disappears.
> Marking eth1 packets doesn't appear to change the normal behaviour at
> the first glance, but with that I experience hiccups after some time of
> inactivity (i.e. from time to time ping6 from one subnet to the other
> gets no answers for the first 6 to 8 packets).
>
> I also tried marking with 0xff00 instead of 1 - same results.
> I tested this on kernels 2.6.26, 2.6.32, and 2.6.37 - all show the same
> behaviour.
That probably means that we're not using the correct keys
when rerouting in ip6_route_me_harder(). Just for testing,
please try to disable the ip6_route_me_harder() call in
net/ipv6/netfilter/ip6table_mangle.c::ip6t_mangle_out().
next prev parent reply other threads:[~2011-01-24 13:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-23 12:21 netfilter: marking IPv6 packets sends them to the wrong interface Mario 'BitKoenig' Holbe
2011-01-24 13:46 ` Patrick McHardy [this message]
2011-01-24 14:35 ` Mario 'BitKoenig' Holbe
2011-01-24 16:10 ` Patrick McHardy
2011-01-24 17:02 ` Mario 'BitKoenig' Holbe
2011-01-24 17:50 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D3D82D1.6050305@trash.net \
--to=kaber@trash.net \
--cc=Mario.Holbe@TU-Ilmenau.DE \
--cc=linux-kernel@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).