* verifying set-mark
@ 2008-02-22 20:14 Casey Scott
2008-02-22 20:44 ` Rob Sterenborg
0 siblings, 1 reply; 11+ messages in thread
From: Casey Scott @ 2008-02-22 20:14 UTC (permalink / raw)
To: netfilter
How can I determine whether or not an iptables set-mark operation
is working? iptables -t mangle -nvL shows packets matching the
rules with the set-mark. However, with a tcpdump -vvv -i <interface>
I can not see the mark. I am looking at the tos field, and I
don't see a tos field matching the marks I am trying to set.
Thanks,
Casey
* RE: verifying set-mark
2008-02-22 20:14 verifying set-mark Casey Scott
@ 2008-02-22 20:44 ` Rob Sterenborg
2008-02-22 20:53 ` Casey Scott
0 siblings, 1 reply; 11+ messages in thread
From: Rob Sterenborg @ 2008-02-22 20:44 UTC (permalink / raw)
To: netfilter
> How can I determine whether or not an iptables set-mark operation
> is working? iptables -t mangle -nvL shows packets matching the
> rules with the set-mark. However, with a tcpdump -vvv -i
> <interface>
> I can not see the mark. I am looking at the tos field, and I
> don't see a tos field matching the marks I am trying to set.
Did you try to match the mark in a subsequent rule and LOG the packet when the rule hits?
See also man iptables:
mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
--mark value[/mask] Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).
Grts,
Rob
* Re: verifying set-mark
2008-02-22 20:44 ` Rob Sterenborg
@ 2008-02-22 20:53 ` Casey Scott
2008-02-22 21:44 ` Matt Zagrabelny
0 siblings, 1 reply; 11+ messages in thread
From: Casey Scott @ 2008-02-22 20:53 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
Good suggestion. Just tried that. Traffic gets logged, but
the mark is not set. E.g. (from dump)
Feb 22 12:50:52 tomcat kernel: IN= OUT=eth0 SRC=66.93.87.2
DST=192.168.1.7 LEN=1500 TOS=0x00 PREC=0x20 TTL=54 ID=4397
DF PROTO=TCP SPT=80 DPT=4322 WINDOW=17520 RES=0x00 ACK URGP=0
Feb 22 12:50:52 tomcat kernel: IN=eth0 OUT=eth1 SRC=192.168.1.7
DST=66.93.87.2 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=18031 DF
PROTO=TCP SPT=4322 DPT=80 WINDOW=64240 RES=0x00 ACK URGP=0
Feb 22 12:50:52 tomcat kernel: IN= OUT=eth0 SRC=66.93.87.2
DST=192.168.1.7 LEN=1500 TOS=0x00 PREC=0x20 TTL=54 ID=4398
DF PROTO=TCP SPT=80 DPT=4322 WINDOW=17520 RES=0x00 ACK URGP=0
Notice all the TOS is still 0x00. I am setting marks to 3 or 4
depending on traffic type.
Casey
* Re: verifying set-mark
2008-02-22 20:53 ` Casey Scott
@ 2008-02-22 21:44 ` Matt Zagrabelny
2008-02-22 22:40 ` Casey Scott
0 siblings, 1 reply; 11+ messages in thread
From: Matt Zagrabelny @ 2008-02-22 21:44 UTC (permalink / raw)
To: Casey Scott; +Cc: Rob Sterenborg, netfilter
On Fri, 2008-02-22 at 12:53 -0800, Casey Scott wrote:
> Good suggestion. Tried just tried that. Traffic gets logged, but
> the mark is not set. E.g. (from dump)
>
> Feb 22 12:50:52 tomcat kernel: IN= OUT=eth0 SRC=66.93.87.2
> DST=192.168.1.7 LEN=1500 TOS=0x00 PREC=0x20 TTL=54 ID=4397
> DF PROTO=TCP SPT=80 DPT=4322 WINDOW=17520 RES=0x00 ACK URGP=0
>
> Feb 22 12:50:52 tomcat kernel: IN=eth0 OUT=eth1 SRC=192.168.1.7
> DST=66.93.87.2 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=18031 DF
> PROTO=TCP SPT=4322 DPT=80 WINDOW=64240 RES=0x00 ACK URGP=0
>
> Feb 22 12:50:52 tomcat kernel: IN= OUT=eth0 SRC=66.93.87.2
> DST=192.168.1.7 LEN=1500 TOS=0x00 PREC=0x20 TTL=54 ID=4398
> DF PROTO=TCP SPT=80 DPT=4322 WINDOW=17520 RES=0x00 ACK URGP=0
>
>
> Notice all the TOS is still 0x00. I am setting marks to 3 or 4
> depending on traffic type.
AFAIK, setting TOS is not the same as marking. [goes to check]
The man page confirms that.
--
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
* Re: verifying set-mark
2008-02-22 21:44 ` Matt Zagrabelny
@ 2008-02-22 22:40 ` Casey Scott
2008-02-22 22:49 ` Matt Zagrabelny
0 siblings, 1 reply; 11+ messages in thread
From: Casey Scott @ 2008-02-22 22:40 UTC (permalink / raw)
To: Matt Zagrabelny; +Cc: Rob Sterenborg, netfilter
Ultimately, I am trying to mark packets for a tc filter. Should I
not be using the iptables set-mark to do that?
Casey
* Re: verifying set-mark
2008-02-22 22:40 ` Casey Scott
@ 2008-02-22 22:49 ` Matt Zagrabelny
2008-02-23 18:14 ` Casey Scott
0 siblings, 1 reply; 11+ messages in thread
From: Matt Zagrabelny @ 2008-02-22 22:49 UTC (permalink / raw)
To: Casey Scott; +Cc: Rob Sterenborg, netfilter
On Fri, 2008-02-22 at 14:40 -0800, Casey Scott wrote:
> Ultimately, I am trying to mark packets for a tc filter. Should I
> not be using the iptables set-mark to do that?
I think set-mark is fine for that.
I suggest marking some packets in the PREROUTING chain and then logging
them in the INPUT chain. Something like the following:
$iptables --table mangle --append PREROUTING \
    --in-interface $in_interface \
    --destination $host --jump MARK --set-mark $mark_integer
$iptables --table filter --append INPUT \
    --in-interface $in_interface \
    --match mark --mark $mark_integer --jump LOG
* Re: verifying set-mark
2008-02-22 22:49 ` Matt Zagrabelny
@ 2008-02-23 18:14 ` Casey Scott
2008-02-23 19:23 ` Rob Sterenborg
0 siblings, 1 reply; 11+ messages in thread
From: Casey Scott @ 2008-02-23 18:14 UTC (permalink / raw)
To: Matt Zagrabelny; +Cc: Rob Sterenborg, netfilter
Is there a way with tcpdump to verify that the marks are actually
getting set though?
Casey
* RE: verifying set-mark
2008-02-23 18:14 ` Casey Scott
@ 2008-02-23 19:23 ` Rob Sterenborg
0 siblings, 0 replies; 11+ messages in thread
From: Rob Sterenborg @ 2008-02-23 19:23 UTC (permalink / raw)
To: netfilter
> Is there a way with tcpdump to verify that the marks are actually
> getting set though?
However, I was under the impression that tc is able to use the flags set by iptables.
Man tc:
tc filters
If tc filters are attached to a class, they are consulted first for relevant instructions. Filters can match on all fields of a packet header, as well as on the firewall mark applied by ipchains or iptables.
See tc-filters(8).
Now, I don't seem to have a man page for tc-filters, I can't find it on the internet, nor can I find it in the source (I looked in iproute2-2.6.19-061214), so I'm afraid nobody's got it which makes this a dead end.
There surely must be examples around that show how to work with tc and iptables' mark. Perhaps this will get you going: http://www.szabilinux.hu/bandwidth/index.html
Grts,
Rob
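Rob's pointer to tc's fw classifier, worked through as an added example; this is not code from the thread or from the linked page. It sets the marks in mangle FORWARD for traffic routed from a LAN interface out a WAN interface, builds an HTB tree on the WAN side, and attaches fw filters whose handle is the firewall mark. Interface names (eth0/eth1), rates, the mapping of mark 3 to HTTP and mark 4 to DNS, and the function names are assumptions. With DRY_RUN set the functions print their commands instead of running them, and class_bytes reads a constructed sample of tc -s class show output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: shape routed traffic by iptables firewall mark with tc's fw
# classifier. Not code from the thread. WAN/LAN names, rates, and the
# mark-to-class mapping (3 = HTTP, 4 = DNS) are assumptions for illustration.
WAN=${WAN:-eth0}      # egress interface that carries the shaped traffic
LAN=${LAN:-eth1}      # interface the clients sit behind
RATE=${RATE:-10mbit}  # link rate of the WAN side

# With DRY_RUN set, print the commands instead of running them, so the rule
# set can be reviewed or tested without root and without a real interface.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Marks for routed traffic go in mangle FORWARD. The mark is skb metadata:
# it is never written into the IP header, so the fw classifier on the
# egress qdisc sees it but a sniffer on the wire never will.
# Note: this flushes the whole mangle FORWARD chain before adding its rules.
mark_rules() {
    run iptables -t mangle -F FORWARD
    run iptables -t mangle -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 80 \
        -j MARK --set-mark 3
    run iptables -t mangle -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 \
        -j MARK --set-mark 4
}

# HTB tree on the WAN interface; "handle N fw" means "packets whose firewall
# mark is N", and flowid is the class they are steered into.
shape_rules() {
    run tc qdisc del dev "$WAN" root 2>/dev/null || true
    run tc qdisc add dev "$WAN" root handle 1: htb default 30
    run tc class add dev "$WAN" parent 1:  classid 1:1  htb rate "$RATE" ceil "$RATE"
    run tc class add dev "$WAN" parent 1:1 classid 1:3  htb rate 2mbit ceil "$RATE" prio 1
    run tc class add dev "$WAN" parent 1:1 classid 1:4  htb rate 1mbit ceil 2mbit  prio 0
    run tc class add dev "$WAN" parent 1:1 classid 1:30 htb rate 1mbit ceil "$RATE" prio 2
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 3 fw flowid 1:3
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 4 fw flowid 1:4
}

# Proof on the tc side: bytes sent by a class, parsed from `tc -s class show`
# output on stdin. A class that never moves while marked traffic flows means
# the mark is not reaching the qdisc (wrong chain, wrong interface, or no mark).
class_bytes() {  # class_bytes <classid>   e.g. tc -s class show dev eth0 | class_bytes 1:3
    awk -v id="$1" '/^class htb / { cur = $3 }
                    cur == id && /^[ \t]*Sent / { print $2; exit }'
}

# Constructed sample of `tc -s class show dev eth0` output, for offline testing.
SAMPLE_TC_STATS='class htb 1:3 parent 1:1 prio 1 rate 2Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 301125 bytes 237 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 237 borrowed: 0 giants: 0
 tokens: 100000 ctokens: 20000

class htb 1:4 parent 1:1 prio 0 rate 1Mbit ceil 2Mbit burst 1600b cburst 1600b
 Sent 8432 bytes 64 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 64 borrowed: 0 giants: 0
 tokens: 200000 ctokens: 100000'

case "${1:-}" in
    apply) mark_rules; shape_rules ;;                    # needs root
    show)  DRY_RUN=1 mark_rules; DRY_RUN=1 shape_rules ;;
    stats) tc -s class show dev "$WAN" | class_bytes "${2:-1:3}" ;;
esac
```

Saved as, say, shape.sh: `sh shape.sh show` prints the rule set for review, `sh shape.sh apply` installs it as root, and `sh shape.sh stats 1:3` reports the bytes that have gone through the class for mark 3. That counter, not a packet capture, is the evidence that marked packets are reaching the intended class.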
* Re: verifying set-mark
@ 2008-02-24 16:36 ` Casey Scott
2008-02-24 17:30 ` Martijn Lievaart
0 siblings, 1 reply; 11+ messages in thread
From: Casey Scott @ 2008-02-24 16:36 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
> Now, I don't seem to have a man page for tc-filters, I can't find it
> on the internet, nor can I find it in the source (I looked in
> iproute2-2.6.19-061214), so I'm afraid nobody's got it which makes
> this a dead end.
>
> There surely must be examples around that show how to work with tc and
> iptables' mark. Perhaps this will get you going:
> http://www.szabilinux.hu/bandwidth/index.html
Thanks for that link. I realized that I was marking on
POSTROUTING rather than FORWARD. The correction solved the problem
of throttling, however, I'd still like to know how to use tcpdump to
verify the mark is being set.
Thanks,
Casey
* Re: verifying set-mark
2008-02-24 16:36 ` Casey Scott
@ 2008-02-24 17:30 ` Martijn Lievaart
2008-02-24 17:34 ` Casey Scott
0 siblings, 1 reply; 11+ messages in thread
From: Martijn Lievaart @ 2008-02-24 17:30 UTC (permalink / raw)
To: Casey Scott; +Cc: Rob Sterenborg, netfilter
Casey Scott wrote:
> Thanks for that link. I realized that I was marking on
> POSTROUTING rather than FORWARD. The correction solved the problem
> of throttling, however, I'd still like to know how to use tcpdump to
> verify the mark is being set.
>
You cannot. The mark is a kernel internal thingy. Tcpdump sees the
packets "on the wire", the mark is long gone by that time.
HTH,
M4
* Re: verifying set-mark
2008-02-24 17:30 ` Martijn Lievaart
@ 2008-02-24 17:34 ` Casey Scott
0 siblings, 0 replies; 11+ messages in thread
From: Casey Scott @ 2008-02-24 17:34 UTC (permalink / raw)
To: Martijn Lievaart; +Cc: Rob Sterenborg, netfilter
> > Thanks for that link. I realized that I was marking on
> > POSTROUTING rather than FORWARD. The correction solved the problem
> > of throttling, however, I'd still like to know how to use tcpdump to
> > verify the mark is being set.
>
> You cannot. The mark is a kernel internal thingy. Tcpdump sees the
> packets "on the wire", the mark is long gone by that time.
>
> HTH,
> M4
That explains a lot! Thanks.
Casey
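Martijn's answer is the key point: the mark lives in the kernel's per-packet metadata (skb->mark), never in any header, so no sniffer will show it. The checks that do work are the ones Rob and Matt describe, a rule that matches the mark and counts or logs. The script below is an added example, not code from the thread: it installs such a probe, reads the counter of the matching rule from iptables -t mangle -xnvL, and extracts the MARK= field that the LOG target appends to a log line when the logged packet's mark is non-zero. The chain (FORWARD), the hex mark values and the function names are assumptions, and the listing and log lines embedded in it are constructed so the parsers can be run offline.

```shell
#!/bin/sh
# Added example: prove that an iptables MARK lands on packets without tcpdump.
# Not code from the thread. The mark is skb metadata, so the evidence has to
# come from inside the kernel: a counting rule that matches the mark, and the
# LOG target's MARK= field. Chain, interface and mark values are assumptions.
IPT=${IPT:-iptables}
CHAIN=${CHAIN:-FORWARD}   # mangle chain for routed traffic (INPUT/OUTPUT for local)

# Install a probe: set the mark, then two rules that only fire if the mark is
# really there. Pass the mark in hex (0x3), because that is how iptables lists it.
install_probe() {  # install_probe <mark-hex> <match args, e.g. -p tcp --dport 80>
    mark=$1; shift
    $IPT -t mangle -A "$CHAIN" "$@" -j MARK --set-mark "$mark"
    $IPT -t mangle -A "$CHAIN" -m mark --mark "$mark" -m limit --limit 5/minute \
        -j LOG --log-prefix "mark=$mark "
    $IPT -t mangle -A "$CHAIN" -m mark --mark "$mark"      # no target: pure counter
}

# Packet count of the counter rule, parsed from `iptables -t mangle -xnvL CHAIN`
# on stdin. The rule is identified by its match text ending in "mark match 0x3";
# the LOG rule carries limit/prefix text after it and is skipped. Case-insensitive
# because older iptables printed "MARK match".
mark_hits() {  # mark_hits <mark-hex>   e.g. iptables -t mangle -xnvL FORWARD | mark_hits 0x3
    awk -v needle="mark match $1" '
        tolower($0) ~ (tolower(needle) "[ \t]*$") { n = $1 }
        END { printf "%d\n", n + 0 }'
}

# Marks from kernel LOG lines on stdin. LOG prints MARK=0x.. only when the
# mark is non-zero, so a line without it means the mark was 0 at that hook.
logged_marks() {
    sed -n 's/.*MARK=\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Sample the counter twice around some traffic; a rising count is the proof.
check_mark() {  # check_mark <mark-hex> [seconds]
    before=$($IPT -t mangle -xnvL "$CHAIN" | mark_hits "$1")
    sleep "${2:-5}"
    after=$($IPT -t mangle -xnvL "$CHAIN" | mark_hits "$1")
    echo "mark $1: $before -> $after packets"
    [ "$after" -gt "$before" ]
}

# Constructed sample listing and log lines for offline use of the parsers.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 4120 packets, 3090217 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     237   301125 MARK       tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 MARK set 0x3
      12     1440 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x3 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "mark=0x3 "
     237   301125            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x3'
SAMPLE_LOG='Feb 22 12:50:52 tomcat kernel: mark=0x3 IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=66.93.87.2 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=18031 DF PROTO=TCP SPT=4322 DPT=80 WINDOW=64240 RES=0x00 ACK URGP=0 MARK=0x3
Feb 22 12:50:53 tomcat kernel: mark=0x4 IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=66.93.87.2 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=18032 PROTO=UDP SPT=51311 DPT=53 LEN=44 MARK=0x4
Feb 22 12:50:54 tomcat kernel: unmarked IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=66.93.87.2 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=18033 DF PROTO=TCP SPT=4322 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0'

case "${1:-}" in
    install) shift; install_probe "$@" ;;        # e.g. install 0x3 -p tcp --dport 80
    check)   check_mark "${2:-0x3}" "${3:-5}" ;;
    logs)    logged_marks ;;                     # e.g. dmesg | sh verify-mark.sh logs
esac
```

Two things to read off the output: if the MARK rule's own counter rises but the "mark match" counter stays at zero, the mark is being set in a chain the probe never sees (the POSTROUTING versus FORWARD mistake from this thread looks exactly like that), and a LOG line that carries the prefix but no MARK= field means the packet arrived at the LOG rule with a zero mark, which is the situation Casey's log lines show.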