packet marking

Linux Netfilter discussions
 help / color / mirror / Atom feed

* packet marking
@ 2015-03-04 22:04 Bob Miller
  2015-03-05  7:01 ` Michal Kubecek
  2015-03-05 19:44 ` Sebastian Pöhn
  0 siblings, 2 replies; 3+ messages in thread
From: Bob Miller @ 2015-03-04 22:04 UTC (permalink / raw)
  To: netfilter

I have been reading man pages and googling and I am not finding 
understanding.  maybe somebody can explain:

under my mangle table (using iptables-restore to load):

-A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-mark 30
-A PREROUTING -s 192.168.171.0/24 -m mark ! --mark 30 -j MARK --set-mark 40
-A PREROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
-A PREROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40

This logs packets with both marks.

If I change the LOG target to POSTROUTING, like so:

-A POSTROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
-A POSTROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40

only packets with the mark 40 are logged.  I think it should log both.

If I consult the nfpacket flow chart, nat/PREROUTING comes after 
mangle/PREROUTING, and I cannot log packets with a mark of 30 there either.

Traffic keeps flowing, so the packets themselves are not being dropped, 
but the mark apparently is not passed from the initial chain. Everything 
I have read indicates it should be.  what could I have done (or not 
done) to make this happen?  Or better yet, what should I be reading that 
would explain this?  I get the feeling I am overlooking something really 
obvious...
-- 
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: packet marking
  2015-03-04 22:04 packet marking Bob Miller
@ 2015-03-05  7:01 ` Michal Kubecek
  2015-03-05 19:44 ` Sebastian Pöhn
  1 sibling, 0 replies; 3+ messages in thread
From: Michal Kubecek @ 2015-03-05  7:01 UTC (permalink / raw)
  To: Bob Miller; +Cc: netfilter

On Wed, Mar 04, 2015 at 02:04:23PM -0800, Bob Miller wrote:
> I have been reading man pages and googling and I am not finding
> understanding.  maybe somebody can explain:
> 
> under my mangle table (using iptables-restore to load):
> 
> -A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-mark 30
> -A PREROUTING -s 192.168.171.0/24 -m mark ! --mark 30 -j MARK --set-mark 40
> -A PREROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
> -A PREROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
> 
> This logs packets with both marks.
> 
> If I change the LOG target to POSTROUTING, like so:
> 
> -A POSTROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
> -A POSTROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
> 
> only packets with the mark 40 are logged.  I think it should log both.
> 
> If I consult the nfpacket flow chart, nat/PREROUTING comes after
> mangle/PREROUTING, and I cannot log packets with a mark of 30 there
> either.
> 
> Traffic keeps flowing, so the packets themselves are not being
> dropped, but the mark apparently is not passed from the initial
> chain. Everything I have read indicates it should be.  what could I
> have done (or not done) to make this happen?  Or better yet, what
> should I be reading that would explain this?  I get the feeling I am
> overlooking something really obvious...

Without seeing a complete set of rules and without knowing what do the
packets look like (and your network configuration), I'm afraid it would
be only a guesswork.

The "vpnX30" log prefix sounds like there is some kind of VPN involved.
So are those packets being sent on really the same packets you mark in
PREROUTING?

                                                        Michal Kubecek


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: packet marking
  2015-03-04 22:04 packet marking Bob Miller
  2015-03-05  7:01 ` Michal Kubecek
@ 2015-03-05 19:44 ` Sebastian Pöhn
  1 sibling, 0 replies; 3+ messages in thread
From: Sebastian Pöhn @ 2015-03-05 19:44 UTC (permalink / raw)
  To: Bob Miller; +Cc: netfilter

Is there a reason to use decimal numbers? 0x1E and 0x28 are quite
complex marks to set. Maybe use 0x30 and 0x40 instead.

Is there any other place where marking is done?

Why not providing us with a full iptables-save output?

On Mi, 2015-03-04 at 14:04 -0800, Bob Miller wrote:
> I have been reading man pages and googling and I am not finding 
> understanding.  maybe somebody can explain:
> 
> under my mangle table (using iptables-restore to load):
> 
> -A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-mark 30
> -A PREROUTING -s 192.168.171.0/24 -m mark ! --mark 30 -j MARK --set-mark 40
> -A PREROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
> -A PREROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
> 
> This logs packets with both marks.
> 
> If I change the LOG target to POSTROUTING, like so:
> 
> -A POSTROUTING -m mark --mark 30 -j LOG --log-prefix vpnX30
> -A POSTROUTING -m mark --mark 40 -j LOG --log-prefix vpnX40
> 
> only packets with the mark 40 are logged.  I think it should log both.
> 
> If I consult the nfpacket flow chart, nat/PREROUTING comes after 
> mangle/PREROUTING, and I cannot log packets with a mark of 30 there either.
> 
> Traffic keeps flowing, so the packets themselves are not being dropped, 
> but the mark apparently is not passed from the initial chain. Everything 
> I have read indicates it should be.  what could I have done (or not 
> done) to make this happen?  Or better yet, what should I be reading that 
> would explain this?  I get the feeling I am overlooking something really 
> obvious...



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-03-05 19:44 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-03-04 22:04 packet marking Bob Miller
2015-03-05  7:01 ` Michal Kubecek
2015-03-05 19:44 ` Sebastian Pöhn

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox