esp mark not working

esp mark not working

[Lewis Shobbrook]

Hi all,

Much to my surprise, I've not been able to mark esp packets in the mangle table.
Although esp packets are traversing as they should, the iptables counters are unmoved from zero and as you'd expect rules applied against the mark fail also.

I've tried with ubuntu 2.6.24 & 2.6.27 kernels as well as a debian 2.6.26 all seem to suffer the same problem, all different machines.
Non esp packets mark no problem.

I don't seem to be able to google anyone else having this problem, so I'm hoping someone can help point out where I'm going wrong.

iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 0x1
with a couple of manual module loads upon apparent failure of the automatic module loading ...
cat /proc/net/ip_tables_targets 
SECMARK
CONNMARK
CONNMARK
DNAT
SNAT
MARK
MARK
MARK
ERROR

On another ....
cat /proc/net/ip_tables_targets
TCPMSS
LOG
REJECT
DNAT
SNAT
ERROR
REDIRECT
ECN
SECMARK
TRACE
NFQUEUE
NFLOG
DSCP
CONNSECMARK
MARK
MARK
CONNMARK
CLASSIFY
NETMAP
MASQUERADE
TOS
I've tried manually loading every possible netfilter module and googled endlessly.
Seems I'm missing something or it is broken.
Can anyone let me in on this?

Cheers,

Lew

Re: esp mark not working

[Patrick McHardy]

Lewis Shobbrook wrote:
> Hi all,
> 
> Much to my surprise, I've not been able to mark esp packets in the mangle table.
> Although esp packets are traversing as they should, the iptables counters are unmoved from zero and as you'd expect rules applied against the mark fail also.

That indicates a problem in the matching rules, the counters are
unaffected by the target. I'd suggest to use the TRACE target to
figure out what is happening.