Policy routing with mark not working.

Policy routing with mark not working.

[Andre Kalamandeen]

Hey all im trying to mark packets and use the kernel
routing table to get the packets to go where i want.
The problem that i have with this is that even though
the packets are being marked (I checked using
"iptables -t mangle -vnL") it doesnt seem to be going
through the correct route. I;ve followed this guide : 

http://edseek.com/archives/2006/05/01/configuring-multipath-routing-for-ports-without-balancing/

but all traffic goes through the default route and not
the marked one. 

# ip rule gives:
0: from all lookup local
200: from all fwmark 0x4 lookup 201
32766: from all lookup main
32767: from all lookup default

# ip route show table 201
default via 192.168.77.2 dev eth3

the iptables command i use to mark is:
# iptables -t mangle -A PREROUTING -m string --algo bm
--string "yahoo.com" -j MARK --set-mark 0x4

i've also flushed the route cache,....any help?

Thanks.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Policy routing with mark not working.

[Alexandru Dragoi]

Andre Kalamandeen wrote:

>Hey all im trying to mark packets and use the kernel
>routing table to get the packets to go where i want.
>The problem that i have with this is that even though
>the packets are being marked (I checked using
>"iptables -t mangle -vnL") it doesnt seem to be going
>through the correct route. I;ve followed this guide : 
>
>http://edseek.com/archives/2006/05/01/configuring-multipath-routing-for-ports-without-balancing/
>
>but all traffic goes through the default route and not
>the marked one. 
>
># ip rule gives:
>0: from all lookup local
>200: from all fwmark 0x4 lookup 201
>32766: from all lookup main
>32767: from all lookup default
>
># ip route show table 201
>default via 192.168.77.2 dev eth3
>
>the iptables command i use to mark is:
># iptables -t mangle -A PREROUTING -m string --algo bm
>--string "yahoo.com" -j MARK --set-mark 0x4
>
>i've also flushed the route cache,....any help?
>
>Thanks.
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam?  Yahoo! Mail has the best spam protection around 
>http://mail.yahoo.com 
>
>  
>
That rule maybe routes only some packets of a connection, not the entire
stream. as a tip, it is good to put some static routes in table 201, like
# ip ro add 182.168.77.0/24 dev eth3 table 201
and so on with all local networks

Re: Policy routing with mark not working.

[Frank]

Also, after much time banging my head against the wall trying to
figure out why my marks were ignored, I discovered that in spite of
what the netfilter packet traversal diagram shows, marks set in
PREROUTING are ignored for packets originating on the box doing the
routing, and the marks need to be set on the OUTPUT chain for that
case (you still need to set the mark on the PREROUTING chain on
packets traveling through the routing server).
  This is with kernel 2.6.16.5 and iptables v1.3.3.

Frank

On 5/10/06, Alexandru Dragoi <alex@zoomnet.ro> wrote:
> Andre Kalamandeen wrote:
>
> >Hey all im trying to mark packets and use the kernel
> >routing table to get the packets to go where i want.
> >The problem that i have with this is that even though
> >the packets are being marked (I checked using
> >"iptables -t mangle -vnL") it doesnt seem to be going
> >through the correct route. I;ve followed this guide :
> >
> >http://edseek.com/archives/2006/05/01/configuring-multipath-routing-for-ports-without-balancing/
> >
> >but all traffic goes through the default route and not
> >the marked one.
> >
> ># ip rule gives:
> >0: from all lookup local
> >200: from all fwmark 0x4 lookup 201
> >32766: from all lookup main
> >32767: from all lookup default
> >
> ># ip route show table 201
> >default via 192.168.77.2 dev eth3
> >
> >the iptables command i use to mark is:
> ># iptables -t mangle -A PREROUTING -m string --algo bm
> >--string "yahoo.com" -j MARK --set-mark 0x4
> >
> >i've also flushed the route cache,....any help?
> >
> >Thanks.
> >
> >__________________________________________________
> >Do You Yahoo!?
> >Tired of spam?  Yahoo! Mail has the best spam protection around
> >http://mail.yahoo.com
> >
> >
> >
> That rule maybe routes only some packets of a connection, not the entire
> stream. as a tip, it is good to put some static routes in table 201, like
> # ip ro add 182.168.77.0/24 dev eth3 table 201
> and so on with all local networks
>
>
>

Re: Policy routing with mark not working.

[Pascal Hambourg]

Hello,

Frank a écrit :
> Also, after much time banging my head against the wall trying to
> figure out why my marks were ignored, I discovered that in spite of
> what the netfilter packet traversal diagram shows, marks set in
> PREROUTING are ignored for packets originating on the box doing the
> routing, and the marks need to be set on the OUTPUT chain for that
> case

"In spite" ? What are you tacking about ? That's exactly what the 
Netfilter diagram shows : locally generated packets don't go through the 
PREROUTING chain - except when sent to (and therefore received back 
from) the loopback interface.

Re: Policy routing with mark not working.

[Andre Kalamandeen]

Hey, i figured out what the problem was, i was passing
all packets through squid, so when it was maked in the
mangle PREROUTING chain, squid removed the marks since
it doesnt support them, but changing the chain to
OUTPUT solved this prob. Thanks to all.

--- Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
wrote:

> Hello,
> 
> Frank a écrit :
> > Also, after much time banging my head against the
> wall trying to
> > figure out why my marks were ignored, I discovered
> that in spite of
> > what the netfilter packet traversal diagram shows,
> marks set in
> > PREROUTING are ignored for packets originating on
> the box doing the
> > routing, and the marks need to be set on the
> OUTPUT chain for that
> > case
> 
> "In spite" ? What are you tacking about ? That's
> exactly what the 
> Netfilter diagram shows : locally generated packets
> don't go through the 
> PREROUTING chain - except when sent to (and
> therefore received back 
> from) the loopback interface.
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Policy routing with mark not working.

[Pascal Hambourg]

Andre Kalamandeen a écrit :
> Hey, i figured out what the problem was, i was passing
> all packets through squid, so when it was maked in the
> mangle PREROUTING chain, squid removed the marks since
> it doesnt support them, but changing the chain to
> OUTPUT solved this prob. Thanks to all.

"squid removed the marks since it doesnt support them" just makes no 
sense ! When using a proxy such as squid, you have two *independent* 
connections. One from the client to the proxy, and one from the proxy to 
the target server. MARKing packets of the former has strictly *no* 
effect on the packets of the latter.

Re: Policy routing with mark not working.

[Frank]

On 5/12/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Frank a écrit :
> > Also, after much time banging my head against the wall trying to
> > figure out why my marks were ignored, I discovered that in spite of
> > what the netfilter packet traversal diagram shows, marks set in
> > PREROUTING are ignored for packets originating on the box doing the
> > routing, and the marks need to be set on the OUTPUT chain for that
> > case
>
> "In spite" ? What are you tacking about ? That's exactly what the
> Netfilter diagram shows : locally generated packets don't go through the
> PREROUTING chain - except when sent to (and therefore received back
> from) the loopback interface.
>
Yes, you are correct about PREROUTING, although there was dual-homed
howto that made no mention of how to handle locally-generated traffic
but just used PREROUTING, and I initially went down that dead-end
That's what I get for taking an example config at face value and not
doing sufficient research.  However, diagrams such as the one at
http://www.docum.org/docum.org/kptd/  show the routing decision made
before the OUTPUT chain, making me believe setting a mark there
wouldn't work.  After further research I discovered that the routing
decision is revisited if the packet is later changed (i.e., a mark
being set in the OUTPUT chain), and that important detail seems to be
left out of the traversal diagrams I've found before now (the one
mentioned above does have some notes below it mentioning the
rerouting, but otherts I found didn't).

Re: Policy routing with mark not working.

[Andre Kalamandeen]

hmm,  im getting a new problem with this,

Just a recap of what im doing :
Setting up linux box with transparent squid and
sending special packets (marked) through a different
gateway.

I have 3 ethernet cards connected (1 for local, 2 for
internet - one being set as default route)


now as i've mentioned before i've used iptables mangle
table (OUTPUT) to do a string match, and marked those
packets with 0x4. i've set up an ip rule and route to
handle the marked packets.

The problem i am having is that marked packets are
going through both the default gateway and the other
gateway (i've checked the logs on both routers)the
result being that the client page is never loaded. 

Any suggestions?


> Yes, you are correct about PREROUTING, although
> there was dual-homed
> howto that made no mention of how to handle
> locally-generated traffic
> but just used PREROUTING, and I initially went down
> that dead-end
> That's what I get for taking an example config at
> face value and not
> doing sufficient research.  However, diagrams such
> as the one at
> http://www.docum.org/docum.org/kptd/  show the
> routing decision made
> before the OUTPUT chain, making me believe setting a
> mark there
> wouldn't work.  After further research I discovered
> that the routing
> decision is revisited if the packet is later changed
> (i.e., a mark
> being set in the OUTPUT chain), and that important
> detail seems to be
> left out of the traversal diagrams I've found before
> now (the one
> mentioned above does have some notes below it
> mentioning the
> rerouting, but otherts I found didn't).
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com