From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dennison Williams
Subject: MARK not working
Date: Thu, 01 Apr 2010 17:35:56 -0700
Message-ID: <4BB53BEC.9010709@gmail.com>
To: netfilter@vger.kernel.org
Sender: netfilter-owner@vger.kernel.org

Hello,

I am having a problem receiving marked packets from the mangle table in my filter table. I have:

iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 4500 -j MARK --set-mark 1
iptables -t filter -A INPUT -m mark --mark 1 -j LOG --log-prefix ipsec_nat_t
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A INPUT -j LOG
iptables -t filter -A INPUT -j REJECT

I see that the packets are correctly getting marked in the mangle table, but then they bypass the log and accept rules, eventually getting logged and rejected. I have trimmed the ruleset down a fair amount to try and find the problem, but I can't seem to get to the cause. While I have seen a fair amount of this subject on the mailing list, I have not found anything that seems relevant to this issue.

All feedback is appreciated. More details below.

Sincerely,
Dennison Williams

Kernel: 2.6.26-2-486
Distro: Debian 5.0.4
Iptables version: v1.4.2

iptables-save output:

# Generated by iptables-save v1.4.2 on Thu Apr  1 17:27:16 2010
*nat
:PREROUTING ACCEPT [67:12256]
:POSTROUTING ACCEPT [106:6673]
:OUTPUT ACCEPT [106:6673]
-A POSTROUTING -s 10.66.6.0/24 -d ! 10.66.7.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Apr  1 17:27:16 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 17:27:16 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [617:152871]
:OUTPUT ACCEPT [1282:293981]
:Accounting - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -m mark --mark 0x1 -j LOG --log-prefix "ipsec_nat_t"
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr  1 17:27:16 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 17:27:16 2010
*mangle
:PREROUTING ACCEPT [2504:776880]
:INPUT ACCEPT [1548:605475]
:FORWARD ACCEPT [956:171405]
:OUTPUT ACCEPT [1285:295001]
:POSTROUTING ACCEPT [2241:466406]
-A PREROUTING -i eth1 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Thu Apr  1 17:27:16 2010
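When a mark set in mangle PREROUTING does not seem to reach a filter rule, the first thing to check is rule order: within a chain iptables evaluates rules top to bottom and the first terminating target (ACCEPT, REJECT, DROP) ends the walk, so a mark-matching rule only ever sees packets that no earlier rule in the same chain has already terminated. The script below is an added example, not part of the original post or of the netfilter project; it embeds the iptables-save dump quoted above as a constructed sample (SAMPLE_DUMP is an assumed name) and lets you list a chain in evaluation order, read its default policy, and find the 1-based position of the first rule containing a given fragment, so that the position of a mark rule can be compared against earlier terminating rules without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE_DUMP is a constructed
# copy of the iptables-save output quoted in the message, embedded so the
# script runs offline. Replace it with `iptables-save` output to audit a real box.
SAMPLE_DUMP='# Generated by iptables-save v1.4.2 on Thu Apr  1 17:27:16 2010
*nat
:PREROUTING ACCEPT [67:12256]
:POSTROUTING ACCEPT [106:6673]
:OUTPUT ACCEPT [106:6673]
-A POSTROUTING -s 10.66.6.0/24 -d ! 10.66.7.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [617:152871]
:OUTPUT ACCEPT [1282:293981]
:Accounting - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -m mark --mark 0x1 -j LOG --log-prefix "ipsec_nat_t"
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [2504:776880]
:INPUT ACCEPT [1548:605475]
:FORWARD ACCEPT [956:171405]
:OUTPUT ACCEPT [1285:295001]
:POSTROUTING ACCEPT [2241:466406]
-A PREROUTING -i eth1 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
COMMIT'

# chain_rules TABLE CHAIN
# Print the rules appended to CHAIN in TABLE, one per line, in the order the
# kernel evaluates them, each prefixed with its 1-based position.
chain_rules() {
    printf '%s\n' "$SAMPLE_DUMP" | awk -v table="$1" -v chain="$2" '
        /^\*/      { cur = substr($0, 2); next }   # "*filter" starts a table
        /^COMMIT/  { cur = ""; next }              # COMMIT ends it
        cur == table && $1 == "-A" && $2 == chain { n++; print n ": " $0 }
    '
}

# chain_policy TABLE CHAIN
# Print the default policy of a built-in chain (":INPUT ACCEPT [0:0]" -> ACCEPT);
# user-defined chains such as Accounting show "-" because they have no policy.
chain_policy() {
    printf '%s\n' "$SAMPLE_DUMP" | awk -v table="$1" -v chain="$2" '
        /^\*/     { cur = substr($0, 2); next }
        /^COMMIT/ { cur = ""; next }
        cur == table && $1 == ":" chain { print $2 }
    '
}

# rule_position TABLE CHAIN FRAGMENT
# Print the 1-based position of the first rule in CHAIN whose text contains
# FRAGMENT (matched as a fixed string, so "-m mark --mark 0x1" is safe);
# prints nothing when no rule matches.
rule_position() {
    chain_rules "$1" "$2" | grep -F -- "$3" | head -n 1 | cut -d: -f1
}

# Stand-alone usage: show the filter INPUT chain and where the mark rules sit
# relative to the earlier terminating rules for the same traffic class.
echo "filter INPUT policy: $(chain_policy filter INPUT)"
chain_rules filter INPUT
echo "first ACCEPT for udp/4500 at rule $(rule_position filter INPUT '--dport 4500 -j ACCEPT')"
echo "first mark-matching rule at rule  $(rule_position filter INPUT '-m mark --mark 0x1')"
```

Reading the output for the quoted dump: the rule that accepts udp/4500 on eth1 sits at position 5 and the first mark-matching rule at position 7, so in this chain the mark rules are only reachable by packets that none of rules 1 through 6 accepted. Running the same check against a live `iptables-save` dump (assign it to SAMPLE_DUMP) tells you, before adding any LOG rules, whether a mark-based rule can ever be reached by the packets you expect it to catch.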