Have you checked that the ip_conntrack module is loaded or compiled into
the kernel?
If not, the mark is lost...
Cheers,
Andreas
Eliot, Wireless and Server Administrator, Great Lakes Internet wrote:
I have to match my packets based on MAC address, which I cannot do in
the POSTROUTING chain, so I do it in PREROUTING using MARK. Then, I
match on the MARK in the POSTROUTING chain to do a CLASSIFY. But this
does not seem to work:
wireless-r1 bwlimit # iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes)
 pkts bytes target   prot opt in  out   source    destination
12527  11M CONNMARK all  --  *   *     0.0.0.0/0 0.0.0.0/0  CONNMARK restore
 3227 130K MARK     all  --  *   *     0.0.0.0/0 0.0.0.0/0  MAC 00:05:9E:81:3D:07 MARK set 0x30
 3231 132K CONNMARK all  --  *   *     0.0.0.0/0 0.0.0.0/0  MARK match 0x30 CONNMARK save
    0    0 MARK     udp  --  *   *     0.0.0.0/0 0.0.0.0/0  MAC 00:05:9E:81:3D:07 multiport ports 53,4569,5060,10000:20000 MARK set 0x2f
    0    0 MARK     tcp  --  *   *     0.0.0.0/0 0.0.0.0/0  MAC 00:05:9E:81:3D:07 multiport ports 22,23,53 MARK set 0x2f
    3  180 MARK     icmp --  *   *     0.0.0.0/0 0.0.0.0/0  MAC 00:05:9E:81:3D:07 MARK set 0x2f
 3222 129K MARK     tcp  --  *   *     0.0.0.0/0 0.0.0.0/0  tcp flags:0x18/0x10 MAC 00:05:9E:81:3D:07 MARK set 0x2f
    0    0 MARK     udp  --  *   *     0.0.0.0/0 0.0.0.0/0  udp dpt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
    0    0 MARK     udp  --  *   *     0.0.0.0/0 0.0.0.0/0  udp spt:53 MAC 00:05:9E:81:3D:07 MARK set 0x2f
10272  10M CONNMARK all  --  *   *     0.0.0.0/0 0.0.0.0/0  MARK match 0x2f CONNMARK save
    0    0 MARK     all  --  *   *     0.0.0.0/0 0.0.0.0/0  MAC 00:05:9E:81:3D:07 ipp2p v0.8.0 --ipp2p MARK set 0x31
    0    0 CONNMARK all  --  *   *     0.0.0.0/0 0.0.0.0/0  MARK match 0x31 CONNMARK save
Chain INPUT (policy ACCEPT 1177K packets, 165M bytes)
 pkts bytes target   prot opt in  out   source    destination
Chain FORWARD (policy ACCEPT 1157K packets, 703M bytes)
 pkts bytes target   prot opt in  out   source    destination
Chain OUTPUT (policy ACCEPT 535K packets, 95M bytes)
 pkts bytes target   prot opt in  out   source    destination
Chain POSTROUTING (policy ACCEPT 1613K packets, 790M bytes)
 pkts bytes target   prot opt in  out   source    destination
 3225 129K CLASSIFY all  --  *   br1   0.0.0.0/0 0.0.0.0/0  MARK match 0x2f CLASSIFY set 47:1
    2  506 CLASSIFY all  --  *   br1   0.0.0.0/0 0.0.0.0/0  MARK match 0x30 CLASSIFY set 48:1
    0    0 CLASSIFY all  --  *   br1   0.0.0.0/0 0.0.0.0/0  MARK match 0x31 CLASSIFY set 49:1
 6352 9321K CLASSIFY all --  *   wivl4 0.0.0.0/0 0.0.0.0/0  MARK match 0x2f CLASSIFY set 47:1
    4 1932 CLASSIFY all  --  *   wivl4 0.0.0.0/0 0.0.0.0/0  MARK match 0x30 CLASSIFY set 48:1
    0    0 CLASSIFY all  --  *   wivl4 0.0.0.0/0 0.0.0.0/0  MARK match 0x31 CLASSIFY set 49:1
wireless-r1 bwlimit # tc -s qdisc show dev wivl4
qdisc prio 5: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 11887911 bytes 8179 pkt (dropped 878, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 26: parent 5:1 r2q 10 default 1 direct_packets_stat 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 27: parent 5:2 r2q 10 default 1 direct_packets_stat 0
Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 28: parent 5:3 r2q 10 default 1 direct_packets_stat 0
Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 47: parent 26:1 r2q 10 default 1 direct_packets_stat 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 48: parent 27:1 r2q 10 default 1 direct_packets_stat 0
Sent 10657 bytes 162 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 49: parent 28:1 r2q 10 default 1 direct_packets_stat 0
Sent 11877254 bytes 8017 pkt (dropped 878, overlimits 1120 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
wireless-r1 bwlimit # tc -s class show dev wivl4
class prio 5:1 parent 5: leaf 26:
class prio 5:2 parent 5: leaf 27:
class prio 5:3 parent 5: leaf 28:
class htb 26:1 root leaf 47: prio 0 rate 30000Kbit ceil 30000Kbit burst 16593b cburst 16593b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 4532 ctokens: 4532
class htb 27:1 root leaf 48: prio 0 rate 60000Kbit ceil 60000Kbit burst 31590b cburst 31590b
 Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
 rate 624bit 1pps backlog 0b 0p requeues 0
 lended: 790 borrowed: 0 giants: 0
 tokens: 4306 ctokens: 4306
class htb 28:1 root leaf 49: prio 0 rate 10000Kbit ceil 10000Kbit burst 6598b cburst 6598b
 Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 11178 borrowed: 0 giants: 0
 tokens: 5368 ctokens: 5368
class htb 47:1 root prio 1 rate 80000bit ceil 128000bit burst 125Kb cburst 8000b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 13107200 ctokens: 512000
class htb 48:1 root prio 2 rate 2048Kbit ceil 3072Kbit burst 3000Kb cburst 192000b
 Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
 rate 624bit 1pps backlog 0b 0p requeues 0
 lended: 790 borrowed: 0 giants: 0
 tokens: 12287744 ctokens: 511831
class htb 49:1 root prio 3 rate 960000bit ceil 960000bit burst 960000b cburst 60000b
 Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 11178 borrowed: 0 giants: 0
 tokens: 8191591 ctokens: 511591
In the iptables rules, you'll see that the bulk of the traffic I'm
sending through is getting marked with 0x2f (47 decimal). In the
POSTROUTING chain, it is being classified as 47:1. In fact, nothing at
all is getting classified as 49:1. But, in the TC class and qdisc
displays, everything is coming up under the 49:1 instead of the 47:1.
What happened? Either I have some weird typo I'm not seeing, or this is
just not working the way I'm expecting it to. Anyone have any thoughts
on this?
Thanks.
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, and Sandusky. Call for details.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
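The comparison Eliot makes by eye above (CLASSIFY hit counts in the POSTROUTING chain versus the per-class "Sent ... pkt" counters from tc) is worth scripting when a shaper misbehaves, since the mismatch is the first thing to pin down before blaming marks, conntrack or typos. The script below is an added example, not code from the thread or from the LARTC project: it parses the two listings, reports classes that receive CLASSIFY hits but carry no traffic in tc (47:1 here) and classes that carry traffic although no CLASSIFY rule sends anything there (49:1), and adds the module check Andreas asks about. The embedded iptables and tc text is an excerpt of the post's own output rejoined onto single lines; the /proc/modules sample is constructed, and conntrack_loaded only detects the module case, not a conntrack compiled into the kernel.

```python
import re

# Excerpt of the thread's `iptables -L -v -n -t mangle` output, one rule per
# line; the counters are the ones Eliot posted. Only the chains needed here.
IPTABLES_MANGLE = """\
Chain PREROUTING (policy ACCEPT 3353K packets, 941M bytes)
 pkts bytes target prot opt in out source destination
12527 11M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
10272 10M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2f CONNMARK save
Chain POSTROUTING (policy ACCEPT 1613K packets, 790M bytes)
 pkts bytes target prot opt in out source destination
3225 129K CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x2f CLASSIFY set 47:1
2 506 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x30 CLASSIFY set 48:1
0 0 CLASSIFY all -- * br1 0.0.0.0/0 0.0.0.0/0 MARK match 0x31 CLASSIFY set 49:1
6352 9321K CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x2f CLASSIFY set 47:1
4 1932 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x30 CLASSIFY set 48:1
0 0 CLASSIFY all -- * wivl4 0.0.0.0/0 0.0.0.0/0 MARK match 0x31 CLASSIFY set 49:1
"""

# Excerpt of the thread's `tc -s class show dev wivl4`, same counters as posted.
TC_CLASS_WIVL4 = """\
class prio 5:1 parent 5: leaf 26:
class htb 26:1 root leaf 47: prio 0 rate 30000Kbit ceil 30000Kbit burst 16593b cburst 16593b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 47:1 root prio 1 rate 80000bit ceil 128000bit burst 125Kb cburst 8000b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 48:1 root prio 2 rate 2048Kbit ceil 3072Kbit burst 3000Kb cburst 192000b
 Sent 54187 bytes 790 pkt (dropped 0, overlimits 0 requeues 0)
class htb 49:1 root prio 3 rate 960000bit ceil 960000bit burst 960000b cburst 60000b
 Sent 16539369 bytes 11178 pkt (dropped 1160, overlimits 0 requeues 0)
"""

# Constructed /proc/modules lines (sizes and addresses are made up).
PROC_MODULES_SAMPLE = """\
ipt_CLASSIFY 2560 6 - Live 0xf8a00000
ipt_CONNMARK 3072 5 - Live 0xf89f8000
ip_conntrack 53152 1 ipt_CONNMARK, Live 0xf8a10000
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
# groups: packet counter, out interface, target class id
CLASSIFY_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+CLASSIFY\s+\S+\s+\S+\s+\S+\s+(\S+)\s.*CLASSIFY set (\S+)\s*$")


def parse_classify_hits(text):
    """(out interface, class id) -> packets, for CLASSIFY rules in POSTROUTING only."""
    hits, chain = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = CLASSIFY_RE.match(line)
        if m and chain == "POSTROUTING":
            key = (m.group(2), m.group(3))
            hits[key] = hits.get(key, 0) + int(m.group(1))
    return hits


def parse_tc_class_pkts(text):
    """htb class id -> packets sent; a 'Sent' line belongs to the preceding 'class htb'."""
    pkts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*class htb (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*Sent (\d+) bytes (\d+) pkt", line)
        if m and current is not None:
            pkts[current] = int(m.group(2))
            current = None
    return pkts


def reconcile(classify_hits, tc_pkts, dev):
    """Compare CLASSIFY hits for one output device with what tc saw per class.
    The two counter sets are not reset together (48:1 shows 4 hits against 790
    packets), so only zero-versus-nonzero disagreements count as findings.
    Returns (class id, iptables pkts, tc pkts, verdict) tuples."""
    rules = {cid: n for (d, cid), n in classify_hits.items() if d == dev}
    findings = []
    for cid in sorted(set(rules) | set(tc_pkts)):
        ipt, tc = rules.get(cid), tc_pkts.get(cid, 0)
        if ipt is None:                 # no CLASSIFY rule targets this class
            if tc == 0:
                continue                # inner or idle class, nothing to report
            ipt, verdict = 0, "seen-but-never-classified"
        elif ipt > 0 and tc == 0:
            verdict = "classified-but-unseen"
        elif ipt == 0 and tc > 0:
            verdict = "seen-but-never-classified"
        elif ipt == 0 and tc == 0:
            verdict = "idle"
        else:
            verdict = "ok"
        findings.append((cid, ipt, tc, verdict))
    return findings


def conntrack_loaded(proc_modules_text):
    """True if ip_conntrack (2.4 / early 2.6 name) or nf_conntrack is listed in
    /proc/modules. A conntrack built into the kernel is not listed there, so
    False only means 'not loaded as a module'."""
    names = {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}
    return bool(names & {"ip_conntrack", "nf_conntrack"})


if __name__ == "__main__":
    hits = parse_classify_hits(IPTABLES_MANGLE)
    tc = parse_tc_class_pkts(TC_CLASS_WIVL4)
    for cid, ipt, seen, verdict in reconcile(hits, tc, "wivl4"):
        print(f"wivl4 {cid:>5} iptables={ipt:>6} tc={seen:>6} {verdict}")
    print("conntrack module loaded:", conntrack_loaded(PROC_MODULES_SAMPLE))
```

On a live box the two strings would come from the real commands (the class listing per device, since the class ids are only unique per interface); run it right after `iptables -Z -t mangle` and a fresh `tc qdisc del`/`add` so the counters start together and the exact packet counts can be compared too.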