Re: bridge tc fw filter

I can see this bug in 2.6.22.18 but not in 2.6.26.8. Any clue is
greatly appreciated.

On Thu, Aug 20, 2009 at 9:01 PM, ratheesh k<ratheesh.ksz@xxxxxxxxx> wrote:
> I have two interfaces, eth0 and ap0, bridged together to form br0,
> and another interface, eth1, on the WAN side.
>
>
>                  br0 <------------------------> eth1
>              ( eth0 , ap0)
>                {  lan  }                         {wan}
>
> Packets from the LAN side are NATed to eth1. I have QoS rules on both
> br0 and eth1. When I googled, I found that "mangling packets on br0
> and using fw filters won't work on a Linux bridge". Is this true? Can
> you tell me why?
>
> But the funny thing is, I colored packets in the PREROUTING chain,
> specifying only the protocol (not specifying an interface):
>
> iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 2
>
> and I have a filter rule to put packets that are fw-marked as 2 into
> some flow. This works fine when I send an ICMP packet from the LAN to
> the WAN side!
>
> But if I try any of the rules below instead of the one above, it won't work:
>
> iptables -t mangle -A PREROUTING -p icmp -i br0 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MARK --set-mark 2
> iptables -t mangle -A FORWARD -p icmp -i br0 -o eth1 -j MARK --set-mark 2
>
> I don't know why.
>
> In the Linux kernel, in the net/sched/cls_fw.c file, fw_classify is
> called every time the tc filter is hit.
> skb->mark is zero when you use rules like
>
> iptables -t mangle -A PREROUTING -p icmp -i br0 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MARK --set-mark 2
> iptables -t mangle -A FORWARD -p icmp -i br0 -o eth1 -j MARK --set-mark 2
>
> But if you use
>
> iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 2
>
> then skb->mark is 2, the correct value.
>
> This problem happens only with the bridge. When I tried with one of the
> interfaces, it works perfectly.
>
> Thanks,
> Ratheesh
>