Ralph de Boom wrote:
> Patrick McHardy wrote:
>> Ralph de Boom wrote:
>>
>>> Hi there,
>>>
>>> Excuse me if this email might go wrong, it's my first message to a
>>> mailing list.
>>>
>>> But here's my problem: (And I hope you guys could shed some light on it for me...)
>>>
>>> I originally ran Debian Lenny on kernel 2.6.18.
>>> Today I reinstalled it as Ubuntu Server 9.10 with kernel 2.6.31.
>>>
>>> Now I used to do this in lenny:
>>>
>>> iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -d 81.4.97.0/24 -j MARK --set-mark 0x1
>>>
>>> This would cause the relevant packets to be marked 0x1, which in turn I
>>> had an 'ip rule' for:
>>>
>>> my rules look like this:
>>>
>>> ip rule show
>>> 0:     from all lookup local
>>> 32760: from all fwmark 0x2 lookup upc
>>> 32761: from all fwmark 0x1 lookup xs4all
>>> 32762: from 192.168.1.XX lookup xs4all
>>> 32763: from 192.168.1.XX lookup upc
>>> 32764: from 24.132.104.XXX lookup upc
>>> 32765: from 192.168.2.XX lookup xs4all
>>> 32766: from all lookup main
>>> 32767: from all lookup default
>>>
>>> And my 'xs4all' table looks like:
>>>
>>> ip route show table xs4all
>>> 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.XX
>>> default via 192.168.2.X dev eth0
>>>
>>>
>>> I know the rule matches packets I make:
>>>
>>> iptables -t mangle -v -L
>>> Chain PREROUTING (policy ACCEPT 3111K packets, 1861M bytes)
>>>  pkts bytes target  prot opt in   out  source          destination
>>>    16  1100 MARK    all  --  any  any  192.168.1.0/24  ip-space.by.proserve.nl/24  MARK xset 0x1/0xffffffff
>>>
>>> But somehow the connection is never relayed over the xs4all table...
>>>
>>> The changes I've noticed compared to lenny:
>>>
>>> iptables now likes to mark my --set-mark 0x1 as a --set-xmark 0x1/0xffffffff
>>> whereas in lenny it would stay a --set-mark 0x1
>>>
>>> Would be very pleased if someone could help me in this matter.
>>>
>>
>> Please try adding a LOG rule directly after the marking rule and
>> see what it prints out for the MARK= value.
>>
>>
> First of all, thanks for helping me out!
>
> Here's the info:
>
> iptables -t mangle -v -L
> Chain PREROUTING (policy ACCEPT 42M packets, 25G bytes)
>  pkts bytes target  prot opt in   out  source          destination
>   362 84150 MARK    all  --  any  any  192.168.1.0/24  ip-space.by.proserve.nl/24  MARK xset 0x1/0xffffffff
>   362 84150 LOG     all  --  any  any  192.168.1.0/24  ip-space.by.proserve.nl/24  LOG level debug prefix `fwmark 0x1: '
>
> kern.log:
> Nov 4 14:12:58 sakura kernel: [52836.368503] fwmark 0x1: IN=eth1 OUT=
> MAC=00:1b:21:2d:a9:fa:00:1b:21:32:99:5f:08:00 SRC=192.168.1.30

This looks fine, it also works properly for me. Perhaps the packets
are already delivered locally through the "local" table. The TRACE
target should be able to tell you more.
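As an added example, not code posted in this thread: a shell script that lays out the setup and the checks discussed above in one place. It installs the mangle MARK rule with a LOG rule directly after it (so the MARK= field in the kernel log confirms the value), a TRACE rule in the raw table together with the log backend TRACE needs to print anything (ipt_LOG on the 2.6.31 kernel in the thread), the fwmark ip rule and the table's default route, and finishes with an `ip route get ... mark` lookup that asks the kernel which route a marked packet from the LAN would take, which is the quickest way to see whether the fwmark rule is being consulted at all. The interface names, the gateway address and the sample source/destination hosts are assumptions (the thread redacts them); the table name and prefixes are taken from the thread. Because every command needs root, the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Marks LAN traffic towards one
# destination prefix and policy-routes it through the "xs4all" table, with the
# LOG and TRACE rules that were suggested for debugging.
#
# Assumptions (the thread redacts these; adjust to your network):
LAN_NET=192.168.1.0/24      # from the thread
DST_NET=81.4.97.0/24        # from the thread
MARK=0x1                    # from the thread
TABLE=xs4all                # from the thread
LAN_IF=eth1                 # assumed: the LOG line in the thread shows IN=eth1
GW=192.168.2.1              # assumed: the thread shows "default via 192.168.2.X"
GW_IF=eth0                  # from the thread's "table xs4all" output
TEST_SRC=192.168.1.30       # from the LOG line in the thread
TEST_DST=81.4.97.1          # assumed: any host inside DST_NET

# Run the command when APPLY=1; otherwise print it, quoting arguments that
# contain spaces so the output can be pasted back into a root shell.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; return; fi
    line=""
    for a in "$@"; do
        case $a in
            *[!A-Za-z0-9_./:=-]*) a="'$a'" ;;
        esac
        line="$line$a "
    done
    printf '%s\n' "${line% }"
}

mark_rules() {
    # Newer iptables shows --set-mark 0x1 as --set-xmark 0x1/0xffffffff;
    # both set the whole 32-bit mark to 0x1.
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -d "$DST_NET" \
        -j MARK --set-mark "$MARK"
    # LOG immediately after MARK: the MARK= field of the log line shows the
    # value the routing decision will see.
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -d "$DST_NET" \
        -j LOG --log-prefix "fwmark $MARK: "
}

trace_rules() {
    # TRACE lives in the raw table (before mangle) and prints one line per
    # chain/rule the packet passes, but only if a log backend is loaded.
    run modprobe ipt_LOG
    run iptables -t raw -A PREROUTING -s "$LAN_NET" -d "$DST_NET" -j TRACE
}

routing_rules() {
    run ip route add default via "$GW" dev "$GW_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    # The 2.6.31 kernel still has a route cache; flush it after rule changes.
    run ip route flush cache
}

check_route() {
    # Ask the kernel which route a packet with this mark, source and ingress
    # interface would take. The answer should name "table xs4all" / the GW.
    run ip route get "$TEST_DST" from "$TEST_SRC" iif "$LAN_IF" mark "$MARK"
}

# Emit (or apply) everything in the order it has to happen.
plan() {
    mark_rules
    trace_rules
    routing_rules
    check_route
}

plan
```

Run it once without APPLY to review the command list, then `APPLY=1 ./script.sh` as root. After the TRACE rule is in place, `tail -f` the kernel log while generating one packet from the LAN host; the TRACE lines show every table and chain the packet visited, and the LOG line shows the mark, which together tell you whether the packet ever reached the forwarding path with the mark set or was delivered locally first, as suspected above.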