Hi, I was recently doing some tests in a node which forwards and proxies network traffic using a bridge interface. This node runs Linux and it's using iptables -j REJECT to reject some TCP SYN packets, and it also relies heavily on packet marking (-j MARK) to route the packets to the right interface. I was analysing the node because I was not seeing the RST packets generated by ipt_REJECT going out of it. After debugging a bit with -j LOG and adding some prints to the kernel, I found the following: The RST packet generated in the ipt_REJECT module [nf_send_reset()] is generated with mark=0x0. Just after the skb of this new RST packet is generated, it tries to find a route for it even before going to any iptables table, which makes it impossible to mark it using -j MARK anywhere. As I am marking all other traffic, I have no routing set up for this unmarked RST packets, which make the routing in the generation code path fail and then the generated skb is dropped without reaching any iptables chain. It's fine for now as I can add an ip rule to match against packets marked with 0x0 (such that the RST isn't dropped) and sent them to a specific interface as until now I'm only expecting to reject SYNs coming from that interface. However, I'd like to support rejecting SYNs from other interfaces in the future, and in that case matching against mark 0x0 is not enough. So, I think the issue in here is that so far it is impossible to mark the RST packets generated by ipt_REJECT with a mark other than 0x0. I had a look at latest kernel and despite the code having changed a bit around that place I still lack to find a place in which the mark is set. My proposal from user point of view to improve this scenario (better ones welcome) would be: - Add a --mark 0xAAA/0xBBB parameter to ipt_REJECT to be able to set which is the mark to be set for the generated RST skb. - Not useful for me in my scenario, but I can envision it could be useful to have too a parameter to just apply to the RST packet the same mark from the packet generating the REJECT, something like --mark-copy. I can try to find some time during Christmas or January/February to work on a fix like the one described above. Any thoughts on this? Pau Espin Pedrol -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
