Hi,

I looked a bit more deeply into this issue and fwmark_reflect, and it seems that this sysctl is not being used in this specific code path as far as I could see (nf_send_reset), at least in a version near to 3.18 I'm using to do the tests, and I think the issue is still not fixed in master. Basically the mark is not being copied when the new skb (RST) is created in nf_send_reset() in nf_reject_ipv4.c.

I did a one-line patch to copy the mark based on fwmark_reflect, and after enabling it, at least now I get it copied and I can work around the issues by changing the mark of the SYN packet just before rejecting it with -j REJECT. I will do some more checks and, if finally needed, I'll send a patch to fix it in master over the next days.

Pau Espin Pedrol

2016-12-12 18:32 GMT+01:00 Pau Espin Pedrol <pespin.shar@xxxxxxxxx>:
> 2016-12-12 18:15 GMT+01:00 Noel Kuntze <noel@xxxxxxxxxxxxxxxxx>:
>> On 12.12.2016 18:07, Pau Espin Pedrol wrote:
>>> that is, I cannot mark packets generated by
>>> a REJECT target with a specific mark.
>> You shouldn't treat rejects any different than the original responses anyway, so it's not a problem,
>> because you don't have to treat them different than the original packets that caused them.
>>
> Unfortunately, I do, as I'm playing with the node being a transparent
> proxy, and so far with the current setup marking helps choose the
> right direction for each packet on the bridge. Different direction,
> different marking.
>
>>
>> And you can still route and mark local (including ones that were caused by -j REJECT) packets. Look at the
>> graph[1].
>>
>> [1] http://inai.de/images/nf-packet-flow.png
>>
> I'm not sure if packets can be considered local in this case, as
> acting as a transparent proxy means src ip or dst ip cannot be matched
> against IPs or interfaces in the system, which makes everything a bit
> harder.
>
> However, thinking about it, it seems I could work around the issue by
> adding a rule just before REJECT which matches on the same mark/filter
> and does -j MARK to the desired mark. That together with
> fwmark_reflect would work but still looks a bit hackish.
>
> Thanks again for the help,
> Pau Espin Pedrol
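The "re-mark just before -j REJECT" workaround discussed above, written out as a script. This is an added example, not code from the thread or from the netfilter project. The chain (FORWARD), interface (br0), port (25) and the mark values 0x1/0x2 are made-up assumptions; by default the commands are only printed (IPT and SYSCTL are set to a dry run) so the script can be read and checked without root, and it only applies the rules if you set IPT=iptables and SYSCTL=sysctl. Note that the RST only carries the mark if the kernel actually copies it in nf_send_reset(), which the post above says needed a patch on the kernel being tested; fwmark_reflect alone is not enough there.

```shell
#!/bin/sh
# Added example (not from the thread or the netfilter project): the
# "-j MARK just before -j REJECT" workaround, with fwmark_reflect enabled.
# Chain, interface, port and mark values are assumptions. IPT and SYSCTL
# default to a dry run so nothing is changed on the host running this.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Ask the stack to give locally generated replies (RST, ICMP errors) the
# mark of the packet that triggered them.
enable_fwmark_reflect() {
    $SYSCTL -w net.ipv4.fwmark_reflect=1
    $SYSCTL -w net.ipv6.fwmark_reflect=1
}

# True if fwmark_reflect is on. Reads the sysctl file given as $1 (defaults
# to the real IPv4 one) so the check can be exercised against a test file.
fwmark_reflect_enabled() {
    f="${1:-/proc/sys/net/ipv4/fwmark_reflect}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Append two rules to chain $1 for packets matching filter $2 that carry
# mark $3:
#   1. re-mark them with $4 (MARK is non-terminating, the packet goes on),
#   2. reject them with a TCP RST.
# Rule 2 must match on the NEW mark: after rule 1 the packet no longer
# carries $3, so a REJECT rule that kept matching on $3 would never fire.
# $2 is assumed to include "-p tcp", which --reject-with tcp-reset needs.
reject_with_mark() {
    chain=$1; match=$2; orig_mark=$3; reply_mark=$4
    # $match is intentionally word-split into separate iptables arguments.
    $IPT -A "$chain" $match -m mark --mark "$orig_mark" \
        -j MARK --set-mark "$reply_mark"
    $IPT -A "$chain" $match -m mark --mark "$reply_mark" \
        -j REJECT --reject-with tcp-reset
}

# Dry run of the whole workaround with the constructed values.
enable_fwmark_reflect
reject_with_mark FORWARD "-i br0 -p tcp --dport 25" 0x1 0x2
```

With a real iptables the two rules are appended to the end of the chain, so they have to be inserted where the original REJECT rule sat (use -I with a rule number instead of -A) if other rules in the chain would otherwise accept the packet first. The mark that ends up on the RST is whatever the SYN carries when REJECT runs, so any later MARK rule in mangle does not affect it.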