Question on copying iptables CONNMARK to netfilter MARK

Praetorian · 03-06-2008, 05:46 PM

Hello,

I'm having a problem transferring iptables connection tracking (conntrack) marks to Netfilter marks. I'm trying to use the 'conntrack' tool (from conntrack-tools) to update conntrack mark values on ESTABLISHED connections, then use iptables to monitor those mark values via the connmark module and transfer the mark values to the packet as it is handed off to Netfilter. A tc filter exists which is supposed to look for packets with certain fwmark's, and drop them into their corresponding qdisc.

Here are the rules I'm using:

IPTABLES

Code:

-t mangle -A POSTROUTING -j CONNMARK --restore-mark
-t mangle -A POSTROUTING -m connmark --mark 0x5 -j MARK --set-mark 0x5
-t mangle -A POSTROUTING -j CONNMARK --save-mark

TC

Code:

qdisc add dev eth0 root handle 1: prio
qdisc add dev eth0 parent 1:2 handle 12: htb
filter add dev eth0 parent 12: protocol ip prio 1 handle 5 fw flowid 12:5

class add dev eth0 parent 12: classid 12:5 htb rate 56kbit
qdisc add dev eth0 parent 12:5 handle 5: sfq perturb 10

iptables -t mangle -L -v shows packets matching the rules, but the tc qdisc counters for 12:5 are not incrementing, which would show packets are entering the qdisc.

I've tried to do some debugging by MARKing all packets for a single host in iptables, but even that gives me some problems.

This doesn't work:

Code:

-t mangle -A POSTROUTING -s 192.168.101.61 -j MARK --set-mark 5

But this does:

Code:

$IPSET=/usr/sbin/ipset

$IPSET --create testhost nethash
$IPSET --add testhost 192.168.101.61/32

-t mangle -A POSTROUTING -m set --set testhost src -j MARK --set-mark 5

Obviously there's something that I don't understand about iptables and/or netfilter. Any help would be greatly appreciated.

rayfordj · 03-06-2008, 06:13 PM

you are doing it on the POSTROUTING mangle chain. Wouldn't you want to do this before your routing decisions occur (by using PREROUTING mangle chain)?

Chapter 6. Traversing of tables and chains

Praetorian · 03-06-2008, 06:27 PM

I forgot to mention I'm using this on a bridge, not a router.

This machine runs L7-Filter. The documentation for that software recommends modifying the MARK value in the POSTROUTING chain. I'm not sure if I need to follow this in my particular situation, but I did.

I've tried using the same rules in the PREROUTING and FORWARD chains, but it didn't seem to make a difference. Again, the packets seem to be matching in iptables but fail to match in tc.

I'll read through the link you provided, and post back with any new developments.

Praetorian · 03-10-2008, 05:26 PM

I haven't been able to get these MARK values to transfer. I have resorted to using the CLASSIFY target to queue traffic based on its CONNMARK. I hadn't thought of this before because the iptables(8) mentions this works with CBQ queues, although it apparently also works with HTB, which is what I'm using.

For the curious, here's the rule I have resorted to.

Code:

-t mangle -A POSTROUTING -m conntrack --ctstate ESTABLISHED,RELATED --ctstatus ASSURED -m connmark --mark 5 -j CLASSIFY --set-class 12:5

jomen · 06-19-2008, 07:24 AM

it is done with:

Code:

...-j CONNMARK --save-mark

and you (re)use it with:

Code:

...-j CONNMARK --restore-mark