Discussion:
tc filter connmark
George Amanakis
2014-08-13 15:00:51 UTC
Dear All,

I would be glad if you could help me out. I am running the following
script:

-------------- cut - here -----------------

# mangle: mark packets leaving eth0 (forwarded and locally generated) with 3
iptables -t mangle -N QOS
iptables -t mangle -A FORWARD -o eth0 -j QOS
iptables -t mangle -A OUTPUT -o eth0 -j QOS
iptables -t mangle -A QOS -j MARK --set-mark 3

# counter rule: only hits if the mark is already present when PREROUTING runs
iptables -t mangle -A PREROUTING -m mark --mark 3 -j ACCEPT ### (counter)

# egress: copy the packet mark into the conntrack entry
tc qdisc add dev eth0 root handle 1: htb
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --save-mark

# ingress: copy the conntrack mark back onto incoming packets
tc qdisc add dev eth0 ingress handle ffff:
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --restore-mark

-------------- cut - here -----------------

Now if I insert (-I) in "PREROUTING" a "CONNMARK --restore-mark", my
counter shows that the egress filter "tc filter ... parent 1: ... CONNMARK
--save-mark" marked them correctly.

However, if I remove the "CONNMARK --restore-mark" from "PREROUTING" my
counter shows no traffic. This means that the ingress filter "tc filter
... parent ffff: ... CONNMARK --restore-mark" is not working.

I tried this on latest Archlinux, Fedora 20 and Debian 7.6 and
everywhere I get the same behaviour. What am I doing wrong?

Regards, George
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Andrew Beverley
2014-08-13 15:14:16 UTC
Post by George Amanakis
Dear All,
I would be glad if you could help me out. I am running the following
-------------- cut - here -----------------
iptables -t mangle -N QOS
iptables -t mangle -A FORWARD -o eth0 -j QOS
iptables -t mangle -A OUTPUT -o eth0 -j QOS
iptables -t mangle -A QOS -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m mark --mark 3 -j ACCEPT ### (counter)
tc qdisc add dev eth0 root handle 1: htb
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --save-mark
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --restore-mark
-------------- cut - here -----------------
Now if I insert (-I) in "PREROUTING" a "CONNMARK --restore-mark", my
counter shows that the egress filter "tc filter ... parent 1: ... CONNMARK
--save-mark" marked them correctly.
However, if I remove the "CONNMARK --restore-mark" from "PREROUTING" my
counter shows no traffic. This means that the ingress filter "tc filter
... parent ffff: ... CONNMARK --restore-mark" is not working.
If I've understood correctly, you're trying to restore a netfilter MARK
during ingress? If so, I'm not sure this will be possible, as any
ingress processing is done before the traffic hits the netfilter stack,
so it will have no knowledge of connection tracking:

http://inai.de/images/nf-packet-flow.svg

Happy to be corrected if I'm wrong!

Andy


George Amanakis
2014-08-14 06:54:46 UTC
Yes, but in this case how could someone handle SNAT on INGRESS by using IFB?
Post by Andrew Beverley
Post by George Amanakis
Dear All,
I would be glad if you could help me out. I am running the following
-------------- cut - here -----------------
iptables -t mangle -N QOS
iptables -t mangle -A FORWARD -o eth0 -j QOS
iptables -t mangle -A OUTPUT -o eth0 -j QOS
iptables -t mangle -A QOS -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m mark --mark 3 -j ACCEPT ### (counter)
tc qdisc add dev eth0 root handle 1: htb
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --save-mark
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --restore-mark
-------------- cut - here -----------------
Now if I insert (-I) in "PREROUTING" a "CONNMARK --restore-mark", my
counter shows that the egress filter "tc filter ... parent 1: ... CONNMARK
--save-mark" marked them correctly.
However, if I remove the "CONNMARK --restore-mark" from "PREROUTING" my
counter shows no traffic. This means that the ingress filter "tc filter
... parent ffff: ... CONNMARK --restore-mark" is not working.
If I've understood correctly, you're trying to restore a netfilter MARK
during ingress? If so, I'm not sure this will be possible, as any
ingress processing is done before the traffic hits the netfilter stack,
http://inai.de/images/nf-packet-flow.svg
Happy to be corrected if I'm wrong!
Andy
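Editor's note with an added example (not code from the thread): the behaviour George reports is consistent with Andrew's explanation. The tc ingress hook runs before the PREROUTING conntrack hook, so an incoming packet has no conntrack entry attached yet and "action xt -j CONNMARK --restore-mark" has nothing to read; on egress the packet has already passed OUTPUT or FORWARD, so "--save-mark" works. Kernels later gained a dedicated tc action, "connmark" (act_connmark, Linux 3.19 and newer, so not available on the 2014 systems in the thread), which performs its own conntrack lookup at ingress using the tuple as received on the wire, which is the reply-direction tuple conntrack already stores for a SNATed connection. The script below uses it to restore the mark before redirecting eth0 ingress to an IFB device, where an HTB tree and a "fw" classifier can shape by mark. Assumptions: WAN interface eth0, IFB device ifb0, mark 3 as in the thread, placeholder rates, and an iproute2 that knows "action connmark". With DRY_RUN=1 the functions print the commands instead of executing them, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example: shape ingress traffic by conntrack mark via IFB.
# Assumed names: WAN=eth0, IFB=ifb0, MARK=3; rates are placeholders.
# Requires the tc "connmark" action (act_connmark, Linux 3.19+).

WAN="${WAN:-eth0}"
IFB="${IFB:-ifb0}"
MARK=3

# Execute a command, or print it when DRY_RUN is set (no root needed).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Egress side: conntrack has already run for OUTPUT/FORWARD packets, so the
# packet mark can be saved into the conntrack entry here. (The thread's
# "action xt -j CONNMARK --save-mark" on the eth0 root qdisc works for the
# same reason; saving from mangle is simply shorter.)
setup_egress_marks() {
    run iptables -t mangle -N QOS
    run iptables -t mangle -A FORWARD -o "$WAN" -j QOS
    run iptables -t mangle -A OUTPUT -o "$WAN" -j QOS
    run iptables -t mangle -A QOS -j MARK --set-mark "$MARK"
    run iptables -t mangle -A QOS -j CONNMARK --save-mark
}

# Ingress side: "action connmark" looks the packet up in conntrack itself and
# writes ct->mark into skb->mark; the mark is therefore present when the
# packet is redirected to ifb0, unlike with "action xt -j CONNMARK
# --restore-mark", which only reads a conntrack entry already attached to
# the skb (none exists at the ingress hook).
setup_ingress_ifb() {
    run ip link add "$IFB" type ifb
    run ip link set dev "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 \
        action connmark \
        action mirred egress redirect dev "$IFB"
    # HTB on the IFB; unmarked traffic falls into 1:20
    run tc qdisc add dev "$IFB" root handle 1: htb default 20
    run tc class add dev "$IFB" parent 1: classid 1:1 htb rate 50mbit
    run tc class add dev "$IFB" parent 1:1 classid 1:10 htb rate 40mbit ceil 50mbit
    run tc class add dev "$IFB" parent 1:1 classid 1:20 htb rate 10mbit ceil 50mbit
    # fw classifier: packets whose restored mark equals MARK go to 1:10
    run tc filter add dev "$IFB" parent 1: protocol ip prio 1 handle "$MARK" fw classid 1:10
}

# Check: if class 1:10 on the IFB accumulates packets, the mark was restored
# before the redirect (the equivalent of the PREROUTING counter in the thread).
check_ingress_classes() {
    run tc -s class show dev "$IFB"
}

main() {
    setup_egress_marks
    setup_ingress_ifb
    check_ingress_classes
}

case "${1:-}" in
    apply)   main ;;
    dry-run) DRY_RUN=1 main ;;
    "")      ;;   # no argument: only define the functions
    *)       echo "usage: $0 apply|dry-run" >&2; exit 2 ;;
esac
```

Run as "sh ifb-connmark.sh dry-run" to review the generated commands, then "apply" as root. On a kernel without act_connmark this approach is not available, and the limitation Andrew describes stands: the mark cannot be recovered at the ingress hook before the IFB redirect.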