Discussion:
Policy Routing with fwmark and iptables -j MARK
f***@berkeley.edu
2007-11-25 09:26:19 UTC
Hello. I am trying to do some simple policy routing in Fedora Core. I have
read this link as initial guidance and the LARTC howto:
http://linux-ip.net/html/adv-multi-internet.html

I have three outgoing lines, IF1,IF2,IF3.
What I want: all outgoing connections that don't have a certain
destination port to be routed out on IF3, while everything else I want to
be load balanced between IF1,IF2 - and I want to do this load balancing on
each individual new connection using the "statistic" match (so not with a
multipath ip route). Here's the rules (similar ones for UDP):

$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport \
--dport $PORT_LIST -m statistic --mode random --probability .5 \
-j MARK --set-mark 0x60000000

# MARK is non-terminating, so without the -m mark check this second rule
# would overwrite the 0x60000000 set by the rule above on every packet.
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport \
--dport $PORT_LIST -m mark --mark 0 -j MARK --set-mark 0x50000000

After that, I have 3 routing tables - 5, 6 and main, which default to routing out
on IF1, IF2, IF3 respectively. Finally, I wish to do NAT, so I have:

$IPTABLES -t nat -A POSTROUTING -o $IF3_IF -j SNAT --to-source $IF3_IP
$IPTABLES -t nat -A POSTROUTING -o $IF1_IF -j SNAT --to-source $IF1_IP
$IPTABLES -t nat -A POSTROUTING -o $IF2_IF -j SNAT --to-source $IF2_IP

However, I also wish to use L7-filter which itself edits the mask, and I
load it like this so that it sees both sides of a connection:

$IPTABLES -A FORWARD -j NFQUEUE

l7-filter runs with the -m 0x00ff0000 bitmask switch, so its own edits of
the mask don't clobber the -j MARK that was set. However, fwmark in ip
route DOES NOT seem to have a similar bitmask option. So, by the time the
packet gets to fwmark its mark might be different from what was originally
set in the PREROUTING chain?

So, how can I tell fwmark to look at just the first pair in the mask? I.e.
at 0xff000000 as opposed to the whole mask. If I can't do this, then don't
I have to add multiple fwmark rules to anticipate each edit l7-filter
might make during the FORWARD chain? So in effect this would multiply the
number of

"ip rule add fwmark x table x"

type rules by however many possible changes l7-filter could make. This
kind of stuff is really making me wish the ROUTE target still worked...

-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Jörg Lübbert
2007-11-25 13:28:09 UTC
Hello,

You might well run into trouble with your MARK approach there, as it
won't be able to correctly track connections which are related to other
connections, i.e. FTP data.

You'll need to rely on connmark for such situation.

$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark

# Decide only for connections that carry no connmark yet; later packets of
# the same connection get their mark back from --restore-mark above.
# (A "! --mark 0/0" test can never match: with mask 0 the comparison is
# always true, so the negation is always false.)
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport \
--dport $PORT_LIST -m connmark --mark 0 \
-m statistic --mode random --probability .5 \
-j MARK --set-mark 0x60000000

# The remaining new connections (packet mark still 0 after the rule above)
# go the other way.
$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport \
--dport $PORT_LIST -m connmark --mark 0 -m mark --mark 0 \
-j MARK --set-mark 0x50000000

$IPTABLES -t mangle -A PREROUTING -j CONNMARK --save-mark

As for your L7 case, I'd need some more input there. Can you give a more
detailed description please? You don't want to use it as part of the
routing decision, do you? (That wouldn't work.)


- Jörg
Jörg Lübbert
2007-11-25 23:50:02 UTC
Hello,
> $IPTABLES -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
> to catch the generic packets just in case?
I don't know your full ruleset, but I don't see a point in making a rule
here to accept packets that have any mark set but the mark 0?

I suggest you read up about marks some more.

- A connmark is a mark that is present on a whole connection
- A mark is only present on a single packet
- tc filter can only handle normal marks. It doesn't know about connmark
- ip rule can also only handle normal marks
> No, I don't want to make a routing decision with L7, rather I want to use
> the marks it sets with tc. I'm using the userland version of L7-filter, so
> since L7 defaults to queue number 0, I have the
> $IPTABLES -A FORWARD -j NFQUEUE rule so that it gets everything there.
Right
> But L7 edits the mark itself - of
> all the packets in a connection if I understand correctly - 0 for not
> looked at, 1 for looked at, 2 for gave up, and other marks signify
> identification.
I'm not aware of the fact that l7 filter uses fwmark for internal packet
processing.

Anyways. As far as I can see, you want to use l7 filter in combination
with tc and you want to use packet marks for routing.

I already explained about the routing part. So here comes the other:

Since tc filter rules are evaluated after the POSTROUTING chain, you can
use -m layer7 matches in the mangle table of the POSTROUTING chain and
set -j MARK the way you like. tc filter will pick them up and it will
not interfere with the routing decisions, e.g.

$IPTABLES -A POSTROUTING -t mangle -m layer7 --l7proto httpaudio \
-j MARK --set-mark 20

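The three posts above circle the same problem: the byte of the packet mark that drives the routing decision has to survive l7-filter's edits and any tc marking, and the per-connection choice has to be copied onto every packet of that connection (Jörg's connmark point) rather than re-rolled per packet. The script below is an editorial example added here, not code from any of the posts, showing one way to do that with masked marks, including the masked fwmark lookup in ip rule that the original poster was looking for. Every interface name, address, port list, LAN prefix and table number in it is a placeholder assumption, the -m layer7 rule assumes the kernel l7-filter match is installed, and it relies on features of iptables 1.4 / kernel 2.6.25 (--set-mark value/mask, CONNMARK --nfmask/--ctmask) and kernel 2.6.19 (fwmark/mask in ip rule) that are newer than or contemporary with the thread.

```shell
#!/bin/sh
# Editorial example, not code from the thread.  Mask-aware version of the
# poster's setup: byte 3 of the mark carries the routing choice, byte 2 is
# left to l7-filter (-m 0x00ff0000), byte 0 is used for tc classes, and no
# rule writes outside its own byte.  Every interface, address, port list,
# LAN prefix and table number below is a placeholder assumption.
#
# Needs: xt_MARK --set-mark value/mask and CONNMARK --nfmask/--ctmask
# (iptables 1.4, kernel 2.6.25), fwmark/mask in ip rule (kernel 2.6.19).
# By default the commands are only printed; run as root with
# IPT=iptables IP=ip to apply them.
IPT=${IPT:-"echo iptables"}
IP=${IP:-"echo ip"}

ROUTE_MASK=0xff000000     # byte 3: routing decision, owned by mangle_rules
TC_MASK=0x000000ff        # byte 0: tc class selection, owned by tc_marks
MARK_IF1=0x50000000       # table 5, default route out IF1
MARK_IF2=0x60000000       # table 6, default route out IF2

PORT_LIST=${PORT_LIST:-80,443}        # assumed: the balanced ports
LAN_NET=${LAN_NET:-192.168.1.0/24}    # assumed: the inside network
IF1_IF=${IF1_IF:-eth1}; IF1_IP=${IF1_IP:-192.0.2.1}
IF2_IF=${IF2_IF:-eth2}; IF2_IP=${IF2_IP:-198.51.100.1}
IF3_IF=${IF3_IF:-eth3}; IF3_IP=${IF3_IP:-203.0.113.1}

# Per-connection balancing: the routing byte is chosen once on the first
# packet, saved into the connmark, and copied back onto every later packet.
mangle_rules() {
    # Copy only the routing byte of the connmark onto the packet.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark \
        --nfmask $ROUTE_MASK --ctmask $ROUTE_MASK
    for proto in tcp udp; do
        # Routing byte still 0 means a new connection: send half to IF2.
        # --set-mark value/mask rewrites only the masked bits.
        $IPT -t mangle -A PREROUTING -p $proto -m multiport --dport $PORT_LIST \
            -m mark --mark 0/$ROUTE_MASK \
            -m statistic --mode random --probability 0.5 \
            -j MARK --set-mark $MARK_IF2/$ROUTE_MASK
        # The other half (routing byte still 0) go to IF1.  MARK does not
        # terminate the chain, so the -m mark check is what keeps this
        # rule from overwriting the choice made just above.
        $IPT -t mangle -A PREROUTING -p $proto -m multiport --dport $PORT_LIST \
            -m mark --mark 0/$ROUTE_MASK \
            -j MARK --set-mark $MARK_IF1/$ROUTE_MASK
    done
    # Persist only the routing byte; bits written by l7-filter or tc_marks
    # never reach the connmark, so they cannot leak into later lookups.
    $IPT -t mangle -A PREROUTING -j CONNMARK --save-mark \
        --nfmask $ROUTE_MASK --ctmask $ROUTE_MASK
}

# The routing decision compares the routing byte only: this is the masked
# fwmark lookup the poster was asking for.
policy_rules() {
    # Replies and LAN-to-LAN traffic carry a restored routing byte too; keep
    # them out of tables 5/6 by consulting main for inside destinations first.
    $IP rule add to $LAN_NET table main pref 100
    $IP rule add fwmark $MARK_IF1/$ROUTE_MASK table 5 pref 200
    $IP rule add fwmark $MARK_IF2/$ROUTE_MASK table 6 pref 201
    $IP route flush cache
}

# Source NAT per egress interface, as in the original post.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o $IF1_IF -j SNAT --to-source $IF1_IP
    $IPT -t nat -A POSTROUTING -o $IF2_IF -j SNAT --to-source $IF2_IP
    $IPT -t nat -A POSTROUTING -o $IF3_IF -j SNAT --to-source $IF3_IP
}

# Classification for tc after the routing decision (assumes the kernel
# layer7 match).  The mask keeps the routing byte intact; match it on the
# tc side with a masked fw filter, e.g. "handle 20/0xff fw".
tc_marks() {
    $IPT -t mangle -A POSTROUTING -m layer7 --l7proto httpaudio \
        -j MARK --set-mark 20/$TC_MASK
}

mangle_rules
policy_rules
nat_rules
tc_marks
```

Run it once with the defaults to review the generated commands, then again as root with `IPT=iptables IP=ip` on a box where tables 5 and 6 already hold the IF1/IF2 default routes (and the LAN routes, or the `to $LAN_NET table main` rule above). The userland l7-filter keeps its `-m 0x00ff0000` mask and so never touches byte 3; with the masked save/restore it also cannot pollute the connmark.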