* tc filter connmark
@ 2014-08-13 15:00 George Amanakis
From: George Amanakis @ 2014-08-13 15:00 UTC (permalink / raw)
To: netfilter
Dear All,
I would be glad if you could help me out. I am running the following
script:
-------------- cut - here -----------------
iptables -t mangle -N QOS
iptables -t mangle -A FORWARD -o eth0 -j QOS
iptables -t mangle -A OUTPUT -o eth0 -j QOS
iptables -t mangle -A QOS -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m mark --mark 3 -j ACCEPT ### (counter)
tc qdisc add dev eth0 root handle 1: htb
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --save-mark
tc qdisc add dev eth0 ingress handle ffff:
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \
match u32 0 0 classid :1 \
action xt -j CONNMARK --restore-mark
-------------- cut - here -----------------
Now if I insert (-I) in "PREROUTING" a "CONNMARK --restore-mark", my
counter shows that egress filter "tc filter ... parent 1: ... CONNMARK
--save-mark" marked them correctly.
However, if I remove the "CONNMARK --restore-mark" from "PREROUTING" my
counter shows no traffic. This means that the ingress filter "tc filter
... parent ffff: ... CONNMARK --restore-mark" is not working.
I tried this on latest Archlinux, Fedora 20 and Debian 7.6 and
everywhere I get the same behaviour. What am I doing wrong?
Regards, George
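The poster is reading a single iptables counter to infer which half of the mark round-trip failed. The following added example (editor's code, not from the thread or from the tc/iptables projects) splits that diagnosis into two checks: whether any conntrack entry actually carries the saved mark (`conntrack -L`), and whether packets reach the PREROUTING counter rule with the mark already restored (`iptables -t mangle -vnx -L PREROUTING`). All command output below is constructed sample text in the usual format of those tools, not captured from the poster's machine; the mark value 3 is taken from the script above.

```python
import re

# Constructed sample of `iptables -t mangle -vnx -L PREROUTING`: the ACCEPT
# counter rule for mark 0x3 has seen no packets, the situation the poster
# describes when no iptables CONNMARK --restore-mark rule is present.
IPTABLES_NO_TRAFFIC = """\
Chain PREROUTING (policy ACCEPT 1532 packets, 204811 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x3
"""

# Constructed sample for the working case: a CONNMARK --restore-mark rule
# precedes the counter rule and the counter advances.
IPTABLES_TRAFFIC = """\
Chain PREROUTING (policy ACCEPT 1532 packets, 204811 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1532   204811 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
     812   120334 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x3
"""

# Constructed sample of `conntrack -L`: one flow carries the saved mark,
# one does not.
CONNTRACK_SAMPLE = """\
tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=198.51.100.20 sport=51234 dport=443 src=198.51.100.20 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=3 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1
"""

# One rule line of `iptables -vnx -L`: pkts bytes target prot opt in out src dst [match/target options]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*?)\s*$"
)


def parse_iptables_chain(output):
    """Parse one chain listing into rule dicts. The 'Chain ...' and column
    header lines do not start with a number and are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["pkts"] = int(rule["pkts"])
            rule["bytes"] = int(rule["bytes"])
            rules.append(rule)
    return rules


def mark_rule_packets(output, mark):
    """Packet count of the first rule matching `-m mark --mark <mark>`,
    or None if the chain has no such rule. iptables prints the mark in hex."""
    needle = "mark match 0x%x" % mark
    for rule in parse_iptables_chain(output):
        if needle in rule["extra"]:
            return rule["pkts"]
    return None


def conntrack_marked_flows(output, mark):
    """Number of conntrack entries whose stored connmark equals `mark`."""
    pat = re.compile(r"\bmark=(\d+)\b")
    return sum(1 for line in output.splitlines()
               if (m := pat.search(line)) and int(m.group(1)) == mark)


def diagnose(iptables_output, conntrack_output, mark=3):
    """Tell 'the save step never stored a mark' apart from 'the mark was
    stored but nothing restored it onto incoming packets'."""
    pkts = mark_rule_packets(iptables_output, mark)
    saved = conntrack_marked_flows(conntrack_output, mark)
    if pkts is None:
        return "no counter rule for mark 0x%x found" % mark
    if saved == 0:
        return "save failed: no conntrack entry carries mark %d" % mark
    if pkts == 0:
        return ("restore failed: conntrack carries mark %d but no packet "
                "reached PREROUTING with it" % mark)
    return "ok: %d packets seen with mark %d across %d marked flows" % (pkts, mark, saved)


if __name__ == "__main__":
    print(diagnose(IPTABLES_NO_TRAFFIC, CONNTRACK_SAMPLE))
    print(diagnose(IPTABLES_TRAFFIC, CONNTRACK_SAMPLE))
```

On a live host the two samples would be replaced by the output of `iptables -t mangle -vnx -L PREROUTING` and `conntrack -L` (both need root); the poster's observation corresponds to the first case, where the conntrack entries do carry the mark but the counter stays at zero.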
* Re: tc filter connmark
@ 2014-08-13 15:14 ` Andrew Beverley
From: Andrew Beverley @ 2014-08-13 15:14 UTC (permalink / raw)
To: George Amanakis; +Cc: netfilter
On Wed, 2014-08-13 at 17:00 +0200, George Amanakis wrote:
> Dear All,
>
> I would be glad if you could help me out. I am running the following
> script:
>
> -------------- cut - here -----------------
>
> iptables -t mangle -N QOS
> iptables -t mangle -A FORWARD -o eth0 -j QOS
> iptables -t mangle -A OUTPUT -o eth0 -j QOS
> iptables -t mangle -A QOS -j MARK --set-mark 3
>
> iptables -t mangle -A PREROUTING -m mark --mark 3 -j ACCEPT ### (counter)
>
> tc qdisc add dev eth0 root handle 1: htb
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
> match u32 0 0 classid :1 \
> action xt -j CONNMARK --save-mark
>
> tc qdisc add dev eth0 ingress handle ffff:
> tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \
> match u32 0 0 classid :1 \
> action xt -j CONNMARK --restore-mark
>
> -------------- cut - here -----------------
>
> Now if I insert (-I) in "PREROUTING" a "CONNMARK --restore-mark", my
> counter shows that egress filter "tc filter ... parent 1: ... CONNMARK
> --save-mark" marked them correctly.
>
> However, if I remove the "CONNMARK --restore-mark" from "PREROUTING" my
> counter shows no traffic. This means that the ingress filter "tc filter
> ... parent ffff: ... CONNMARK --restore-mark" is not working.
If I've understood correctly, you're trying to restore a netfilter MARK
during ingress? If so, I'm not sure this will be possible, as any
ingress processing is done before the traffic hits the netfilter stack,
so it will have no knowledge of connection tracking:
http://inai.de/images/nf-packet-flow.svg
Happy to be corrected if I'm wrong!
Andy
* Re: tc filter connmark
@ 2014-08-14 6:54 ` George Amanakis
From: George Amanakis @ 2014-08-14 6:54 UTC (permalink / raw)
To: Andrew Beverley; +Cc: netfilter
Yes but in this case how could someone handle SNAT on INGRESS by using IFB?
On 13.08.2014 17:14, Andrew Beverley wrote:
> On Wed, 2014-08-13 at 17:00 +0200, George Amanakis wrote:
>> Dear All,
>>
>> I would be glad if you could help me out. I am running the following
>> script:
>>
>> -------------- cut - here -----------------
>>
>> iptables -t mangle -N QOS
>> iptables -t mangle -A FORWARD -o eth0 -j QOS
>> iptables -t mangle -A OUTPUT -o eth0 -j QOS
>> iptables -t mangle -A QOS -j MARK --set-mark 3
>>
>> iptables -t mangle -A PREROUTING -m mark --mark 3 -j ACCEPT ### (counter)
>>
>> tc qdisc add dev eth0 root handle 1: htb
>> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
>> match u32 0 0 classid :1 \
>> action xt -j CONNMARK --save-mark
>>
>> tc qdisc add dev eth0 ingress handle ffff:
>> tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 \
>> match u32 0 0 classid :1 \
>> action xt -j CONNMARK --restore-mark
>>
>> -------------- cut - here -----------------
>>
>> Now if I insert (-I) in "PREROUTING" a "CONNMARK --restore-mark", my
>> counter shows that egress filter "tc filter ... parent 1: ... CONNMARK
>> --save-mark" marked them correctly.
>>
>> However, if I remove the "CONNMARK --restore-mark" from "PREROUTING" my
>> counter shows no traffic. This means that the ingress filter "tc filter
>> ... parent ffff: ... CONNMARK --restore-mark" is not working.
> If I've understood correctly, you're trying to restore a netfilter MARK
> during ingress? If so, I'm not sure this will be possible, as any
> ingress processing is done before the traffic hits the netfilter stack,
> so it will have no knowledge of connection tracking:
>
> http://inai.de/images/nf-packet-flow.svg
>
> Happy to be corrected if I'm wrong!
>
> Andy
>
>