* IPTables connection mark rule stops working
From: Justin Michael Schwartzbeck @ 2015-12-08 22:57 UTC (permalink / raw)
  To: netfilter

Hi all,

I was not sure whether to post this in netfilter or netfilter-devel.
Here is my situation:

I have a kernel module that examines traffic that is forwarded to a
Linux VM and, depending on certain information in the packet, will
mark that connection accordingly. I use the following line: "skb->mark
= 0x01" where skb is the socket buffer that is passed to a prerouting
hook in the kernel module.

Next, I have an iptables rule that DNATs the traffic based on the
connection mark. For example, mark 1 goes to port 8080, mark 2 goes to
8443, etc. The iptables rule looks like so:
iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x1 -j DNAT --to-destination (proxy ip):8080

Now, 99 percent of the time this works just fine, the connection is
marked, and it gets redirected by the iptables rule, and everyone is
happy. But once in a blue moon, it will randomly just stop working.
Here is what I have gathered so far: I have traffic being forwarded to
my VM as usual. Now I know the traffic is being marked in the kernel
module because I have a log message that goes to syslog from the
kernel module indicating this. But the traffic does not get DNATed.
When I look at "iptables -t nat -vL" I can see that the count for that
rule is not going up. Eventually I just power cycle the VM and
everything goes back to normal. I am wondering how I can troubleshoot
this. What might cause this problem to occur? My first instinct is
maybe some table is being filled up (perhaps connection tracking?) but
when I check syslog I don't see any useful information. I just need
some idea of where to look. What other things can I check?

Thanks,
-Justin


* Re: IPTables connection mark rule stops working
From: Pascal Hambourg @ 2015-12-09  8:13 UTC (permalink / raw)
  To: Justin Michael Schwartzbeck; +Cc: netfilter

Justin Michael Schwartzbeck wrote:
> 
> Now I know the traffic is being marked in the kernel
> module because I have a log message that goes to syslog from the
> kernel module indicating this. But the traffic does not get DNATed.
> When I look at "iptables -t nat -vL" I can see that the count for that
> rule is not going up. Eventually I just power cycle the VM and
> everything goes back to normal. I am wondering how I can troubleshoot
> this. What might cause this problem to occur? My first instinct is
> maybe some table is being filled up (perhaps connection tracking?) but
> when I check syslog I don't see any useful information. I just need
> some idea of where to look. What other things can I check?

Check the packet conntrack state in mangle/PREROUTING. A packet won't
enter the nat chains if it has a state other than NEW.

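The check Pascal suggests, worked through as an added example that is not part of the thread and not the poster's module or rules. The nat table is consulted only for the packet that creates a conntrack entry (ctstate NEW); every later packet of that connection, and anything conntrack classifies INVALID, bypasses the nat chains entirely, so a marked packet in that position never reaches the DNAT rule and the counter in `iptables -t nat -vL` stays flat no matter what `-m mark` would have matched (note that `-m mark` tests the packet mark, skb->mark, not the connection mark that `-m connmark` tests). Two LOG rules at the top of mangle/PREROUTING, which runs after conntrack and before nat, record each marked packet together with its state; the shell functions below print those rules and then sift the resulting kernel-log lines for the one pattern that explains the symptom, an opening SYN that was logged as something other than NEW. The mark value 0x1, the log prefixes, and the sample log lines (with addresses from the documentation ranges) are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). Assumes the module sets
# skb->mark = 0x1 on packets it wants DNATed; the log prefixes and the
# sample kernel-log lines below are constructed for this example, with
# hosts 192.0.2.x and 198.51.100.5 taken from the documentation ranges.
set -eu

# Rules for mangle/PREROUTING, where conntrack has already classified the
# packet (conntrack runs before mangle in PREROUTING, the nat table after).
# Printed rather than executed so this runs unprivileged; pipe the output
# through `sh` on the VM to apply them.
diag_rules() {
    mark="$1"
    cat <<EOF
iptables -t mangle -I PREROUTING -p tcp -m mark --mark $mark -m conntrack --ctstate NEW -j LOG --log-prefix "mark$mark-NEW: "
iptables -t mangle -I PREROUTING -p tcp -m mark --mark $mark -m conntrack ! --ctstate NEW -j LOG --log-prefix "mark$mark-NOTNEW: "
EOF
}

# Constructed sample of what the LOG target writes to the kernel log.
# Flow 1 (192.0.2.10) is healthy: its SYN was NEW, later packets are not.
# Flow 2 (192.0.2.11) shows the failure: even its SYN is NOTNEW, so conntrack
# already had an entry for that tuple and the packet never entered nat.
SAMPLE_LOG='kernel: mark0x1-NEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
kernel: mark0x1-NOTNEW: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=40001 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x1
kernel: mark0x1-NOTNEW: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
kernel: mark0x1-NOTNEW: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=40002 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x1'

# Count logged packets per conntrack state. In a healthy run each connection
# contributes one NEW line (its first packet) and NOTNEW lines for the rest;
# NOTNEW packets skipping nat is normal and is what keeps the DNAT decision
# sticky for the life of a connection.
state_summary() {
    awk '/-NEW: / { c["NEW"]++ } /-NOTNEW: / { c["NOTNEW"]++ }
         END { for (s in c) print s, c[s] }' | sort
}

# Print the flows whose opening SYN (SYN set, ACK clear) was logged with a
# state other than NEW. Such a SYN cannot reach the DNAT rule regardless of
# its mark, so these are the connections to look up in `conntrack -L`.
syn_not_new() {
    awk '/-NOTNEW: / && / SYN / && !/ ACK / {
        src = dst = spt = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v; else if (k == "DST") dst = v; else if (k == "SPT") spt = v; else if (k == "DPT") dpt = v
        }
        print src ":" spt " -> " dst ":" dpt
    }'
}

echo "# rules to apply on the VM:"
diag_rules 0x1
echo "# packets per conntrack state in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | state_summary
echo "# connections whose SYN did not enter nat (look these up in conntrack -L):"
printf '%s\n' "$SAMPLE_LOG" | syn_not_new
```

On the VM, feed `dmesg` or the journal into `syn_not_new`; each flow it prints should then be looked up with `conntrack -L -p tcp --dport 80` to see the entry that is catching the SYN, and `conntrack -D` on that tuple is the targeted alternative to the power cycle. If the SYN is instead logged NEW and the nat counter still does not move, the problem is not conntrack state but rule order or table placement (DNAT is only valid in the nat table), which `iptables -t nat -vL PREROUTING --line-numbers` will show.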

* IPTables connection mark rule stops working
From: Justin Michael Schwartzbeck @ 2015-12-15 17:44 UTC (permalink / raw)
  To: netfilter-devel

(Body identical to the 2015-12-08 message above, re-sent to netfilter-devel.)
