* Problems with CONNTRACK --restore-mark
@ 2020-02-17  7:32 Bernd Jerzyna
  0 siblings, 0 replies; only message in thread
From: Bernd Jerzyna @ 2020-02-17  7:32 UTC (permalink / raw)
  To: netfilter

Hi there,

I'm having trouble marking a connection.

My iptables configuration is

[root@arnott ~]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
set_connmark  tcp  --  anywhere             anywhere             tcp dpt:telnet state NEW
MARK       tcp  --  anywhere             anywhere             tcp dpt:telnet MARK set 0x2
CONNMARK   tcp  --  anywhere             anywhere             tcp dpt:telnet CONNMARK restore

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain set_connmark (1 references)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere             tcp dpt:telnet MARK set 0x1
CONNMARK   tcp  --  anywhere             anywhere             tcp dpt:telnet CONNMARK save

What I expect is that on the first packet a connection mark is set
(0x1) and that it is restored to the packet mark for every packet in
that connection (after setting the packet mark to 0x2).

What I see, though, is that this only works for the first packet as
the iptables TRACE shows:

raw:PREROUTING:policy:4                      16835 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'SYN', 'OPT']
mangle:PREROUTING:rule:1                     16835 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'SYN', 'OPT']
mangle:set_connmark:rule:1                   16835 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'SYN', 'OPT']
mangle:set_connmark:rule:2                   16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
mangle:set_connmark:return:3                 16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
mangle:PREROUTING:rule:2                     16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
mangle:PREROUTING:rule:3                     16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'SYN', 'OPT']
mangle:PREROUTING:policy:4                   16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
nat:PREROUTING:policy:1                      16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
mangle:FORWARD:policy:1                      16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
filter:FORWARD:policy:1                      16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
mangle:POSTROUTING:policy:1                  16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
nat:POSTROUTING:policy:1                     16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
wire:POSTROUTING:policy:1                    16835 TCP    10.3.118.45 50759 94.142.241.111  23    0x1        ['DF', 'SYN', 'OPT']
raw:PREROUTING:policy:4                      16836 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'ACK']
mangle:PREROUTING:rule:2                     16836 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'ACK']
mangle:PREROUTING:rule:3                     16836 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:PREROUTING:policy:4                   16836 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:FORWARD:policy:1                      16836 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
filter:FORWARD:policy:1                      16836 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:POSTROUTING:policy:1                  16836 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
wire:POSTROUTING:policy:1                    16836 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
raw:PREROUTING:policy:4                      16837 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'ACK']
mangle:PREROUTING:rule:2                     16837 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'ACK']
mangle:PREROUTING:rule:3                     16837 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:PREROUTING:policy:4                   16837 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:FORWARD:policy:1                      16837 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
filter:FORWARD:policy:1                      16837 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:POSTROUTING:policy:1                  16837 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
wire:POSTROUTING:policy:1                    16837 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
raw:PREROUTING:policy:4                      16838 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'ACK']
mangle:PREROUTING:rule:2                     16838 TCP    10.3.118.45 50759 94.142.241.111  23    ---        ['DF', 'ACK']
mangle:PREROUTING:rule:3                     16838 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:PREROUTING:policy:4                   16838 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:FORWARD:policy:1                      16838 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
filter:FORWARD:policy:1                      16838 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
mangle:POSTROUTING:policy:1                  16838 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']
wire:POSTROUTING:policy:1                    16838 TCP    10.3.118.45 50759 94.142.241.111  23    0x2        ['DF', 'ACK']

Using conntrack -E -d 94.142.241.111 I can see that the connection
mark is maintained at 0x1.
This is a test case iptables configuration to try to isolate the problem.

[root@arnott ~]# iptables --version
iptables v1.4.21

I'd appreciate any help with this.

Best regards
Bernd
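
As an added example, not part of Bernd's mail, the script below parses trace lines in the format shown above and flags every packet whose mark after the CONNMARK restore rule differs from the connmark the ruleset intends, which is how one would confirm from a TRACE log alone whether restore is doing its job. It assumes, as the trace suggests (rule:1 of set_connmark shows "---" and the next line shows 0x1), that each line carries the packet mark at the moment the rule is hit, before its target acts; the sample input is a constructed subset of the trace lines above with whitespace collapsed, and the trace point of the restore rule and the expected connmark are parameters.

```python
# Constructed sample: a subset of the trace lines from the mail above with
# whitespace collapsed. Packet 16835 is the SYN, 16836 the first ACK.
SAMPLE_TRACE = """\
mangle:PREROUTING:rule:1    16835 TCP 10.3.118.45 50759 94.142.241.111 23 --- ['DF', 'SYN', 'OPT']
mangle:set_connmark:rule:1  16835 TCP 10.3.118.45 50759 94.142.241.111 23 --- ['DF', 'SYN', 'OPT']
mangle:set_connmark:rule:2  16835 TCP 10.3.118.45 50759 94.142.241.111 23 0x1 ['DF', 'SYN', 'OPT']
mangle:PREROUTING:rule:2    16835 TCP 10.3.118.45 50759 94.142.241.111 23 0x1 ['DF', 'SYN', 'OPT']
mangle:PREROUTING:rule:3    16835 TCP 10.3.118.45 50759 94.142.241.111 23 0x2 ['DF', 'SYN', 'OPT']
mangle:PREROUTING:policy:4  16835 TCP 10.3.118.45 50759 94.142.241.111 23 0x1 ['DF', 'SYN', 'OPT']
mangle:PREROUTING:rule:2    16836 TCP 10.3.118.45 50759 94.142.241.111 23 --- ['DF', 'ACK']
mangle:PREROUTING:rule:3    16836 TCP 10.3.118.45 50759 94.142.241.111 23 0x2 ['DF', 'ACK']
mangle:PREROUTING:policy:4  16836 TCP 10.3.118.45 50759 94.142.241.111 23 0x2 ['DF', 'ACK']
"""

def parse_trace(text):
    """Return {packet_id: [(trace_point, mark), ...]} in trace order.
    Fields: point id proto src sport dst dport mark flags; '---' is mark 0."""
    packets = {}
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 8:
            continue                      # blank or non-trace line
        point, pkt_id, mark = fields[0], int(fields[1]), fields[7]
        mark_val = 0 if mark == "---" else int(mark, 16)
        packets.setdefault(pkt_id, []).append((point, mark_val))
    return packets

def mark_after(steps, point):
    """Mark the packet carries once the rule at `point` has acted: each trace
    line shows the mark before its target runs, so read the following line."""
    for i, (p, _) in enumerate(steps):
        if p == point and i + 1 < len(steps):
            return steps[i + 1][1]
    return None                           # rule not hit, or it was the last line

def check_restore(text, restore_point, expected_ctmark):
    """Packets whose mark after the CONNMARK restore rule is not the saved
    connmark, i.e. where restore did not do what the ruleset intends."""
    bad = {}
    for pkt_id, steps in parse_trace(text).items():
        got = mark_after(steps, restore_point)
        if got is not None and got != expected_ctmark:
            bad[pkt_id] = got
    return bad

if __name__ == "__main__":
    bad = check_restore(SAMPLE_TRACE, "mangle:PREROUTING:rule:3", 0x1)
    for pkt_id, got in bad.items():
        print(f"packet {pkt_id}: mark after restore {got:#x}, expected 0x1")
```

Run against the full trace from the mail, it reports 16836, 16837 and 16838 and leaves the SYN alone, matching what the mail describes.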
