[Bug 747] New: IPtables marked packets not being inspected in NAT table.

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Tue Sep 6 17:19:35 CEST 2011


http://bugzilla.netfilter.org/show_bug.cgi?id=747

           Summary: IPtables marked packets not being inspected in NAT table.
           Product: iptables
           Version: CVS (please indicate timestamp)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P3
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: relay at ericavijay.net
   Estimated Hours: 0.0


Here is the description of the issue that I was able to reproduce.

A bandwidth-based router was set up to push data based on bandwidth to various
daemons on the same machine.  The modules used are "limit", "mark" and
"redirect".

The logic in the mangle table is to mark packets at 100 pkts per second with
mark "02", and the next 100 pkts per second with mark "03".

The logic in the NAT table is to REDIRECT these packets to ports 515, 516 and so
on, respectively.

Here is what my iptables ruleset looks like:

# Generated by iptables-save v1.4.4 on Tue Sep  6 11:15:41 2011
*raw
:PREROUTING ACCEPT [376977:223804194]
:OUTPUT ACCEPT [2336:364875]
COMMIT
# Completed on Tue Sep  6 11:15:41 2011
# Generated by iptables-save v1.4.4 on Tue Sep  6 11:15:41 2011
*filter
:INPUT ACCEPT [243453:140022777]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6891:2265445]
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p udp -m udp --dport 515 -j ACCEPT
-A INPUT -p udp -m udp --dport 516 -j ACCEPT
-A INPUT -p udp -m udp --dport 517 -j ACCEPT
-A INPUT -p udp -m udp --dport 518 -j ACCEPT
COMMIT
# Completed on Tue Sep  6 11:15:41 2011
# Generated by iptables-save v1.4.4 on Tue Sep  6 11:15:41 2011
*nat
:PREROUTING ACCEPT [2501:337926]
:POSTROUTING ACCEPT [687:46247]
:OUTPUT ACCEPT [687:46247]
-A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x2 -j REDIRECT --to-ports 515
-A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x3 -j REDIRECT --to-ports 516
-A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x4 -j REDIRECT --to-ports 517
COMMIT
# Completed on Tue Sep  6 11:15:41 2011
# Generated by iptables-save v1.4.4 on Tue Sep  6 11:15:41 2011
*mangle
:PREROUTING ACCEPT [702123:418010059]
:INPUT ACCEPT [702012:417948640]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5748:2083267]
:POSTROUTING ACCEPT [5759:2084048]
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 200/sec -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 200/sec -j RETURN
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 303/sec -j MARK --set-xmark 0x3/0xffffffff
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 303/sec -j RETURN
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 400/sec -j MARK --set-xmark 0x4/0xffffffff
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 400/sec -j RETURN
-A PREROUTING -p udp -m udp --dport 514 -j LOG --log-prefix "Feed_Me_More: "
COMMIT
# Completed on Tue Sep  6 11:15:41 2011

When I push events that exceed the first 100 pkts/sec count, the marking happens
properly but the "NAT" table does not read the marked packets properly.  Here
are the packet counts to show this behavior.


root at europeanroller:~# iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 2052 packets, 1205K bytes)
 pkts bytes target     prot opt in     out     source               destination 
  437  264K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 limit: avg 200/sec burst 5 MARK xset 0x2/0xffffffff
  437  264K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 limit: avg 200/sec burst 5
  657  397K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 limit: avg 303/sec burst 5 MARK xset 0x3/0xffffffff
  657  397K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 limit: avg 303/sec burst 5
  853  516K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 limit: avg 400/sec burst 5 MARK xset 0x4/0xffffffff
  853  516K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 limit: avg 400/sec burst 5
   39 23583 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 LOG flags 0 level 4 prefix `Feed_Me_More: '
root at europeanroller:~# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    1    28 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 mark match 0x2 redir ports 515
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 mark match 0x3 redir ports 516
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0  
        udp dpt:514 mark match 0x4 redir ports 517

Please let me know if this bug can be tested and fixed.
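As an added illustration (not part of the report and not netfilter's code), the following Python model walks packets through the mangle and nat PREROUTING chains of the ruleset above and reproduces the counter pattern shown: the nat table is consulted only for the first packet of each conntrack flow, so with a single UDP sender every later packet reuses that flow's REDIRECT binding no matter what the mangle chain marked it. The model assumes netfilter's credit-bucket scheme for "-m limit" (cost = 1e6/rate microseconds per match, capped at burst*cost), a conntrack key of (saddr, sport, daddr, dport), and constructed addresses and timings; the second scenario, where every packet is a fresh flow, shows the case in which the nat counters do track the marks.

```python
"""Model of mangle -> conntrack -> nat PREROUTING traversal (constructed, not netfilter code)."""
from collections import Counter

class Limit:
    """-m limit modelled as netfilter's credit bucket (assumption: same scheme as the kernel)."""
    def __init__(self, rate, burst=5):
        self.cost = 1_000_000 // rate          # credit (microseconds) consumed per matched packet
        self.cap = burst * self.cost           # a full bucket holds `burst` packets
        self.credit, self.last = self.cap, 0
    def match(self, now_us):
        self.credit = min(self.cap, self.credit + now_us - self.last)   # refill with elapsed time
        self.last = now_us
        if self.credit < self.cost:
            return False
        self.credit -= self.cost
        return True

STAGES = [(200, 0x2), (303, 0x3), (400, 0x4)]   # (limit rate, mark) for each MARK/RETURN pair
NAT_RULES = {0x2: 515, 0x3: 516, 0x4: 517}      # nat PREROUTING: mark -> REDIRECT --to-ports

def simulate(packets):
    """packets: iterable of (time_us, flow_key). Returns (mangle, nat, delivered) Counters."""
    stages = [(Limit(r), Limit(r), m) for r, m in STAGES]   # MARK and RETURN each have their own bucket
    mangle, nat, delivered, conntrack = Counter(), Counter(), Counter(), {}
    for now, flow in packets:
        mark = 0
        for lim_mark, lim_ret, m in stages:
            if lim_mark.match(now):            # MARK is non-terminating: packet continues
                mark = m
                mangle[("MARK", m)] += 1
            if lim_ret.match(now):             # RETURN leaves the chain
                mangle[("RETURN", m)] += 1
                break
        else:
            mangle["LOG"] += 1                 # fell through every stage
        if flow not in conntrack:              # only a flow's first packet enters the nat table
            port = NAT_RULES.get(mark, 514)    # no mark match -> no REDIRECT, original port kept
            if mark in NAT_RULES:
                nat[port] += 1
            conntrack[flow] = port             # later packets of the flow reuse this binding
        delivered[conntrack[flow]] += 1
    return mangle, nat, delivered

def one_flow(n=1000, interval_us=1000):
    """One sender socket, n packets to :514 at 1000 pkts/sec (constructed addresses)."""
    return simulate((i * interval_us, ("10.0.0.1", 40000, "10.0.0.2", 514)) for i in range(n))

def many_flows(n=1000, interval_us=1000):
    """Same rate, but every packet uses a fresh source port, i.e. a new conntrack flow."""
    return simulate((i * interval_us, ("10.0.0.1", 40000 + i, "10.0.0.2", 514)) for i in range(n))
```

With one flow the mangle MARK and RETURN counters of each stage stay equal (both buckets see the same packets at the same times) while nat shows a single REDIRECT hit and everything lands on port 515; with one flow per packet the nat hit count equals the mangle MARK count.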

