[Bug 589] New: MARK doesn't work properly with incoming traffic
bugzilla-daemon at bugzilla.netfilter.org
Wed Apr 1 15:58:45 CEST 2009
http://bugzilla.netfilter.org/show_bug.cgi?id=589
Summary: MARK doesn't work properly with incoming traffic
Product: iptables
Version: unspecified
Platform: i386
OS/Version: Ubuntu
Status: NEW
Severity: major
Priority: P1
Component: iptables
AssignedTo: laforge at netfilter.org
ReportedBy: javier.galvez.guerrero at gmail.com
I want to choose which network interface (between 2 WiFi NICs) is the
'active' one, so I'm trying to manage it with ip rules, ip routes and iptables.
What I do is mark outgoing packets so I can manage which routing table will
be selected. What I've noticed is that I also need to manage the response to this
traffic (such as ACK packets), so I need to mark the incoming traffic according
to the outgoing rules (i.e. redirecting the traffic to the same route tables).
The results show that if I use the TOS target I can properly send and receive
traffic through the network I want, while using the MARK target (the one I'm
really interested in) only the outgoing traffic is correctly managed, so the
incoming packets are never received by the local process.
These are the scripts I use to change the ip route tables, ip rules and
iptables rules:
-----------------------------------------------------------------
------------------TOS--------------------------------------------
-----------------------------------------------------------------
#!/bin/sh
# Make ra0 or ra1 the 'active' WiFi NIC with policy routing.  Outgoing
# traffic to tcp/8554 is tagged in mangle/OUTPUT, the replies from the
# server (147.83.47.178) are tagged in mangle/PREROUTING, and an ip rule
# keyed on the TOS byte sends tagged packets to the per-interface table
# (table 1 = ra0, table 2 = ra1).
task=usage
intf=0
show_rules=0

# Check for arguments: "clear" takes none, the other tasks need ra0 or ra1
case "$1" in
    clear)
        test $# -eq 1 && task=clear
        ;;
    start|switch|stop)
        if test $# -eq 2 && { test "$2" = ra0 || test "$2" = ra1; }
        then
            task=$1
            intf=$2
        fi
        ;;
esac

case $task in
    clear)
        sudo ip route flush table 1
        sudo ip route flush table 2
        sudo ip rule del prio 1    # twice: both policy rules live at prio 1
        sudo ip rule del prio 1
        sudo iptables -t mangle -F OUTPUT
        sudo iptables -t mangle -F PREROUTING
        sudo iptables -t nat -F POSTROUTING
        ;;
    start)
        # Same clean-up as "clear", then install the rules for one NIC
        sudo ip route flush table 1
        sudo ip route flush table 2
        sudo ip rule del prio 1
        sudo ip rule del prio 1
        sudo iptables -t mangle -F OUTPUT
        sudo iptables -t mangle -F PREROUTING
        sudo iptables -t nat -F POSTROUTING
        sudo ip rule add from all tos 0x10 table 1 prio 1
        sudo ip rule add from all tos 0x04 table 2 prio 1
        if test $intf = ra0
        then
            sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
            sudo iwconfig ra0 essid mobiptv1
            sudo ifconfig ra1 up
            sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
            sudo iptables -t mangle -A OUTPUT -p tcp --dport 8554 -j TOS --set-tos 0x10
            sudo iptables -t mangle -A PREROUTING -s 147.83.47.178 -j TOS --set-tos 0x10
            sudo ip route add default via 192.168.0.1 dev ra0
            sudo ip route add table 1 192.168.0.0/24 dev ra0
            sudo ip route add table 1 default via 192.168.0.1 dev ra0
        elif test $intf = ra1
        then
            sudo ifconfig ra0 up
            sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
            sudo iwconfig ra1 essid mobiptv2
            sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
            sudo iptables -t mangle -A OUTPUT -p tcp --dport 8554 -j TOS --set-tos 0x04
            sudo iptables -t mangle -A PREROUTING -s 147.83.47.178 -j TOS --set-tos 0x04
            sudo ip route add default via 192.168.1.1 dev ra1
            sudo ip route add table 2 192.168.1.0/24 dev ra1
            sudo ip route add table 2 default via 192.168.1.1 dev ra1
        fi
        ;;
    switch)
        # Replace rule 1 of each chain (-R ... 1) instead of appending, so the
        # rules installed by "start" are retargeted at the other NIC
        if test $intf = ra0
        then
            sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
            sudo iwconfig ra0 essid mobiptv1
            sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
            sudo iptables -t mangle -R OUTPUT 1 -p tcp --dport 8554 -j TOS --set-tos 0x10
            sudo iptables -t mangle -R PREROUTING 1 -s 147.83.47.178 -j TOS --set-tos 0x10
            sudo ip route add default via 192.168.0.1 dev ra0
            sudo ip route add table 1 192.168.0.0/24 dev ra0
            sudo ip route add table 1 default via 192.168.0.1 dev ra0
        elif test $intf = ra1
        then
            sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
            sudo iwconfig ra1 essid mobiptv2
            sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
            sudo iptables -t mangle -R OUTPUT 1 -p tcp --dport 8554 -j TOS --set-tos 0x04
            sudo iptables -t mangle -R PREROUTING 1 -s 147.83.47.178 -j TOS --set-tos 0x04
            sudo ip route add default via 192.168.1.1 dev ra1
            sudo ip route add table 2 192.168.1.0/24 dev ra1
            sudo ip route add table 2 default via 192.168.1.1 dev ra1
        fi
        ;;
    stop)
        # Take the NIC out of use by dropping its address
        if test $intf = ra0
        then
            sudo ifconfig ra0 0.0.0.0
        elif test $intf = ra1
        then
            sudo ifconfig ra1 0.0.0.0
        fi
        ;;
    usage)
        echo Wrong parameters
        echo "Usage: $0 [clear/start/switch/stop] [ra0/ra1]"
        ;;
esac

# Show routing setup (set show_rules=1 above to enable it)
if test $show_rules -eq 1
then
    sudo ip rule show
    sudo ip route show table 1
    sudo ip route show table 2
    sudo iptables -t mangle --list
    sudo iptables -t nat --list
fi
exit
----------------------------------------------------------------
-----------------------MARK-------------------------------------
----------------------------------------------------------------
#!/bin/sh
# Make ra0 or ra1 the 'active' WiFi NIC with policy routing.  Outgoing
# traffic to tcp/8554 is tagged in mangle/OUTPUT, the replies from the
# server (147.83.47.178) are tagged in mangle/PREROUTING, and an ip rule
# keyed on the firewall mark sends tagged packets to the per-interface
# table (table 1 = ra0, table 2 = ra1).
task=usage
intf=0
show_rules=0

# Check for arguments: "clear" takes none, the other tasks need ra0 or ra1
case "$1" in
    clear)
        test $# -eq 1 && task=clear
        ;;
    start|switch|stop)
        if test $# -eq 2 && { test "$2" = ra0 || test "$2" = ra1; }
        then
            task=$1
            intf=$2
        fi
        ;;
esac

case $task in
    clear)
        sudo ip route flush table 1
        sudo ip route flush table 2
        sudo ip rule del prio 1    # twice: both policy rules live at prio 1
        sudo ip rule del prio 1
        sudo iptables -t mangle -F OUTPUT
        sudo iptables -t mangle -F PREROUTING
        sudo iptables -t nat -F POSTROUTING
        ;;
    start)
        # Same clean-up as "clear", then install the rules for one NIC
        sudo ip route flush table 1
        sudo ip route flush table 2
        sudo ip rule del prio 1
        sudo ip rule del prio 1
        sudo iptables -t mangle -F OUTPUT
        sudo iptables -t mangle -F PREROUTING
        sudo iptables -t nat -F POSTROUTING
        sudo ip rule add from all fwmark 1 table 1 prio 1
        sudo ip rule add from all fwmark 2 table 2 prio 1
        if test $intf = ra0
        then
            sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
            sudo iwconfig ra0 essid mobiptv1
            sudo ifconfig ra1 up
            sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
            sudo iptables -t mangle -A OUTPUT -p tcp --dport 8554 -j MARK --set-mark 1
            sudo iptables -t mangle -A PREROUTING -s 147.83.47.178 -j MARK --set-mark 1
            sudo ip route add default via 192.168.0.1 dev ra0
            sudo ip route add table 1 192.168.0.0/24 dev ra0
            sudo ip route add table 1 default via 192.168.0.1 dev ra0
        elif test $intf = ra1
        then
            sudo ifconfig ra0 up
            sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
            sudo iwconfig ra1 essid mobiptv2
            sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
            sudo iptables -t mangle -A OUTPUT -p tcp --dport 8554 -j MARK --set-mark 2
            sudo iptables -t mangle -A PREROUTING -s 147.83.47.178 -j MARK --set-mark 2
            sudo ip route add default via 192.168.1.1 dev ra1
            sudo ip route add table 2 192.168.1.0/24 dev ra1
            sudo ip route add table 2 default via 192.168.1.1 dev ra1
        fi
        ;;
    switch)
        # Replace rule 1 of each chain (-R ... 1) instead of appending, so the
        # rules installed by "start" are retargeted at the other NIC
        if test $intf = ra0
        then
            sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
            sudo iwconfig ra0 essid mobiptv1
            sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
            sudo iptables -t mangle -R OUTPUT 1 -p tcp --dport 8554 -j MARK --set-mark 1
            sudo iptables -t mangle -R PREROUTING 1 -s 147.83.47.178 -j MARK --set-mark 1
            sudo ip route add default via 192.168.0.1 dev ra0
            sudo ip route add table 1 192.168.0.0/24 dev ra0
            sudo ip route add table 1 default via 192.168.0.1 dev ra0
        elif test $intf = ra1
        then
            sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
            sudo iwconfig ra1 essid mobiptv2
            sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
            sudo iptables -t mangle -R OUTPUT 1 -p tcp --dport 8554 -j MARK --set-mark 2
            sudo iptables -t mangle -R PREROUTING 1 -s 147.83.47.178 -j MARK --set-mark 2
            sudo ip route add default via 192.168.1.1 dev ra1
            sudo ip route add table 2 192.168.1.0/24 dev ra1
            sudo ip route add table 2 default via 192.168.1.1 dev ra1
        fi
        ;;
    stop)
        # Take the NIC out of use by dropping its address
        if test $intf = ra0
        then
            sudo ifconfig ra0 0.0.0.0
        elif test $intf = ra1
        then
            sudo ifconfig ra1 0.0.0.0
        fi
        ;;
    usage)
        echo Wrong parameters
        echo "Usage: $0 [clear/start/switch/stop] [ra0/ra1]"
        ;;
esac

# Show routing setup (set show_rules=1 above to enable it)
if test $show_rules -eq 1
then
    sudo ip rule show
    sudo ip route show table 1
    sudo ip route show table 2
    sudo iptables -t mangle --list
    sudo iptables -t nat --list
fi
exit
As said before, the configuration is all the same except for the use of the
MARK or the TOS target, and the former seems to fail only with the incoming
traffic (the packets received from port 8554 are never received by the
local process), while the latter works properly.
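The ip rule and ip route commands in both scripts configure the kernel's policy-routing lookup, and the symptom described in the report (replies tagged in PREROUTING never reaching the local process) is exactly what a policy table that carries no local routes produces whenever it is consulted ahead of the kernel's own local table. The Python model below is an added example, not code from the bug report or from netfilter/iproute2: it replays the documented lookup (rules walked in ascending priority, the local table at priority 0, fwmark and tos selectors, longest-prefix match inside a table, fall-through to the next rule when a table has no route) over the tables the MARK script installs for `start ra0`, and goes one step beyond the report by also running a deliberately mis-ordered rule set. The local and main table entries, the server reply packet, and that mis-ordered rule set (a fwmark rule placed ahead of the local rule) are assumptions made for the example; the report does not say this is what happened on the reporter's machine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPTOS_TOS_MASK = 0x1E  # RT_TOS(): applied to the header TOS before an "ip rule tos" compare


@dataclass
class Route:
    prefix: str                  # destination prefix, "0.0.0.0/0" = default
    dev: str
    via: Optional[str] = None    # next hop; None = directly connected
    local: bool = False          # RTN_LOCAL: deliver to a local socket


@dataclass
class Rule:
    prio: int
    table: str
    fwmark: Optional[int] = None  # "fwmark N" selector, compared with skb->mark
    tos: Optional[int] = None     # "tos N" selector


@dataclass
class Packet:
    dst: str
    src: str
    mark: int = 0
    tos: int = 0


def lookup_table(table, dst):
    """Longest-prefix match inside one table; None if it holds no route."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def route(rules, tables, pkt):
    """Walk the rules in ascending priority: the first table that holds a route
    for pkt.dst decides; a table without one falls through to the next rule."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.fwmark is not None and pkt.mark != rule.fwmark:
            continue
        if rule.tos is not None and (pkt.tos & IPTOS_TOS_MASK) != rule.tos:
            continue
        hit = lookup_table(tables[rule.table], pkt.dst)
        if hit is None:
            continue
        if hit.local:
            return "local"
        return f"via {hit.via} dev {hit.dev}" if hit.via else f"dev {hit.dev}"
    return "unreachable"


SERVER = "147.83.47.178"

# Tables after "start ra0" of the MARK script: 1 and 2 are exactly what it adds
# (2 is flushed, so empty); "local" and "main" are what the kernel creates for
# 192.168.0.2/24 on ra0 (assumed here, the report does not list them).
TABLES = {
    "local": [Route("192.168.0.2/32", "ra0", local=True),
              Route("127.0.0.0/8", "lo", local=True)],
    "1": [Route("192.168.0.0/24", "ra0"),
          Route("0.0.0.0/0", "ra0", via="192.168.0.1")],
    "2": [],
    "main": [Route("192.168.0.0/24", "ra0"),
             Route("0.0.0.0/0", "ra0", via="192.168.0.1")],
}
# "ip rule show" after the script: the kernel's rules at 0 and 32766 plus the
# two fwmark rules added at prio 1.
RULES_AS_INSTALLED = [Rule(0, "local"), Rule(1, "1", fwmark=1),
                      Rule(1, "2", fwmark=2), Rule(32766, "main")]
# Hypothetical misconfiguration, not the reporter's: a policy rule ahead of the
# local rule, for a table that carries no local routes.
RULES_SHADOWING_LOCAL = [Rule(0, "1", fwmark=1), Rule(1, "local"),
                         Rule(32766, "main")]
# The TOS script's rules, keyed on the byte the TOS target wrote.
RULES_TOS = [Rule(0, "local"), Rule(1, "1", tos=0x10),
             Rule(1, "2", tos=0x04), Rule(32766, "main")]


def outgoing_rtsp(rules, mark=0, tos=0):
    """The SYN to tcp/8554 as tagged by mangle/OUTPUT."""
    return route(rules, TABLES, Packet(SERVER, "192.168.0.2", mark, tos))


def reply_from_server(rules, mark=0, tos=0):
    """The server's reply to 192.168.0.2 as tagged by mangle/PREROUTING."""
    return route(rules, TABLES, Packet("192.168.0.2", SERVER, mark, tos))


if __name__ == "__main__":
    print("outgoing, mark 1:", outgoing_rtsp(RULES_AS_INSTALLED, mark=1))
    print("outgoing, mark 2:", outgoing_rtsp(RULES_AS_INSTALLED, mark=2))
    print("reply, mark 1   :", reply_from_server(RULES_AS_INSTALLED, mark=1))
    print("reply, shadowed :", reply_from_server(RULES_SHADOWING_LOCAL, mark=1))
    print("reply, tos 0x10 :", reply_from_server(RULES_TOS, tos=0x10))
```

Two things the model makes visible that are worth checking on the real box before blaming the MARK target. First, with the rules as the script installs them the tagged reply is delivered locally because rule 0 (`from all lookup local`) wins before any fwmark rule is consulted; in the shadowed variant the same reply matches `192.168.0.0/24 dev ra0` in table 1 and is sent back out the NIC instead of to the socket, which is the reported symptom. So `ip rule show` must list `0: from all lookup local` ahead of the fwmark rules, and on current iproute2 `ip route get 192.168.0.2 from 147.83.47.178 iif ra0 mark 1` prints the decision the kernel actually takes for the tagged reply (expect `local`). Second, a mark whose table is empty (mark 2 right after `start ra0`) does not fail; it silently falls through to main, so a wrong mark value is easy to miss.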