bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-01 13:58 UTC
[Bug 589] New: MARK doesn't work properly with incoming traffic
http://bugzilla.netfilter.org/show_bug.cgi?id=589
Summary: MARK doesn't work properly with incoming traffic
Product: iptables
Version: unspecified
Platform: i386
OS/Version: Ubuntu
Status: NEW
Severity: major
Priority: P1
Component: iptables
AssignedTo: laforge at netfilter.org
ReportedBy: javier.galvez.guerrero at gmail.com
I want to choose which network interface (between 2 WiFi NICs) is to be the
'active' one, so I'm trying to manage it with ip rules, ip routes
and iptables.
What I do is to mark outgoing packets so I can manage which routing table will
be selected. What I've noted is that I also need to manage the response to this
traffic (such as ACK packets), so I need to mark the incoming traffic according
to the outgoing rules (i.e. redirecting the traffic to the same route tables).
The results show that if I use the TOS target I can properly send and receive
traffic through the network I want, while using the MARK target (the one I'm
really interested in) only the outgoing traffic is correctly managed, so the
incoming packets are never received by the local process.
These are the scripts I use to change the ip route tables, ip rules and
iptables rules:
-----------------------------------------------------------------
------------------TOS--------------------------------------------
-----------------------------------------------------------------
#!/bin/sh
task=0
intf=0
show_rules=0
args=$#
# Check for arguments
if test $args -eq 0
then
task=usage
elif test $args -eq 1
then
if test $1 = clear
then
task=clear
else
task=usage
fi
elif test $args -eq 2
then
if test $1 = start
then
if test $args -eq 2
then
if test $2 = ra0
then
task=start
intf=ra0
elif test $2 = ra1
then
task=start
intf=ra1
else
task=usage
fi
else
task=usage
fi
elif test $1 = switch
then
if test $args -eq 2
then
if test $2 = ra0
then
task=switch
intf=ra0
elif test $2 = ra1
then
task=switch
intf=ra1
else
task=usage
fi
else
task=usage
fi
elif test $1 = stop
then
if test $args -eq 2
then
if test $2 = ra0
then
task=stop
intf=ra0
elif test $2 = ra1
then
task=stop
intf=ra1
else
task=usage
fi
else
task=usage
fi
else
task=usage
fi
fi
if test $task = clear
then
sudo ip route flush table 1
sudo ip route flush table 2
sudo ip rule del prio 1
sudo ip rule del prio 1
sudo iptables -F OUTPUT -t mangle
sudo iptables -F PREROUTING -t mangle
sudo iptables -F POSTROUTING -t nat
elif test $task = start
then
sudo ip route flush table 1
sudo ip route flush table 2
sudo ip rule del prio 1
sudo ip rule del prio 1
sudo iptables -F OUTPUT -t mangle
sudo iptables -F POSTROUTING -t nat
sudo ip rule add from all tos 0x10 table 1 prio 1
sudo ip rule add from all tos 0x04 table 2 prio 1
if test $intf = ra0
then
sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
sudo iwconfig ra0 essid mobiptv1
sudo ifconfig ra1 up
sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
sudo iptables -A OUTPUT -t mangle -p tcp --dport 8554 -j TOS --set-tos 0x10
sudo iptables -A PREROUTING -t mangle -s 147.83.47.178 -j TOS --set-tos 0x10
sudo ip route add default via 192.168.0.1 dev ra0
sudo ip route add table 1 192.168.0.0/24 dev ra0
sudo ip route add table 1 default via 192.168.0.1 dev ra0
elif test $intf = ra1
then
sudo ifconfig ra0 up
sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
sudo iwconfig ra1 essid mobiptv2
sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
sudo iptables -A OUTPUT -t mangle -p tcp --dport 8554 -j TOS --set-tos 0x04
sudo iptables -A PREROUTING -t mangle -s 147.83.47.178 -j TOS --set-tos 0x04
sudo ip route add default via 192.168.1.1 dev ra1
sudo ip route add table 2 192.168.1.0/24 dev ra1
sudo ip route add table 2 default via 192.168.1.1 dev ra1
fi
elif test $task = switch
then
if test $intf = ra0
then
sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
sudo iwconfig ra0 essid mobiptv1
sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
sudo iptables -R OUTPUT 1 -t mangle -p tcp --dport 8554 -j TOS --set-tos 0x10
sudo iptables -R PREROUTING 1 -t mangle -s 147.83.47.178 -j TOS --set-tos 0x10
sudo ip route add default via 192.168.0.1 dev ra0
sudo ip route add table 1 192.168.0.0/24 dev ra0
sudo ip route add table 1 default via 192.168.0.1 dev ra0
elif test $intf = ra1
then
sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
sudo iwconfig ra1 essid mobiptv2
sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
sudo iptables -R OUTPUT 1 -t mangle -p tcp --dport 8554 -j TOS --set-tos 0x04
sudo iptables -R PREROUTING 1 -t mangle -s 147.83.47.178 -j TOS --set-tos 0x04
sudo ip route add default via 192.168.1.1 dev ra1
sudo ip route add table 2 192.168.1.0/24 dev ra1
sudo ip route add table 2 default via 192.168.1.1 dev ra1
fi
elif test $task = stop
then
if test $intf = ra0
then
sudo ifconfig ra0 0.0.0.0
elif test $intf = ra1
then
sudo ifconfig ra1 0.0.0.0
fi
elif test $task = usage
then
echo Wrong parameters
echo Usage: $0 [clear/start/switch/stop] [ra0/ra1]
fi
exit
# Show routing setup
if test $show_rules -eq 1
then
sudo ip rule show
sudo ip route show table 1
sudo ip route show table 2
sudo iptables --list -t mangle
sudo iptables --list -t nat
fi
----------------------------------------------------------------
-----------------------MARK-------------------------------------
----------------------------------------------------------------
#!/bin/sh
task=0
intf=0
show_rules=0
args=$#
# Check for arguments
if test $args -eq 0
then
task=usage
elif test $args -eq 1
then
if test $1 = clear
then
task=clear
else
task=usage
fi
elif test $args -eq 2
then
if test $1 = start
then
if test $args -eq 2
then
if test $2 = ra0
then
task=start
intf=ra0
elif test $2 = ra1
then
task=start
intf=ra1
else
task=usage
fi
else
task=usage
fi
elif test $1 = switch
then
if test $args -eq 2
then
if test $2 = ra0
then
task=switch
intf=ra0
elif test $2 = ra1
then
task=switch
intf=ra1
else
task=usage
fi
else
task=usage
fi
elif test $1 = stop
then
if test $args -eq 2
then
if test $2 = ra0
then
task=stop
intf=ra0
elif test $2 = ra1
then
task=stop
intf=ra1
else
task=usage
fi
else
task=usage
fi
else
task=usage
fi
fi
if test $task = clear
then
sudo ip route flush table 1
sudo ip route flush table 2
sudo ip rule del prio 1
sudo ip rule del prio 1
sudo iptables -F OUTPUT -t mangle
sudo iptables -F PREROUTING -t mangle
sudo iptables -F POSTROUTING -t nat
elif test $task = start
then
sudo ip route flush table 1
sudo ip route flush table 2
sudo ip rule del prio 1
sudo ip rule del prio 1
sudo iptables -F OUTPUT -t mangle
sudo iptables -F POSTROUTING -t nat
sudo ip rule add from all fwmark 1 table 1 prio 1
sudo ip rule add from all fwmark 2 table 2 prio 1
if test $intf = ra0
then
sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
sudo iwconfig ra0 essid mobiptv1
sudo ifconfig ra1 up
sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
sudo iptables -A OUTPUT -t mangle -p tcp --dport 8554 -j MARK --set-mark 1
sudo iptables -A PREROUTING -t mangle -s 147.83.47.178 -j MARK --set-mark 1
sudo ip route add default via 192.168.0.1 dev ra0
sudo ip route add table 1 192.168.0.0/24 dev ra0
sudo ip route add table 1 default via 192.168.0.1 dev ra0
elif test $intf = ra1
then
sudo ifconfig ra0 up
sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
sudo iwconfig ra1 essid mobiptv2
sudo iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
sudo iptables -A OUTPUT -t mangle -p tcp --dport 8554 -j MARK --set-mark 2
sudo iptables -A PREROUTING -t mangle -s 147.83.47.178 -j MARK --set-mark 2
sudo ip route add default via 192.168.1.1 dev ra1
sudo ip route add table 2 192.168.1.0/24 dev ra1
sudo ip route add table 2 default via 192.168.1.1 dev ra1
fi
elif test $task = switch
then
if test $intf = ra0
then
sudo ifconfig ra0 up 192.168.0.2/24 netmask 255.255.255.0
sudo iwconfig ra0 essid mobiptv1
sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
sudo iptables -R OUTPUT 1 -t mangle -p tcp --dport 8554 -j MARK --set-mark 1
sudo iptables -R PREROUTING 1 -t mangle -s 147.83.47.178 -j MARK --set-mark 1
sudo ip route add default via 192.168.0.1 dev ra0
sudo ip route add table 1 192.168.0.0/24 dev ra0
sudo ip route add table 1 default via 192.168.0.1 dev ra0
elif test $intf = ra1
then
sudo ifconfig ra1 up 192.168.1.2/24 netmask 255.255.255.0
sudo iwconfig ra1 essid mobiptv2
sudo iptables -t nat -R POSTROUTING 1 -p tcp --dport 8554 -j SNAT --to-source 192.168.1.2
sudo iptables -R OUTPUT 1 -t mangle -p tcp --dport 8554 -j MARK --set-mark 2
sudo iptables -R PREROUTING 1 -t mangle -s 147.83.47.178 -j MARK --set-mark 2
sudo ip route add default via 192.168.1.1 dev ra1
sudo ip route add table 2 192.168.1.0/24 dev ra1
sudo ip route add table 2 default via 192.168.1.1 dev ra1
fi
elif test $task = stop
then
if test $intf = ra0
then
sudo ifconfig ra0 0.0.0.0
elif test $intf = ra1
then
sudo ifconfig ra1 0.0.0.0
fi
elif test $task = usage
then
echo Wrong parameters
echo Usage: $0 [clear/start/switch/stop] [ra0/ra1]
fi
exit
# Show routing setup
if test $show_rules -eq 1
then
sudo ip rule show
sudo ip route show table 1
sudo ip route show table 2
sudo iptables --list -t mangle
sudo iptables --list -t nat
fi
As said before, the configuration is all the same except for the use of the
MARK or the TOS targets, and the first seems to fail only with the incoming
traffic (the packets received from the port 8554 are never received in the
local process), while the second works properly.
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-01 14:00 UTC
[Bug 589] MARK doesn't work properly with incoming traffic
http://bugzilla.netfilter.org/show_bug.cgi?id=589
------- Comment #1 from javier.galvez.guerrero at gmail.com 2009-04-01 16:00 -------
Created an attachment (id=297)
--> (http://bugzilla.netfilter.org/attachment.cgi?id=297&action=view)
Routing setup with TOS
bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-01 14:00 UTC
[Bug 589] MARK doesn't work properly with incoming traffic
http://bugzilla.netfilter.org/show_bug.cgi?id=589
------- Comment #2 from javier.galvez.guerrero at gmail.com 2009-04-01 16:00 -------
Created an attachment (id=298)
--> (http://bugzilla.netfilter.org/attachment.cgi?id=298&action=view)
Routing setup with MARK
bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-01 14:01 UTC
[Bug 589] MARK doesn't work properly with incoming traffic
http://bugzilla.netfilter.org/show_bug.cgi?id=589
------- Comment #3 from javier.galvez.guerrero at gmail.com 2009-04-01 16:01 -------
BTW, I'm using the 1.4.0 built-in iptables version of Ubuntu 8.10.
bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-05 11:48 UTC
[Bug 589] MARK doesn't work properly with incoming traffic
http://bugzilla.netfilter.org/show_bug.cgi?id=589
------- Comment #4 from jengelh at medozas.de 2009-04-05 13:48 -------
There are lots of pitfalls in your script, some of them are shell
script-related, others use-based, e.g. the SNAT rule is run rather
unconditionally without an interface, and such use is prone to stuck
connections.

(How many more invocations of sudo do you need, eh?)
bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-05 20:50 UTC
[Bug 589] MARK doesn't work properly with incoming traffic
http://bugzilla.netfilter.org/show_bug.cgi?id=589
------- Comment #5 from javier.galvez.guerrero at gmail.com 2009-04-05 22:50 -------
(In reply to comment #4)
> There are lots of pitfalls in your script, some of them are shell
> script-related, others use-based, e.g. the SNAT rule is run rather
> unconditionally without an interface, and such use is prone to stuck
> connections.
>
> (How many more invocations of sudo do you need, eh?)

So, do you think the SNAT issue is related to the bug? How would you use the
SNAT target in this case?
bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-09 13:59 UTC
[Bug 589] MARK doesn't work properly with incoming traffic
http://bugzilla.netfilter.org/show_bug.cgi?id=589
jengelh at medozas.de changed:
           What    |Removed                  |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org |jengelh at medozas.de
------- Comment #6 from jengelh at medozas.de 2009-04-09 15:59 -------
Ideally SNAT is used together with the -o option to limit it to a given
interface, otherwise you will be NATing all outgoing connections with the same
address. But since you are in two different networks this would mean that you
are using a mismatching address for at least one network.
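The following is an added example written for this page; it is not the reporter's script and not code from the netfilter project. It covers two points from the thread: the reporter's goal of binding a connection to one uplink and bringing its replies back through the same table, and comment #6's advice that SNAT should be restricted with -o to the interface the packet actually leaves through. The interface names, addresses, mark/table numbers and port 8554 are the report's own; the function names (uplink_rules, reply_rules, snat_needs_oif, count_unscoped_snat), the DRY_RUN switch and the CONNMARK save/restore lines are assumptions made for this example. CONNMARK is shown as the usual way to carry a connection's fwmark onto its reply packets instead of matching on the peer's source address; the thread does not say whether that resolves the reported behaviour. The check at the end runs over a constructed copy of the report's rules and over the rewritten set, so the difference is visible without touching the host.

```sh
#!/bin/sh
# Added example, not the reporter's script: per-uplink policy routing with
# SNAT scoped by -o (comment #6), plus a check for unscoped SNAT rules.
# Interface names, addresses, marks/tables and port 8554 come from the bug
# report; DRY_RUN, the function names and the CONNMARK lines are assumptions
# made for this example.

# DRY_RUN=1 (default) prints each command instead of running it, so the
# script needs neither root nor the two WiFi NICs to be present.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# uplink_rules IFACE MARK TABLE ADDR GW
# Bind locally generated TCP traffic to port 8554 to one uplink: mark it,
# send it through that uplink's routing table, and rewrite the source only
# for packets that really leave through that NIC.
uplink_rules() {
    iface=$1; mark=$2; table=$3; addr=$4; gw=$5

    # Without -o this rule would also catch packets leaving via the other NIC
    # and give them an address that network does not know (comment #6).
    run iptables -t nat -A POSTROUTING -o "$iface" -p tcp --dport 8554 \
        -j SNAT --to-source "$addr"

    # Mark the packet and store the mark on the connection (assumed CONNMARK
    # use: replies get the same mark back in reply_rules below).
    run iptables -t mangle -A OUTPUT -p tcp --dport 8554 -j MARK --set-mark "$mark"
    run iptables -t mangle -A OUTPUT -p tcp --dport 8554 -j CONNMARK --save-mark

    # Per-uplink table: the NIC's own /24 and its gateway, selected by fwmark.
    run ip rule add fwmark "$mark" table "$table" prio 1
    run ip route add table "$table" "${addr%.*}.0/24" dev "$iface"
    run ip route add table "$table" default via "$gw" dev "$iface"
}

# Restore a connection's saved mark onto its incoming packets before the
# routing decision, instead of matching on the remote peer's address.
reply_rules() {
    run iptables -t mangle -A PREROUTING -m connmark ! --mark 0 \
        -j CONNMARK --restore-mark
}

# snat_needs_oif RULE: succeed when RULE is a SNAT/MASQUERADE rule with no
# -o restriction, i.e. the pattern comment #6 warns about.
snat_needs_oif() {
    case "$1" in
        *"-j SNAT"*|*"-j MASQUERADE"*)
            case "$1" in
                *" -o "*) return 1 ;;
                *)        return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# count_unscoped_snat: count the rule lines on stdin that snat_needs_oif flags.
count_unscoped_snat() {
    n=0
    while IFS= read -r line; do
        if snat_needs_oif "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed copy of the ra0 rules as the report writes them (no -o).
REPORT_RULES='iptables -t nat -A POSTROUTING -p tcp --dport 8554 -j SNAT --to-source 192.168.0.2
iptables -A OUTPUT -t mangle -p tcp --dport 8554 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -s 147.83.47.178 -j MARK --set-mark 1'

echo "# unscoped SNAT rules in the report's set: $(printf '%s\n' "$REPORT_RULES" | count_unscoped_snat)"
echo "# unscoped SNAT rules in the rewritten set: $(uplink_rules ra0 1 1 192.168.0.2 192.168.0.1 | count_unscoped_snat)"
echo "# rewritten rule set for ra0:"
uplink_rules ra0 1 1 192.168.0.2 192.168.0.1
reply_rules
```

Run as-is it only prints the commands it would apply and the two counts (1 for the report's set, 0 for the rewritten one). To apply the rules, run it as root on a host that has ra0/ra1 with DRY_RUN=0, after clearing the tables and chains the way the report's clear task does; the second uplink is the same call with ra1, mark 2, table 2, 192.168.1.2 and 192.168.1.1.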