lartc@manchotnetworks.net
2003-Jul-09 11:38 UTC
marking in OUTPUT --mangle; locally generated packets and route lookup - broken?
hello all,

i have come across a curious issue:

+----------------------+            +---------------+
| eth1   192.168.1.1   |------------| 192.168.1.250 |
| eth1:1 192.168.1.101 |            |               |
+----------------------+            +---------------+

iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
ip rule add fwmark 0x2 table 2
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.101 table 2
ip route flush cache

telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.1

ip rule add to 192.168.1.250 table 2
ip route flush cache

telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.101

are there issues concerning the marking of OUTPUT packets generated on the local box that i should be aware of?

many, many thanks

charles

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Patrick McHardy
2003-Jul-13 21:43 UTC
Re: marking in OUTPUT --mangle; locally generated packets and route lookup - broken?
I tested your setup and it works fine (with 2.5 though). Are you sure you have CONFIG_IP_ROUTE_FWMARK enabled for your running kernel? ip rule won't give errors if not ..

Bye
Patrick

lartc@manchotnetworks.net wrote:
> hello all,
>
> i have come across a curious issue:
>
> +----------------------+            +---------------+
> | eth1   192.168.1.1   |------------| 192.168.1.250 |
> | eth1:1 192.168.1.101 |            |               |
> +----------------------+            +---------------+
>
> iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
> ip rule add fwmark 0x2 table 2
> ip route add 192.168.1.0/24 dev eth1 src 192.168.1.101 table 2
> ip route flush cache
>
> telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.1
>
> ip rule add to 192.168.1.250 table 2
> ip route flush cache
>
> telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.101
>
> are there issues concerning the marking of OUTPUT packets generated on
> the local box that i should be aware of?
>
> many, many thanks
>
> charles
lartc@manchotnetworks.net
2003-Jul-15 07:59 UTC
Re: marking in OUTPUT --mangle; locally generated packets and route lookup - broken?
Hi Patrick,

Sincere thanks for your time & help!

> i assume you mean CONFIG_IP_ROUTE_FWMARK and not
> CONFIG_IP_NF_TARGET_MARK.

Yup -- sorry!

> i would start with putting some printks in ipt_local_hook
> (net/ipv4/netfilter/iptable_mangle.c) before the call to ip_route_me_harder
> and in ip_route_me_harder (net/core/netfilter.c) itself.

Trying this today ...

Kindest Regards
Charles Shick
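An added example for this thread, not Charles's or Patrick's own commands: a small POSIX shell script that applies the setup from Charles's first message, answers Patrick's CONFIG_IP_ROUTE_FWMARK question from a kernel config file, and then asks the kernel with `ip route get` which route and source it would pick for the peer with and without the mark, so the two lookups can be compared without telnet and tcpdump. The interface, addresses, mark and table number come from the thread; the config-file path and the `mark` argument to `ip route get` (an iproute2 feature newer than the thread) are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not Charles's or Patrick's own commands).
# Applies the fwmark policy routing from the first message and checks what
# the kernel would do with it. Addresses, mark and table come from the thread;
# the config-file path and the use of `ip route get ... mark` (a later iproute2
# feature) are assumptions.

IFACE=eth1
ALIAS_SRC=192.168.1.101
PEER=192.168.1.250
MARK=0x2
TABLE=2

# Patrick's question: is CONFIG_IP_ROUTE_FWMARK set in the running kernel?
# $1 is a kernel config file, e.g. /boot/config-$(uname -r) or a
# decompressed /proc/config.gz. Returns 0 when the option is set.
# (Kernels newer than the thread dropped this symbol and accept fwmark
# rules whenever CONFIG_IP_MULTIPLE_TABLES is set; there the check is moot.)
fwmark_config_enabled() {
    grep -q '^CONFIG_IP_ROUTE_FWMARK=y$' "$1"
}

# Pull the chosen source address out of one line of `ip route get` output,
# e.g. "192.168.1.250 dev eth1 src 192.168.1.101 mark 0x2 cache".
# Prints nothing if the line carries no "src" token.
route_get_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# The setup from Charles's message, unchanged apart from the variables.
# Needs root. Marking every locally generated packet is what the thread did;
# a narrower match (for example --destination) is the usual production choice.
apply_policy_routing() {
    iptables --table mangle --append OUTPUT --jump MARK --set-mark "$MARK"
    ip rule add fwmark "$MARK" table "$TABLE"
    ip route add 192.168.1.0/24 dev "$IFACE" src "$ALIAS_SRC" table "$TABLE"
    ip route flush cache
}

# Compare the unmarked and marked route lookups for $PEER. This queries the
# routing tables directly and never passes through the mangle chain, so it
# shows what the fwmark rule selects, not whether iptables set the mark.
# Returns 0 when the marked lookup picks the alias address.
verify_policy_routing() {
    plain=$(ip route get "$PEER" | head -n 1)
    marked=$(ip route get "$PEER" mark "$MARK" | head -n 1)
    echo "unmarked lookup: $plain"
    echo "marked lookup:   $marked"
    [ "$(route_get_src "$marked")" = "$ALIAS_SRC" ]
}

case "${1:-}" in
    check-config) fwmark_config_enabled "$2" && echo "CONFIG_IP_ROUTE_FWMARK=y" || echo "CONFIG_IP_ROUTE_FWMARK not set" ;;
    apply)        apply_policy_routing ;;
    verify)       verify_policy_routing ;;
    *)            echo "usage: $0 check-config <kernel-config> | apply | verify" ;;
esac
```

Run `sh fwmark-check.sh check-config /boot/config-$(uname -r)` first, then `apply` and `verify` as root. Even when `verify` reports the alias address, tcpdump may still show 192.168.1.1 for a real telnet session, and that matches what Charles saw: for a locally generated packet the kernel chooses the source address at the socket's first route lookup, before the mangle OUTPUT hook runs, and the re-route after marking (ip_route_me_harder) is done with that source already filled in, so it can change the outgoing path but not the address. A `to 192.168.1.250` rule is consulted during that first lookup, which is why table 2's `src` took effect in the second try. If the source address is what matters, select it at the first lookup (a `to`/`from` rule, an explicit `src` on the main table route, or binding the socket) rather than through a mark set in OUTPUT.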