LARTC - Dec 2005 - Connmark question

I am trying to get IPP2P working on my router. Thus far I can see
connections being marked (see below), but they don''t seem to get saved
or something. When looking at /proc/net/ip_conntrack, nothing has
anything other than 0 for mark. The iptables commands for this are:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -m ipp2p --bit --dc --edk -j MARK
--set-mark 3
iptables -t mangle -A PREROUTING -m mark --mark 3 -j CONNMARK
--save-mark
iptables -t mangle -A POSTROUTING -o ppp0 -m mark --mark 3 -j CLASSIFY
--set-class 1:50

This is pretty much a copy of one of the examples from the ipp2p web
site. When doing a iptables -t mangle -L -n -v -x, I get the following:


Chain PREROUTING (policy ACCEPT 7179 packets, 1787132 bytes)
    pkts      bytes target     prot opt in     out    source
destination
     799   161475 CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           CONNMARK restore
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           MARK match !0x0
      28     4372 MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0           ipp2p v0.7.4 --edk --dc --bit MARK set 0x3
      28     4372 CONNMARK   all  --  *      *       0.0.0.0/0
0.0.0.0/0           MARK match 0x3 CONNMARK save

Chain INPUT (policy ACCEPT 3388 packets, 610487 bytes)
    pkts      bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 3789 packets, 1175165 bytes)
    pkts      bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 2911 packets, 684078 bytes)
    pkts      bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 6757 packets, 1866938 bytes)
    pkts      bytes target     prot opt in     out     source
destination
      15     1752 CLASSIFY   all  --  *      ppp0    0.0.0.0/0
0.0.0.0/0           MARK match 0x3 CLASSIFY set 1:50

So I can see the packets are getting marked, or at least I see them
being matched. Just don''t know why the connection doesn''t get
shaped.
Here''s the stats from tc.

class htb 1:50 parent 1:1 leaf 50: prio 5 rate 325000bit ceil 650000bit
burst 1639b cburst 1680b
 Sent 1752 bytes 15 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 15 borrowed: 0 giants: 0
 tokens: 38314 ctokens: 19674

I am using kernel 2.6.11-6 and ipp2p 7.4 with iptables 1.2.9

For the benefit of everyone, this is a kernel bug. There is info on it
here: http://qa.mandriva.com/show_bug.cgi?id=13845

On Mon, 2005-12-05 at 21:29 +0800, Michael Collard
wrote:
> I am trying to get IPP2P working on my router. Thus far I can see
> connections being marked (see below), but they don''t seem to get
saved
> or something. When looking at /proc/net/ip_conntrack, nothing has
> anything other than 0 for mark. The iptables commands for this are:
> 
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -m ipp2p --bit --dc --edk -j MARK
> --set-mark 3
> iptables -t mangle -A PREROUTING -m mark --mark 3 -j CONNMARK
> --save-mark
> iptables -t mangle -A POSTROUTING -o ppp0 -m mark --mark 3 -j CLASSIFY
> --set-class 1:50
> 
> This is pretty much a copy of one of the examples from the ipp2p web
> site. When doing a iptables -t mangle -L -n -v -x, I get the following:
> 
> 
> Chain PREROUTING (policy ACCEPT 7179 packets, 1787132 bytes)
>     pkts      bytes target     prot opt in     out    source
> destination
>      799   161475 CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           CONNMARK restore
>        0        0 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK match !0x0
>       28     4372 MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           ipp2p v0.7.4 --edk --dc --bit MARK set 0x3
>       28     4372 CONNMARK   all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           MARK match 0x3 CONNMARK save
> 
> Chain INPUT (policy ACCEPT 3388 packets, 610487 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
> 
> Chain FORWARD (policy ACCEPT 3789 packets, 1175165 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
> 
> Chain OUTPUT (policy ACCEPT 2911 packets, 684078 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
> 
> Chain POSTROUTING (policy ACCEPT 6757 packets, 1866938 bytes)
>     pkts      bytes target     prot opt in     out     source
> destination
>       15     1752 CLASSIFY   all  --  *      ppp0    0.0.0.0/0
> 0.0.0.0/0           MARK match 0x3 CLASSIFY set 1:50
> 
> So I can see the packets are getting marked, or at least I see them
> being matched. Just don''t know why the connection doesn''t
get shaped.
> Here''s the stats from tc.
> 
> class htb 1:50 parent 1:1 leaf 50: prio 5 rate 325000bit ceil 650000bit
> burst 1639b cburst 1680b
>  Sent 1752 bytes 15 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 15 borrowed: 0 giants: 0
>  tokens: 38314 ctokens: 19674
> 
> I am using kernel 2.6.11-6 and ipp2p 7.4 with iptables 1.2.9
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc