bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-06 15:19 UTC
[Bug 747] New: IPtables marked packets not being inspected in NAT table.
http://bugzilla.netfilter.org/show_bug.cgi?id=747
Summary: IPtables marked packets not being inspected in NAT table.
Product: iptables
Version: CVS (please indicate timestamp)
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P3
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: relay at ericavijay.net
Estimated Hours: 0.0
Here is the description of the issue that I was able to reproduce.
A bandwidth-based router was set up to push data, based on bandwidth, to various
daemons on the same machine. The modules used are "limit", "mark" and "redirect".
The logic in the mangle table is to mark packets at 100 pkts per second with
mark "02" and the next 100 pkts per second with mark "03";
the logic in the NAT table is to REDIRECT these packets to ports 515, 516 and so on
respectively.
Here is what my iptables looks like:
# Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011
*raw
:PREROUTING ACCEPT [376977:223804194]
:OUTPUT ACCEPT [2336:364875]
COMMIT
# Completed on Tue Sep 6 11:15:41 2011
# Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011
*filter
:INPUT ACCEPT [243453:140022777]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6891:2265445]
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p udp -m udp --dport 515 -j ACCEPT
-A INPUT -p udp -m udp --dport 516 -j ACCEPT
-A INPUT -p udp -m udp --dport 517 -j ACCEPT
-A INPUT -p udp -m udp --dport 518 -j ACCEPT
COMMIT
# Completed on Tue Sep 6 11:15:41 2011
# Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011
*nat
:PREROUTING ACCEPT [2501:337926]
:POSTROUTING ACCEPT [687:46247]
:OUTPUT ACCEPT [687:46247]
-A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x2 -j REDIRECT --to-ports 515
-A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x3 -j REDIRECT --to-ports 516
-A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x4 -j REDIRECT --to-ports 517
COMMIT
# Completed on Tue Sep 6 11:15:41 2011
# Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011
*mangle
:PREROUTING ACCEPT [702123:418010059]
:INPUT ACCEPT [702012:417948640]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5748:2083267]
:POSTROUTING ACCEPT [5759:2084048]
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 200/sec -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 200/sec -j RETURN
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 303/sec -j MARK --set-xmark 0x3/0xffffffff
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 303/sec -j RETURN
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 400/sec -j MARK --set-xmark 0x4/0xffffffff
-A PREROUTING -p udp -m udp --dport 514 -m limit --limit 400/sec -j RETURN
-A PREROUTING -p udp -m udp --dport 514 -j LOG --log-prefix "Feed_Me_More: "
COMMIT
# Completed on Tue Sep 6 11:15:41 2011
When I push events that exceed the first 100 pkts/sec count, the marking happens
properly but the "NAT" table does not read the marked packets properly. Here
are the packet counts to show this behavior.
root at europeanroller:~# iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 2052 packets, 1205K bytes)
 pkts bytes target prot opt in out source destination
  437  264K MARK   udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 200/sec burst 5 MARK xset 0x2/0xffffffff
  437  264K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 200/sec burst 5
  657  397K MARK   udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 303/sec burst 5 MARK xset 0x3/0xffffffff
  657  397K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 303/sec burst 5
  853  516K MARK   udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 400/sec burst 5 MARK xset 0x4/0xffffffff
  853  516K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 400/sec burst 5
   39 23583 LOG    udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 LOG flags 0 level 4 prefix `Feed_Me_More: '
root at europeanroller:~# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    1    28 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 mark match 0x2 redir ports 515
    0     0 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 mark match 0x3 redir ports 516
    0     0 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 mark match 0x4 redir ports 517
Please let me know if this bug can be tested and fixed.
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-08 14:44 UTC
[Bug 747] IPtables marked packets not being inspected in NAT table.
http://bugzilla.netfilter.org/show_bug.cgi?id=747
Jan Engelhardt <jengelh at medozas.de> changed:
What          |Removed                                |Added
----------------------------------------------------------------------------
CC            |                                       |jengelh at medozas.de
AssignedTo    |netfilter-buglog at lists.netfilter.org |jengelh at medozas.de
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-08 14:46 UTC
[Bug 747] IPtables marked packets not being inspected in NAT table.
http://bugzilla.netfilter.org/show_bug.cgi?id=747
Jan Engelhardt <jengelh at medozas.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #1 from Jan Engelhardt <jengelh at medozas.de> 2011-09-08 16:46:30 ---
I hope that you are aware that the NAT table is merely a configuration database
that is not called for each packet, but only for the ones that initiate new NFCT
connections.
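The two counter readouts in the report and Jan's explanation are two views of the same mechanism: the mangle chain runs for every datagram, so the MARK counters climb into the hundreds, while the nat chain runs only for the packet that creates a conntrack entry, and the REDIRECT binding it picks is then stored on that entry and reused for the rest of the flow. A syslog client that sends from one fixed source port is a single UDP flow, so the nat table sees exactly one packet (the `1 28 REDIRECT` line) and every later datagram keeps going to port 515 whatever mark it carries. The Python model below is an added illustration written for this page; it is not netfilter, iptables or the reporter's code. It encodes the ruleset from the report and the three facts above, approximates `xt_limit` as a token bucket (rate per second, burst 5), assumes the UDP conntrack entry does not time out inside the simulated second, and uses constructed client and collector addresses and source ports. It also runs the contrasting case the thread only implies: one fresh flow per datagram, where every packet is NEW and the nat counters do follow the marks.

```python
"""Model of the counters in bug 747: marks change per packet, NAT does not.

Constructed model for this page, not netfilter code. It encodes three facts:
  1. mangle PREROUTING is traversed by every packet;
  2. nat PREROUTING is traversed only by the packet that creates a conntrack
     (NFCT) entry, i.e. the first packet of a flow;
  3. the NAT binding chosen then is stored on the conntrack entry and applied
     to every later packet of the flow, regardless of that packet's mark.
Assumptions: xt_limit approximated as a token bucket (rate/sec, burst 5); the
UDP conntrack entry does not time out in the window simulated; all addresses
and source ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str = "198.51.100.1"   # constructed collector address
    dport: int = 514
    proto: str = "udp"

    def flow_key(self) -> FlowKey:
        # The conntrack tuple: one NFCT entry per (proto, src, sport, dst, dport).
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Limit:
    """Approximation of xt_limit: 'burst' tokens, refilled at 'rate' per second."""

    def __init__(self, rate: float, burst: int = 5) -> None:
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def match(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Router:
    """The mangle/nat PREROUTING rules from the report plus a conntrack table."""

    def __init__(self) -> None:
        # mangle PREROUTING: a MARK rule then a RETURN rule per tier, each rule
        # with its own independent limit bucket, as iptables-save listed them.
        self.mangle: List[Tuple[str, Limit, int]] = []
        for rate, mark in ((200, 0x2), (303, 0x3), (400, 0x4)):
            self.mangle.append(("MARK", Limit(rate), mark))
            self.mangle.append(("RETURN", Limit(rate), 0))
        # nat PREROUTING: -m mark --mark X -j REDIRECT --to-ports P, with counters.
        self.nat: Dict[int, int] = {0x2: 515, 0x3: 516, 0x4: 517}
        self.nat_hits: Dict[int, int] = {m: 0 for m in self.nat}
        self.mark_hits: Dict[int, int] = {m: 0 for m in self.nat}
        self.log_hits = 0                        # packets reaching the final LOG rule
        self.conntrack: Dict[FlowKey, int] = {}  # flow -> destination port after NAT

    def mangle_prerouting(self, now: float) -> int:
        """Every packet traverses this chain; returns the mark it leaves with."""
        mark = 0
        for target, limit, value in self.mangle:
            if not limit.match(now):
                continue
            if target == "MARK":
                mark = value            # MARK is non-terminating, keep going
            else:
                return mark             # RETURN ends the chain traversal
        self.log_hits += 1              # fell through to the LOG rule
        return mark

    def nat_prerouting(self, mark: int) -> int:
        """Consulted once per flow, for the packet that creates the conntrack entry."""
        if mark in self.nat:
            self.nat_hits[mark] += 1
            return self.nat[mark]
        return 514                      # no rule matched: port unchanged

    def receive(self, pkt: Packet, now: float) -> int:
        mark = self.mangle_prerouting(now)
        if mark:
            self.mark_hits[mark] += 1
        key = pkt.flow_key()
        if key not in self.conntrack:   # ctstate NEW: the only time nat runs
            self.conntrack[key] = self.nat_prerouting(mark)
        # Established packets reuse the binding on the conntrack entry; the
        # mark they carry now is never looked at by the nat table.
        return self.conntrack[key]


def simulate(packets_per_sec: int, seconds: float, single_flow: bool) -> dict:
    """Send syslog datagrams and return the counters the bug report shows.

    single_flow=True  models one client with a fixed source port, so every
                      datagram belongs to the same conntrack entry;
    single_flow=False gives each datagram a fresh source port, so every packet
                      is NEW and the nat table is consulted for each one.
    """
    router = Router()
    delivered: Dict[int, int] = {}
    total = int(packets_per_sec * seconds)
    for i in range(total):
        sport = 40000 if single_flow else 40000 + i   # constructed source ports
        port = router.receive(Packet("192.0.2.10", sport), i / packets_per_sec)
        delivered[port] = delivered.get(port, 0) + 1
    return {
        "flows": len(router.conntrack),
        "mark_hits": router.mark_hits,   # what 'iptables -t mangle -nvL' counts
        "nat_hits": router.nat_hits,     # what 'iptables -t nat -nvL' counts
        "log_hits": router.log_hits,
        "delivered": delivered,          # datagrams per destination port
    }


if __name__ == "__main__":
    for single in (True, False):
        print("single flow:" if single else "one flow per packet:",
              simulate(1000, 1.0, single_flow=single))
```

With one flow at 1000 datagrams per second the model reproduces the report's pattern: all three mark counters are non-zero, the nat counters read 1/0/0, and every datagram lands on port 515. With a fresh flow per datagram the nat counters track the marks and the traffic is split across 515, 516 and 517, which is the behaviour the ruleset was written for but which UDP conntrack prevents for a long-lived flow.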