bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-06 15:19 UTC
[Bug 747] New: IPtables marked packets not being inpsected in NAT table.
http://bugzilla.netfilter.org/show_bug.cgi?id=747 Summary: IPtables marked packets not being inpsected in NAT table. Product: iptables Version: CVS (please indicate timestamp) Platform: All OS/Version: All Status: NEW Severity: major Priority: P3 Component: iptables AssignedTo: netfilter-buglog at lists.netfilter.org ReportedBy: relay at ericavijay.net Estimated Hours: 0.0 Here is the description of the issue, that I was able to reproduce. A bandwidth based router was setup to push data based on bandwidth to various daemons on the same machine. The modules used are "limit", "mark" and "redirect" The logic at the mangle tables is to mark packets at 100 pkt per second with mark "02" the next 100 pkts per second with mark "03" the logic at the NAT table to REDIRECT these packets to port 515, 516 and so on respectively. Here is what my iptables looks like # Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011 *raw :PREROUTING ACCEPT [376977:223804194] :OUTPUT ACCEPT [2336:364875] COMMIT # Completed on Tue Sep 6 11:15:41 2011 # Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011 *filter :INPUT ACCEPT [243453:140022777] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [6891:2265445] -A INPUT -p udp -m udp --dport 514 -j ACCEPT -A INPUT -p udp -m udp --dport 515 -j ACCEPT -A INPUT -p udp -m udp --dport 516 -j ACCEPT -A INPUT -p udp -m udp --dport 517 -j ACCEPT -A INPUT -p udp -m udp --dport 518 -j ACCEPT COMMIT # Completed on Tue Sep 6 11:15:41 2011 # Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011 *nat :PREROUTING ACCEPT [2501:337926] :POSTROUTING ACCEPT [687:46247] :OUTPUT ACCEPT [687:46247] -A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x2 -j REDIRECT --to-ports 515 -A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x3 -j REDIRECT --to-ports 516 -A PREROUTING -p udp -m udp --dport 514 -m mark --mark 0x4 -j REDIRECT --to-ports 517 COMMIT # Completed on Tue Sep 6 11:15:41 2011 # Generated by iptables-save v1.4.4 on Tue Sep 6 11:15:41 2011 *mangle :PREROUTING ACCEPT [702123:418010059] :INPUT ACCEPT [702012:417948640] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [5748:2083267] :POSTROUTING ACCEPT [5759:2084048] -A PREROUTING -p udp -m udp --dport 514 -m limit --limit 200/sec -j MARK --set-xmark 0x2/0xffffffff -A PREROUTING -p udp -m udp --dport 514 -m limit --limit 200/sec -j RETURN -A PREROUTING -p udp -m udp --dport 514 -m limit --limit 303/sec -j MARK --set-xmark 0x3/0xffffffff -A PREROUTING -p udp -m udp --dport 514 -m limit --limit 303/sec -j RETURN -A PREROUTING -p udp -m udp --dport 514 -m limit --limit 400/sec -j MARK --set-xmark 0x4/0xffffffff -A PREROUTING -p udp -m udp --dport 514 -m limit --limit 400/sec -j RETURN -A PREROUTING -p udp -m udp --dport 514 -j LOG --log-prefix "Feed_Me_More: " COMMIT # Completed on Tue Sep 6 11:15:41 2011 When I push events that exceed the first 100 pkts/sec ount, the marking happens properly but the "NAT" table does not read the marked packets properly. Here is a packet counts to show this behavior. root at europeanroller:~# iptables -t mangle -nvL PREROUTING Chain PREROUTING (policy ACCEPT 2052 packets, 1205K bytes) pkts bytes target prot opt in out source destination 437 264K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 200/sec burst 5 MARK xset 0x2/0xffffffff 437 264K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 200/sec burst 5 657 397K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 303/sec burst 5 MARK xset 0x3/0xffffffff 657 397K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 303/sec burst 5 853 516K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 400/sec burst 5 MARK xset 0x4/0xffffffff 853 516K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 limit: avg 400/sec burst 5 39 23583 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 LOG flags 0 level 4 prefix `Feed_Me_More: ' root at europeanroller:~# iptables -t nat -nvL PREROUTING Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 1 28 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 mark match 0x2 redir ports 515 0 0 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 mark match 0x3 redir ports 516 0 0 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 mark match 0x4 redir ports 517 Please let me know if this bug can be tested and fixed. -- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-08 14:44 UTC
[Bug 747] IPtables marked packets not being inpsected in NAT table.
http://bugzilla.netfilter.org/show_bug.cgi?id=747 Jan Engelhardt <jengelh at medozas.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jengelh at medozas.de AssignedTo|netfilter- |jengelh at medozas.de |buglog at lists.netfilter.org | -- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Sep-08 14:46 UTC
[Bug 747] IPtables marked packets not being inpsected in NAT table.
http://bugzilla.netfilter.org/show_bug.cgi?id=747 Jan Engelhardt <jengelh at medozas.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID --- Comment #1 from Jan Engelhardt <jengelh at medozas.de> 2011-09-08 16:46:30 --- I hope that you are aware that the NAT table is merely a configuration database that is not called for each packet, but only ones that initiate new NFCT connections. -- Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
Seemingly Similar Threads
- [Bug 712] New: iptables-save does not save correcly rateest bps parameter
- [Bug 713] New: CPPFLAGS are mishandled which breaks non-shared targets
- [Bug 732] New: Iptables 1.4.11 or 1.4.12 does not compile on CentOS 5.6
- [Bug 720] New: iptables no longer compiles for Linux 2.4 because it uses linux/magic.h
- [Bug 727] New: Open your firewall by a simple typo