Displaying 20 results from an estimated 196 matches for "connmark".
2005 Jun 22
3
block p2p: ARES
...y ACCEPT 8557K packets, 2822M bytes)
pkts bytes target prot opt in out source destination
85574 24M p2ptraffic all -- * * 0.0.0.0/0 0.0.0.0/0
.................
Chain p2ptraffic (1 references)
pkts bytes target prot opt in out source destination
11860 1620K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.7.4 --bit CONNMARK set 0xa
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.7.4 --...
2009 May 29
5
CONNMARK target and connmark match support in Ubuntu kernel
Hi,
As per the shorewall MultiISP documentation (http://www1.shorewall.net/MultiISP.html), it says
"Use of this feature requires that your kernel and iptables include
CONNMARK target and connmark match support (Warning: Standard Debian™
and Ubuntu™ kernels are lacking that support!)."
It means MultiISP won't work properly if I am using Ubuntu server. If
yes, what's the workaround?
--------------------------------
Swapnil Jain
Indore
---------------------------...
2004 Sep 24
2
CONNMARK problem
Hello everybody.
I have the following problem:
I have this at the top of the PREROUTING chain in the mangle table
iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 0 # rule 1
iptables -t mangle -A PREROUTING -m connmark --mark 5 # rule 2
iptables -t mangle -A PREROUTING -m connmark --mark 6 # rule 3
I think when a packet is passing through my POSTROUTING in the mangle table
it can't match rule 2 or 3, but in the real...
2006 Feb 06
2
p2p marking, again
Hey, one more question for ipp2p
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --s...
2004 Dec 24
4
Ingress and Classifier & netfilter
Hi all,
Whenever I start up TC and implement traffic policing using ingress, I
get logs that go something like this:
Classifier actions preferred over ingress.
What does that mean??
These are the relevant lines:
tc qdisc add dev $DEV handle ffff: ingress
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src
0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
2005 Nov 24
1
ftp connmark
I saw this snippet from
Daniel Chemko dchemko@smgtec.com
Mon, 31 May 2004 09:30:43 -0700
# Egress marking (mostly for QOS operations)
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} --dport 21 -j MARK --set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
I want to mark many packets, including FTP.
So above these lines, I have a...
2007 Feb 22
5
what's wrong?
# iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
iptables v1.3.3: Bad MARK value `!'
I'm puzzled, what's wrong with this syntax?
kernel is 2.6.15.7-ubuntu1
Thanks
Francesco
2007 May 09
10
Load balancing using connmark
Hi,
I've been implementing a load balancing solution using CONNMARK, based
on the solution described by Luciano Ruete at [1]. Thanks for the post and for
pointing in the right direction, Luciano!
Once implemented, I've found that for some reason packets aren't
properly marked (or are improperly remarked) and are sent out using the wrong
interface.
My topo...
2005 Dec 05
1
Connmark question
...t IPP2P working on my router. Thus far I can see
connections being marked (see below), but they don't seem to get saved
or something. When looking at /proc/net/ip_conntrack, nothing has
anything other than 0 for mark. The iptables commands for this are:
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -m ipp2p --bit --dc --edk -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m mark --mark 3 -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -o ppp0 -m mark --mark 3 -j CLASSI...
2005 Apr 06
2
MARK vs CLASSIFY with tc
Hello list,
I just wonder if someone did any performance tests (speed of processing the
packets) or maybe could advise about these two scenarios:
1. packets are marked with iptables and processed by tc using filters
2. packets are sent by iptables directly to tc using CLASSIFY chain, thus
avoiding the tc filters
I had some thinking about these two ways of dealing with egress traffic and my
2003 Jun 16
3
Questions regarding CONNMARK
Hi there, I have some questions regarding CONNMARK and STRING modules for
netfilter.
I have a stateful firewall doing conntracking, because I have two DSL
connections doing load balancing. I have found a way to discriminate KaZaA
traffic flowing via port 80 from normal HTTP traffic using the string match.
I want to mark a kazaa connection and fi...
2007 May 10
0
FW: Load balancing using connmark
-----Original Message-----
From: Salim S I [mailto:salim.si@cipherium.com.tw]
Sent: Thursday, May 10, 2007 5:22 PM
To: 'Francis Brosnan Blazquez'
Subject: RE: [LARTC] Load balancing using connmark
"I think the main advantage of shorewall solution is that it applies
connmark to incoming packets from the wan as you point, leaving load
balancing to outgoing connections to the main table"
Actually, the main table/multipath route only routes the first packet of
a connection. The subse...
2006 May 30
11
Problems with Routing and Masquerading
Hi,
I have a linux box which balances load between two interfaces ( say WAN1
and WAN2). I have masquerading on for any request coming from LAN to the
outside world.
The setup is in such a way that WAN1 drops packets with source ip
belonging to WAN2's network and vice versa.
For some strange reason, I find that packet coming out from the WAN
interface has source address of WAN2 and
2017 Mar 10
4
[Bug 1128] New: ip6_tables connmark or connlabel never matches
https://bugzilla.netfilter.org/show_bug.cgi?id=1128
Bug ID: 1128
Summary: ip6_tables connmark or connlabel never matches
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: SuSE Linux
Status: NEW
Severity: normal
Priority: P5
Component: ip6_tables (kernel)
Assignee: netfilter...
2004 Oct 17
8
Shorewall and IPP2P
Hi!
I'm wondering whether anyone has successfully set up a bandwidth control
system using ipp2p and shorewall. I have been able to drop connections
altogether, but I don't seem to be able to get CONNMARK working with ipp2p.
Any pointers would be greatly appreciated :)
______________________________
Mario R. Pizzolanti
2005 Feb 16
11
Load Balancer setting for Public Servers
Hello,
I have finished setting up the load balancer with IPROUTE ... also patch the
kernel to support DGD and now it's working fine with the valuable guide at
LARTC website, Julian Anastasov, and the kind people in this mailing list.
Now I would like to launch a web server and a ftp server to the public but
I'm stuck into a problem and really need your help.
Currently internal
2014 Aug 07
2
[Bug 968] New: CONNMARK failing open silently?
https://bugzilla.netfilter.org/show_bug.cgi?id=968
Summary: CONNMARK failing open silently?
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nf_conntrack
AssignedTo: netfilter-buglog at list...
2012 Oct 08
3
Shorewall 4.5.8 IPSEC in a multi-ISP configuration
Hi,
I'm using IPSEC in a multi-ISP configuration,
lsm 0.131, Kernel 2.6.32, ipsec-tools 0.8.0
This worked fine with Shorewall/Shorewall-Lite 4.5.7.
After updating Shorewall to 4.5.8 the routing of ESP packets doesn't work.
If I change the Providers.pm file and add connmark => "! --mark
0/$mask" like before in Shorewall 4.5.7 then everything works fine.
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
Thank you...
2006 Sep 20
0
Ipp2p with connmark
...d with tcpdump.
I send the packets with tcpreply.
I had to create a bridge interface in order to enable the listening
interface in promiscuous mode
and to classify the traffic mirrored to that.
In this mode the traffic passes through the prerouting chain of the mangle
table (on bridge).
I want to use connmark for recognized flows, and I see the rules for
iptables on the site of ipp2p.
These are the four rules:
01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
03# iptables -t mangle -A PREROUTING -p tcp -m ipp2...
2007 Jan 25
4
":T" flags in 3.4.0-RC1
...---------------------------------------
Shorewall 3.4.0-RC1 Mangle Table at droopy - Thu Jan 25 12:06:47 GMT
2007
Counters reset Thu Jan 25 11:41:20 GMT 2007
Chain PREROUTING (policy ACCEPT 21911 packets, 7207K bytes)
pkts bytes target prot opt in out source destination
215 36310 CONNMARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK match !0x0/0xff CONNMARK restore mask 0xff
648 69251 routemark 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff
647 69125 tcpre 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0
21873 7205K tcpre 0...