Re: Help with packet marking



Thanks to all those who offered help. I have everything working now. Not entirely sure what happened. 2 things of note:

- I upgraded the kernel version from 2.6.31-23 to 2.6.32-40
- I was setting /proc/sys/net/ipv4/conf/all/rp_filter to 0 which worked previously, however it would seem that in the newer kernels I have to also set all the interface values as well. I'm using multiple IPs per nic and not setting this causes the return packets to get lost in some instances.

The kernel change seemed to fix the packets going out of the wrong interface problem although I can't test this any more unfortunately - which does seem very odd. But maybe the 2 in combination caused it?

Thanks again

John
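An added example, not part of the thread: a POSIX shell check for the rp_filter behaviour described above. The kernel applies the maximum of conf/all/rp_filter and conf/<iface>/rp_filter, so zeroing only "all" leaves any interface still holding 1 in strict mode; `SYSCTL_CONF` is an assumed override variable so the functions can be run against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Check the *effective* reverse-path filter per interface. The kernel applies
# max(conf/all/rp_filter, conf/<iface>/rp_filter), so writing 0 to "all" alone
# leaves strict filtering on any interface whose own value is still 1, and
# return packets for a second address on that NIC can be silently dropped.
# SYSCTL_CONF is an assumed override (default: the real /proc path) so the
# functions can be exercised against a constructed directory tree.
SYSCTL_CONF="${SYSCTL_CONF:-/proc/sys/net/ipv4/conf}"

# effective_rp_filter IFACE -> prints 0 (off), 1 (strict) or 2 (loose)
effective_rp_filter() {
    all=$(cat "$SYSCTL_CONF/all/rp_filter")
    dev=$(cat "$SYSCTL_CONF/$1/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# check_rp_filter WANT -> one line per interface whose effective mode is not
# WANT; returns 1 if any interface mismatches, 0 if all agree
check_rp_filter() {
    want="$1"; rc=0
    all=$(cat "$SYSCTL_CONF/all/rp_filter")
    for d in "$SYSCTL_CONF"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$iface")
        if [ "$eff" != "$want" ]; then
            echo "$iface: effective rp_filter=$eff (all=$all, iface=$(cat "$d/rp_filter"))"
            rc=1
        fi
    done
    return "$rc"
}

# set_rp_filter MODE -> write MODE to "all", "default" and every interface so
# the effective mode is MODE everywhere (the fix described in the post above)
set_rp_filter() {
    for d in "$SYSCTL_CONF"/*/; do
        echo "$1" > "$d/rp_filter"
    done
}
```

On a multi-homed host, loose mode (2) keeps a spoofing check while accepting any source reachable via some interface, which is usually what a multiple-IP setup needs rather than 0.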


On 29/03/2012 15:55, Humberto Jucá wrote:
2012/3/29 John Lister <john.lister@xxxxxxxxxxxxxxx>:
> It seems to be selecting the correct route using the marks as iptables
> reports the correct interface in the log files.
> However the packet then goes out of a different interface.
Show us all firewall and routing rules (at least the main)...
    iptables -t mangle -nL -v
    ip rule ls

> This has always worked before, the default route is in the main table (maybe
> not clear before) and is used so that
> the box can route local packets out. Your example (below) would do the same
> except skip the fwmark rules
Not exactly. In my example, to skip the fwmark process the destination
address must be known by the main table. And you don't need to treat
your essential routes in alternative tables (only default gw). For
this reason, you couldn't use a default gw in main table (*my
example*).

But, I'm still not sure why your setup has stopped working.

> Yes, sorry when doing the example missed off the -m state --state NEW bit...
> I still find it strange that recently packets I'd expect to be in the NEW
> state are ESTABLISHED. eg doing
> ping blah
> ping blah
> results in the first outgoing packet being NEW, but the second ping is
> ESTABLISHED, surely this is a bug?
Why do you need to work with connection STATEs in firewall MARKs?

Tell me more about your configuration.
I can check your firewall confs if you open your ssh access for me
(send me account in pvt - if you like).


--
Get the PriceGoblin Browser Addon
www.pricegoblin.co.uk

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

