ip rule with fwmark not working in 2.6.31?

Post by Konstantinos Agouro » Mon, 21 Dec 2009 18:22:40

Hi,

I have a setup where I do policy routing based on a mangle table with
ip rule fwmark. This worked until 2.6.30; with 2.6.31, ip rule does work,
e.g. with a source address:
ip rule from 1.2.3.4 lookup 1
but not with
ip rule from all fwmark 0x01 lookup 1
The problem is that the answer packets are dropped. I use CONNMARK in the
iptables rules. Does anybody have an idea if there was a change from 2.6.30 to
2.6.31?

Konstantin
--

Altersheimerstr. 1, 81545 Muenchen, Germany. Tel +49 89 69370185
----------------------------------------------------------------------------
"Captain, this ship will not survive the forming of the cosmos." B'Elana Torres


ip rule with fwmark not working in 2.6.31?

Post by Pascal Hambour » Tue, 22 Dec 2009 23:52:34

Hello,

Konstantinos Agouros wrote:

> I have a setup where I do policy routing based on a mangle table with
> ip rule fwmark. This worked until 2.6.30; with 2.6.31, ip rule does work,
> e.g. with a source address:
> ip rule from 1.2.3.4 lookup 1
> but not with
> ip rule from all fwmark 0x01 lookup 1
> The problem is that the answer packets are dropped. I use CONNMARK in the
> iptables rules. Does anybody have an idea if there was a change from 2.6.30 to
> 2.6.31?

Maybe you have been hit by the same as this :
<http://www.spinics.net/lists/netfilter/msg47119.html>

If reverse path filtering is enabled (sysctl
net.ipv4.conf.<interface>.rp_filter=1), try to disable it for both "all"
and the involved interfaces.


ip rule with fwmark not working in 2.6.31?

Post by Konstantinos Agouro » Thu, 24 Dec 2009 06:14:08

>Hello,
>Konstantinos Agouros wrote:

>> I have a setup where I do policy routing based on a mangle table with
>> ip rule fwmark. This worked until 2.6.30; with 2.6.31, ip rule does work,
>> e.g. with a source address:
>> ip rule from 1.2.3.4 lookup 1
>> but not with
>> ip rule from all fwmark 0x01 lookup 1
>> The problem is that the answer packets are dropped. I use CONNMARK in the
>> iptables rules. Does anybody have an idea if there was a change from 2.6.30 to
>> 2.6.31?
>Maybe you have been hit by the same as this :
><http://www.spinics.net/lists/netfilter/msg47119.html>
>If reverse path filtering is enabled (sysctl
>net.ipv4.conf.<interface>.rp_filter=1), try to disable it for both "all"
>and the involved interfaces.

I already fell back to 2.6.30, but will try in a VM whether this is the issue;
it would make perfect sense, as the behaviour described in the link
matches perfectly what I have seen here. Was there a change in 2.6.31
to the default setting of this parameter?

Konstantin
--

Altersheimerstr. 1, 81545 Muenchen, Germany. Tel +49 89 69370185
----------------------------------------------------------------------------
"Captain, this ship will not survive the forming of the cosmos." B'Elana Torres


ip rule with fwmark not working in 2.6.31?

Post by Pascal Hambour » Thu, 24 Dec 2009 19:19:36


Konstantinos Agouros wrote:

>> <http://www.spinics.net/lists/netfilter/msg47119.html>

>> If reverse path filtering is enabled (sysctl
>> net.ipv4.conf.<interface>.rp_filter=1), try to disable it for both "all"
>> and the involved interfaces.

> I already fell back to 2.6.30, but will try in a VM whether this is the issue;
> it would make perfect sense, as the behaviour described in the link
> matches perfectly what I have seen here. Was there a change in 2.6.31
> to the default setting of this parameter?

Not AFAIK. But some distribution startup scripts may modify it, e.g.
through /etc/sysctl.conf (as a reminder, note that the current value
and changes of net.ipv4.conf.default.rp_filter are applied to newly
created and existing inactive, i.e. not UP, interfaces).

As I wrote in the last message of the thread, the change was in the way
net.ipv4.conf.<interface>.rp_filter and net.ipv4.conf.all.rp_filter are
combined to produce the functional value. It was a logical AND,
requiring that both are set to enable the feature on <interface>, and
became an arithmetic MAX, requiring that either is set to enable the
feature on <interface>. As a result, if only one is set, then changing
from kernel 2.6.30 to kernel 2.6.31 changes the functional behaviour.
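
The AND-versus-MAX change described in this reply is easy to get wrong by hand, so here is an added example (not part of the thread or of any kernel tooling) that models both combination rules and audits a `/proc/sys/net/ipv4/conf`-style tree for interfaces whose effective `rp_filter` flips between the two kernels. The sample tree it builds is constructed for the demo; the interface names and values in it are not from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): model of how the kernel combines
# net.ipv4.conf.all.rp_filter with net.ipv4.conf.<iface>.rp_filter, following
# the description above: logical AND up to 2.6.30, arithmetic MAX from 2.6.31.

# rp_filter_mode KERNEL_RELEASE -> "and" (<= 2.6.30) or "max" (>= 2.6.31)
rp_filter_mode() {
    printf '%s\n' "${1%%-*}" | awk -F. '{
        v3 = $3 + 0
        m = ($1 > 2 || ($1 == 2 && ($2 > 6 || ($2 == 6 && v3 >= 31)))) ? "max" : "and"
        print m
    }'
}

# rp_filter_effective MODE ALL_VALUE IFACE_VALUE -> value the kernel enforces
rp_filter_effective() {
    case $1 in
        and) if [ "$2" -ne 0 ] && [ "$3" -ne 0 ]; then echo 1; else echo 0; fi ;;
        max) if [ "$2" -ge "$3" ]; then echo "$2"; else echo "$3"; fi ;;
        *)   echo "rp_filter_effective: unknown mode '$1'" >&2; return 1 ;;
    esac
}

# rp_filter_audit CONF_DIR
# CONF_DIR mirrors /proc/sys/net/ipv4/conf: one directory per interface, each
# holding a file named rp_filter. Prints one line per interface whose effective
# value differs between the two rules, i.e. whose behaviour changes on upgrade.
rp_filter_audit() {
    all=$(cat "$1/all/rp_filter")
    for f in "$1"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=${f%/rp_filter}; iface=${iface##*/}
        case $iface in all|default) continue ;; esac
        v=$(cat "$f")
        old=$(rp_filter_effective and "$all" "$v")
        new=$(rp_filter_effective max "$all" "$v")
        [ "$old" = "$new" ] || printf '%s all=%s iface=%s 2.6.30=%s 2.6.31=%s\n' \
            "$iface" "$all" "$v" "$old" "$new"
    done
}

# make_sample_conf: constructed sample tree (not a real host's values), printed
# as a path. all=1 with per-interface values left at 0 is the situation in
# which only the "all" knob was ever set, which the thread identifies as the
# case that changes behaviour.
make_sample_conf() {
    d=$(mktemp -d)
    for i in all default eth0 eth1 lo; do mkdir "$d/$i"; done
    echo 1 > "$d/all/rp_filter"
    echo 0 > "$d/default/rp_filter"
    echo 0 > "$d/eth0/rp_filter"
    echo 1 > "$d/eth1/rp_filter"
    echo 0 > "$d/lo/rp_filter"
    echo "$d"
}

# Demo: audit the constructed tree, then the live host if /proc is readable.
demo=$(make_sample_conf)
rp_filter_audit "$demo"
rm -rf "$demo"
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    rp_filter_audit /proc/sys/net/ipv4/conf
fi
```

On the constructed tree the audit reports eth0 and lo (effective 0 under AND, 1 under MAX) and stays silent on eth1, where both knobs are 1 and nothing changes. Run it against the real `/proc/sys/net/ipv4/conf` before an upgrade to see which interfaces will start filtering.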


2.6.31 and connmark restore are not really working for fwmarking and policy routing

Sorry for the long subject. I do the following:

ip rule from all fwmark 0x10 lookup table 1

iptables -t mangle -A PREROUTING -s 192.168.1.1 -p tcp --dport 80 -j CONNMARK --set-mark 0x10
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask 0xff

I already used the TRACE target for a testing address, and what I see is
that the answer packets go through PREROUTING and at the end have the
correct mark but are never allowed into the FORWARD queue. The same rules were
working in 2.6.30. Has there been some change? Is there a known bug?

Regards,

Konstantin
--

Altersheimerstr. 1, 81545 Muenchen, Germany. Tel +49 89 69370185
----------------------------------------------------------------------------
"Captain, this ship will not survive the forming of the cosmos." B'Elana Torres
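
As an added example (not the poster's own script, nor anything from the thread), here is the fwmark/CONNMARK setup from the first post and from the post above written out as one sequence, together with the `rp_filter` change the thread identifies as the fix. Everything below is a placeholder: interface names `eth0`/`eth1`, the RFC 5737 gateway `203.0.113.1`, the client and LAN subnet, and the assumption that table 1 is otherwise empty (the LAN route added to it is this example's addition, not something the posts show). Without an argument it only prints the commands; with `--apply` it feeds them to `sh` as root.

```sh
#!/bin/sh
# Added example, not from the thread: fwmark + CONNMARK policy routing with the
# rp_filter setting cleared the way the thread suggests. All values are
# placeholders; adjust them to the real host before applying.
set -eu

LAN=eth0               # interface towards the marked client (placeholder)
LAN_NET=192.168.1.0/24 # the client's subnet (placeholder)
WAN=eth1               # interface carrying the policy-routed traffic (placeholder)
GW=203.0.113.1         # next hop used by table 1 (RFC 5737 placeholder)
SRC=192.168.1.1        # client whose port-80 traffic is policy routed
MARK=0x10
TABLE=1

# policy_route_cmds SRC MARK TABLE GW WAN LAN LAN_NET
# Prints the command sequence; pipe it through sh to apply it.
policy_route_cmds() {
    cat <<EOF
# 1. Reverse path filtering. From 2.6.31 the per-interface value is
#    MAX(all, iface), so a 1 in "all" alone keeps the check on: clear it on
#    "all" and on both interfaces involved.
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$6.rp_filter=0
sysctl -w net.ipv4.conf.$5.rp_filter=0
# 2. Table $3: default via the alternate gateway plus the LAN's connected
#    route, so marked reply packets still reach the client instead of being
#    sent back out $5 (assumption: table $3 is otherwise empty).
ip route replace default via $4 dev $5 table $3
ip route replace $7 dev $6 table $3
# 3. Packets carrying mark $2 are routed with table $3 ("from all" is implied).
ip rule add fwmark $2 lookup $3
# 4. Set the connection mark on the first packet of a matching flow, then copy
#    it onto every packet of every connection (both directions) so the replies
#    hit the same ip rule as the requests.
iptables -t mangle -A PREROUTING -s $1 -p tcp --dport 80 -m conntrack --ctstate NEW -j CONNMARK --set-mark $2
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --mask 0xff
EOF
}

case ${1:-} in
    --apply) policy_route_cmds "$SRC" "$MARK" "$TABLE" "$GW" "$WAN" "$LAN" "$LAN_NET" | sh -e ;;
    *)       policy_route_cmds "$SRC" "$MARK" "$TABLE" "$GW" "$WAN" "$LAN" "$LAN_NET" ;;
esac
```

The `--restore-mark --mask 0xff` line is deliberately last and unconditional, as in the post: the first rule only sets the connection mark, and it is the restore that puts the mark on the packets, including the answer packets the poster saw leaving PREROUTING correctly marked. If the rules are applied to a host that still has `rp_filter=1` on `all`, the 2.6.31 MAX rule keeps the check active on every interface, which is the situation this thread traces the drops to.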
