tc doesn't see packets marked with -j MARK


The problem you're experiencing with the MARK IPTABLES target not working as expected was caused by a missing kernel module which enables that specific Netfilter functionality. In order to use the MARK target, you need to load the XT_MARK module which must be compiled with the Linux kernel.

Check your kernel config for CONFIG_NETFILTER_... items and ensure that ...XT_MARK and its prerequisites are compiled. If the XT_MARK item was compiled as a module, you'll need to load it with modprobe xt_mark.
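An added check script, written for this page rather than taken from the answer or the asker's post, that turns the answer's advice and the question's diagnostics into something you can run. It classifies CONFIG_NETFILTER_XT_MARK in a kernel config as built-in, module or missing, tests whether xt_mark is currently loaded, loads it only when needed, reduces `tc filter show` output to the fw handle/classid pairs the `fw` classifier actually matches, and converts tc rate strings the way tc parses them. The last point is a caveat for the setup in the question: in tc, `mbps` means megabytes per second and `mbit` means megabits, so `rate 1mbps` is 8 Mbit/s, not the 1 Mbit/s the task asks for. The file paths, the `--run` entry point and the sample inputs are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original answer. Helpers for the pieces
# this thread touches. Default paths are assumptions about the usual
# locations (some distros expose the config as /proc/config.gz instead).

# xt_mark_config [CONFIG_FILE]
# Prints builtin, module or missing for CONFIG_NETFILTER_XT_MARK.
xt_mark_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || { echo unknown; return 1; }
    case "$(sed -n 's/^CONFIG_NETFILTER_XT_MARK=\([ym]\)$/\1/p' "$cfg")" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo missing ;;
    esac
}

# xt_mark_loaded [MODULES_FILE]
# Succeeds if xt_mark appears in /proc/modules (or the given file).
xt_mark_loaded() {
    grep -q '^xt_mark ' "${1:-/proc/modules}"
}

# ensure_xt_mark
# Loads xt_mark when it is built as a module and not yet loaded. This is
# the step that fixed the question; it needs root.
ensure_xt_mark() {
    case "$(xt_mark_config)" in
        builtin) echo "xt_mark: built into the kernel" ;;
        module)
            if xt_mark_loaded; then
                echo "xt_mark: already loaded"
            else
                modprobe xt_mark && echo "xt_mark: loaded"
            fi ;;
        *) echo "xt_mark: not available in this kernel" >&2; return 1 ;;
    esac
}

# fw_filter_map < tc-filter-output
# Reduces `tc filter show dev DEV` output to "HANDLE CLASSID" lines. The
# fw classifier compares the packet's firewall mark against HANDLE.
fw_filter_map() {
    awk '/ fw handle / { for (i = 1; i <= NF; i++)
                         if ($i == "handle") print $(i+1), $(i+3) }'
}

# rate_to_bps RATE
# Converts a tc rate argument to bits per second as tc parses it:
# "mbit" is megabits, "mbps" is megabytes (x8); suffixes are case-insensitive.
rate_to_bps() {
    r=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    n=${r%%[a-z]*}
    u=${r#"$n"}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$u" in
        bit|'') m=1 ;;
        kbit)   m=1000 ;;
        mbit)   m=1000000 ;;
        gbit)   m=1000000000 ;;
        bps)    m=8 ;;
        kbps)   m=8000 ;;
        mbps)   m=8000000 ;;
        gbps)   m=8000000000 ;;
        *) return 1 ;;
    esac
    echo $((n * m))
}

# Live run (root): ./xtmark-check.sh --run [DEV]
if [ "$1" = "--run" ]; then
    ensure_xt_mark
    echo "fw filters on ${2:-eth1}:"
    tc filter show dev "${2:-eth1}" | fw_filter_map
fi
```

After `ensure_xt_mark` succeeds, confirm the marks reach tc from both sides: the packet counters in `iptables -t mangle -L -v -n` should increase on the MARK rules, and `tc -s class show dev eth1` should show the bytes landing in class 1:3 rather than the default class.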



Author: Yusr Safour

Updated on September 18, 2022

Comments

  • Yusr Safour
    Yusr Safour over 1 year

    Server has 2 network interfaces:

    • eth1 with address 13.0.0.254/24
    • eth0 with address 172.20.203.4/24.

    It's routing traffic between these two networks. The task is to limit bandwidth between these two networks to 1Mbit/sec, but not to limit bandwidth between the server and network hosts (i.e., limit all packets going through FORWARD).

    iptables -t mangle -A POSTROUTING -s 13.0.0.0/24 -d 172.20.203.0/24 -j MARK --set-mark 0x0001
    iptables -t mangle -A POSTROUTING -s 172.20.203.0/24 -d 13.0.0.0/24 -j MARK --set-mark 0x0002
    
    # eth1
    tc qdisc add dev eth1 root handle 1:0 htb default 2
    
    tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1000mbps ceil 1000mbps
    tc class add dev eth1 parent 1:1 classid 1:2 htb rate 999mbps ceil 1000mbps
    tc class add dev eth1 parent 1:1 classid 1:3 htb rate 1mbps
    
    tc qdisc add dev eth1 parent 1:2 handle 2:0 sfq perturb 10
    tc qdisc add dev eth1 parent 1:3 handle 3:0 sfq perturb 10
    
    tc filter add dev eth1 parent 1:0 handle 1 fw flowid 1:3
    tc filter add dev eth1 parent 1:0 handle 2 fw flowid 1:3
    
    # eth0
    tc qdisc add dev eth0 root handle 1:0 htb default 2
    
    tc class add dev eth0 parent 1:0 classid 1:1 htb rate 1000mbps ceil 1000mbps
    tc class add dev eth0 parent 1:1 classid 1:2 htb rate 999mbps ceil 1000mbps
    tc class add dev eth0 parent 1:1 classid 1:3 htb rate 1mbps
    
    tc qdisc add dev eth0 parent 1:2 handle 2:0 sfq perturb 10
    tc qdisc add dev eth0 parent 1:3 handle 3:0 sfq perturb 10
    
    tc filter add dev eth0 parent 1:0 handle 2 fw flowid 1:3
    tc filter add dev eth0 parent 1:0 handle 1 fw flowid 1:3
    

    This doesn't work. If I use this at the beginning:

    tc qdisc add dev eth1 root handle 1:0 htb default 3
    tc qdisc add dev eth0 root handle 1:0 htb default 3
    

    it works. So the problem is in the filter settings.

    iptables -L -v -n -t mangle
    

    shows that packets are going through the MARK rules. I tried marking packets not in POSTROUTING but in FORWARD or PREROUTING; that does not work either. What am I doing wrong?

    Here are some diagnostics:

    # tc -s -d -r filter show dev eth0
    filter parent 1: protocol [768] pref 49151 fw
    filter parent 1: protocol [768] pref 49151 fw handle 0x1 classid 1:3
    filter parent 1: protocol [768] pref 49152 fw
    filter parent 1: protocol [768] pref 49152 fw handle 0x2 classid 1:3
    # tc -s -d -r filter show dev eth1
    filter parent 1: protocol [768] pref 49151 fw
    filter parent 1: protocol [768] pref 49151 fw handle 0x2 classid 1:3
    filter parent 1: protocol [768] pref 49152 fw
    filter parent 1: protocol [768] pref 49152 fw handle 0x1 classid 1:3
    

    Kernel config:

    /boot # uname -a
    Linux armada-sc-02 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64 GNU/Linux
    /boot # grep CONFIG_IP_MULTIPLE_TABLES config-2.6.32-5-amd64
    CONFIG_IP_MULTIPLE_TABLES=y
    /boot # grep CONFIG_IP_ADVANCED_ROUTER config-2.6.32-5-amd64
    CONFIG_IP_ADVANCED_ROUTER=y
    /boot # grep CONFIG_IP_ROUTE_FWMARK config-2.6.32-5-amd64
    
    • Sean C.
      Sean C. over 11 years
      Is the Linux kernel configured with fwmark support? Per tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html you need CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES and CONFIG_IP_ROUTE_FWMARK.
    • Sean C.
      Sean C. over 11 years
      Try grep IP_NF /boot/config-2.6.32-5-amd64, grep NETFILTER /boot/config-2.6.32-5-amd64, grep CONNMARK /boot/config-2.6.32-5-amd64. I'm not sure what the exact option would be, but from reading it appears that things have changed since 2.6.20. In 3.5 it's CONFIG_NETFILTER_XT_MARK.
    • Yusr Safour
      Yusr Safour over 11 years
      modprobe xt_mark helped. Thank you very much! Write an answer and I'll accept it
    • Sean C.
      Sean C. over 11 years
      I wrote up an answer. Feel free to add any edits you like and I'm glad I was able to help.