Topic: connmark problems in WhiteRussian

The content of this topic has been archived on 12 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Page 1 of 1

Post #1

netprince

19 Oct 2006, 04:56

I've been testing out the whiterussian SVN for the purpose of upgrading my router from RC3. My ISP blocks outgoing port 25 (and others), so I have an openVPN tunnel running to another site that does not block outgoing port 25. I can then mark tcp connections going out on port 25 and send them down the tunnel using an ip route.

The following code works great in RC3, but does not work with recent WR SVN.

IPT_NOMARK="-m mark --mark 0"
IPT_MARKED="-m mark ! --mark 0"

IPT -t mangle -A PREROUTING $IPT_NOMARK -j CONNMARK --restore-mark
IPT -t mangle -A PREROUTING $IPT_MARKED -j ACCEPT

# Outgoing SMTP connections via Tunnel (mark 1)
IPT -t mangle -A PREROUTING -i $TUN_IF $IPT_NOMARK -j MARK --set-mark 0x1
IPT -t mangle -A PREROUTING -d ! $VPN_HST_IP -p tcp --dport 25 \
  $IPT_NOMARK -j MARK --set-mark 0x1

IPT -t mangle -A PREROUTING $IPT_MARKED -j CONNMARK --save-mark

    echo "Configuring Policy Routes..."
    /usr/sbin/ip rule del fwmark 1 from $DP_IP/24 table 1
    /usr/sbin/ip route flush table 1
    /usr/sbin/ip route add default via $TUN_SRV_IP dev $TUN_IF table 1
    /usr/sbin/ip rule add fwmark 1 from $DP_IP/24 table 1
    /usr/sbin/ip route flush cache

On the tunnel interface, I can watch the tcp session with tcpdump. The first packet gets sent correctly, and packets return correctly, but no more packets get sent. I tried many different combinations of the above code, nothing helped.

Is anyone else using connection marking with the recent WR SVN?

Post #2

netprince

20 Oct 2006, 21:01

Ok, I have spent more time trying to figure this out. It looks like the packets are being marked correctly, here's what I used to figure this out:

IPT_NOMARK="-m mark --mark 0"
IPT_MARKED="-m mark ! --mark 0"

IPT -t mangle -A PREROUTING $IPT_NOMARK -j CONNMARK --restore-mark
IPT -t mangle -A PREROUTING -m mark --mark 0x1 -p tcp --dport 25 -j LOG
IPT -t mangle -A PREROUTING $IPT_NOMARK -p tcp --dport 25 -j MARK --set-mark 0x1
IPT -t mangle -A PREROUTING $IPT_MARKED -j CONNMARK --save-mark

The logs show my outgoing packets. I checked the default route with tcpdump, and they are being sent out the default interface. Its like the routing code is ignoring the firewall marks. So then I tried connecting from the router, using the following code:

# Local connections outbound to port 25
IPT -t mangle -A OUTPUT -o $WAN_IF $IPT_NOMARK -j CONNMARK --restore-mark
IPT -t mangle -A OUTPUT -o $WAN_IF -p tcp --dport 25 -j MARK --set-mark 0x1
IPT -t mangle -A OUTPUT -o $WAN_IF $IPT_MARKED -j CONNMARK --save-mark

It works perfectly! So why doesn't it work when forwarding packets???

(Last edited by netprince on 21 Oct 2006, 01:15)

Post #3

netprince

23 Oct 2006, 07:10

I installed WhiteRussian RC5, the scripts above work fine. IMO there is a bug introduced since RC5. I will try to build the latest WR SVN to see if it helps...

Post #4

netprince

23 Oct 2006, 14:59

Just tried out WR from SVN built today. The problem still exists. I'll post in TRAC shortly...

Post #5

netprince

17 Nov 2006, 19:59

Still a problem with RC6.

I am offering a bounty to the dev that can squash this bug. Please see the TRAC entry:

https://dev.openwrt.org/ticket/877

Post #6

netprince

7 Jan 2007, 02:44

I managed to work out a solution. I removed the 216-multiple_default_gateways.patch and everything works fine. I am not using any functionality from that patch, so its no big deal for me to remove it.

The discussion might have continued from here.

Page 1 of 1