Cannot use iptables with --set-mark 1

Hi there, my first post...

device: Mikrotik hAP ac2 Router

firmware: 21.02.3 / 22.03.0

I am trying to use the --set-mark via iptables, I need to using that with

ip rule add fwmark 1 lookup 100

after I execute the command

iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 1

I check with

iptables -t mangle -S

it will show me

iptables -t mangle -A OUTPUT -p tcp -j MARK --set-xmark 0x1/0xffffffff

I tried with both 21.02.3 / 22.03.0 version, same result.

It is a very weird bug, or maybe I just do not understand the openwrt iptables mechanism well enough.

in case anyone can translate the "script" using Netfilter or other ways to work around this "bug", here is the whole script

ip rule add fwmark 1 lookup 100
ip route add local dev lo table 100

iptables -t mangle -F
iptables -t mangle -A PREROUTING -d -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -j TPROXY --tproxy-mark 0x1/0x1 --on-port 10809
iptables -t mangle -A PREROUTING -p udp -j TPROXY --tproxy-mark 0x1/0x1 --on-port 10809
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A OUTPUT -d -j ACCEPT
iptables -t mangle -N DIVERT_OUT
iptables -t mangle -A OUTPUT -m socket -j DIVERT_OUT
iptables -t mangle -A DIVERT_OUT -j MARK --set-mark 1
iptables -t mangle -A DIVERT_OUT -j ACCEPT

It is normal that --set-mark gets translated into --set-xmark. The option --set-mark N is short hand notation for --set-xmark N/0xffffffff.

Hi jow

can you clarify it is the exact same thing?

from what I read

This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.

--set-xmark value[/mask]
Zeroes out the bits given by mask and XORs value into the packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.

--set-mark value[/mask]
Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed.


they are not the same

I was afraid the fwmark will not be able to pick up the mark from the xmark. And clearly I don't have enough knowledge to debug the "mark"

I am debgging a complex proxy set up, the last thing I would want is putting some code which I am not 100% sure. It is a long story...

anyhow please shine some lights on it.

thanks for the help

Well still have not really figured out the difference between XOR and OR
However I did find a easy way to debug the problem

iptables  -t nat -I INPUT  -m mark ! --mark 0 -m limit --limit 12/min --limit-burst 30 -j LOG --log-prefix "tproxy-input"

iptables -t nat -I OUTPUT -m mark ! --mark 0 -m limit --limit 12/min --limit-burst 30 -j LOG --log-prefix "tproxy-output"


dmesg -c

dmesg | grep -e 'tproxy-input.*0xff'

dmesg | grep -e 'tproxy-output.*0xff'

If any "top-guns" feel like put those XOR / OR in layman term, plz do so.

after some painful digging

I kinda understood why the --set-xmark ≈ --set-mark

XOR / OR are different operator in binary, when the initial packet mark is all 0, and the result would be the same. However is the initial is not all zero, the result would be different.

Here is a good resources for explain all the marks stuff, took me an hour to find it, well this kinda of stuff just not gonna digest well in my system...

Hopefully could help someone looking into the same problem

Packet Marking using /etc/shorewall/mangle and /etc/shorewall/tcrules

let me add the more accurate man page since the version of the iptables is 1.8.7

iptables-extensions(8) — Linux manual page


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.