I'm having a problem transferring iptables connection tracking (conntrack) marks to Netfilter marks. I'm trying to use the 'conntrack' tool (from conntrack-tools) to update conntrack mark values on ESTABLISHED connections, then use iptables to monitor those mark values via the connmark module and transfer the mark values to the packet as it is handed off to Netfilter. A tc filter exists which is supposed to look for packets with certain fwmarks, and drop them into their corresponding qdisc.
Here are the rules I'm using:
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m connmark --mark 0x5 -j MARK --set-mark 0x5
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
tc qdisc add dev eth0 root handle 1: prio
tc qdisc add dev eth0 parent 1:2 handle 12: htb
tc filter add dev eth0 parent 12: protocol ip prio 1 handle 5 fw flowid 12:5
tc class add dev eth0 parent 12: classid 12:5 htb rate 56kbit
tc qdisc add dev eth0 parent 12:5 handle 5: sfq perturb 10
iptables -t mangle -L -v shows packets matching the rules, but the tc qdisc counters for 12:5 are not incrementing, which would show packets are entering the qdisc.
I've tried to do some debugging by MARKing all packets for a single host in iptables, but even that gives me some problems.
This doesn't work:
iptables -t mangle -A POSTROUTING -s 192.168.101.61 -j MARK --set-mark 5
But this does:
$IPSET --create testhost nethash
$IPSET --add testhost 192.168.101.61/32
iptables -t mangle -A POSTROUTING -m set --set testhost src -j MARK --set-mark 5
Obviously there's something that I don't understand about iptables and/or netfilter. Any help would be greatly appreciated.
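The debugging step the post describes, comparing the mangle-table MARK counters against the tc class counters, can be scripted. This is an added example and not code from the original post: it parses the output shape of `iptables -t mangle -L POSTROUTING -v -n -x` and `tc -s class show dev eth0` (the sample listings below are constructed, not captured from the poster's host) and reports at which stage the fwmark 0x5 packets stop being accounted for.

```python
import re

# Constructed sample of `iptables -t mangle -L POSTROUTING -v -n -x` (assumed format).
IPTABLES_OUT = """\
Chain POSTROUTING (policy ACCEPT 1820 packets, 140212 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1820   140212 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
      57     4104 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x5 MARK set 0x5
    1820   140212 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save
"""

# Constructed sample of `tc -s class show dev eth0` for the prio/htb tree in the post.
TC_OUT = """\
class prio 1:1 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class prio 1:2 parent 1: leaf 12:
 Sent 140212 bytes 1820 pkt (dropped 0, overlimits 0 requeues 0)
class prio 1:3 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 12:5 root leaf 5: prio 0 rate 56Kbit ceil 56Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
"""


def iptables_mark_counts(text):
    """Packet counter per fwmark value, summed over MARK --set-mark rules in the listing."""
    counts = {}
    for m in re.finditer(r"^\s*(\d+)\s+\d+\s+MARK\b.*?MARK set (0x[0-9a-fA-F]+)", text, re.M):
        mark = int(m.group(2), 16)
        counts[mark] = counts.get(mark, 0) + int(m.group(1))
    return counts


def tc_class_packets(text):
    """Packets sent per classid, taken from the 'Sent ... pkt' line under each class."""
    stats, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^class \S+ (\S+) ", line)
        if head:
            current = head.group(1)
            continue
        sent = re.search(r"Sent (\d+) bytes (\d+) pkts?\b", line)
        if sent and current:
            stats[current] = int(sent.group(2))
    return stats


def check_mark_to_class(ipt_text, tc_text, mark, classid):
    """Locate the stage where fwmark'd packets stop being counted: mangle, or the tc class."""
    marked = iptables_mark_counts(ipt_text).get(mark, 0)
    queued = tc_class_packets(tc_text).get(classid)
    if queued is None:
        return "class %s not present on the device" % classid
    if marked == 0:
        return "no packets received mark 0x%x in the mangle table" % mark
    if queued == 0:
        return "marked %d packets with 0x%x but none queued in %s: check the filter's parent" % (marked, mark, classid)
    return "ok: %d marked, %d queued in %s" % (marked, queued, classid)
```

Feed it live output with `subprocess.run([...], capture_output=True, text=True).stdout` in place of the constructed strings.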