Bug 295934 - Policy routing with fwmark fails
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
Reported: 2009-12-06 09:58 UTC by Konstantin Agouros
Modified: 2009-12-31 08:52 UTC (History)
Description Konstantin Agouros 2009-12-06 09:58:47 UTC
After the upgrade to 2.6.31-r6 policy routing fails, because the answer packets are not forwarded.

Simple setup:

# mark the connection for traffic from the internal host to the external host
iptables -t mangle -I PREROUTING -s internal-address -d external-address -j CONNMARK --set-mark 0x11
# copy the connection mark back onto every packet (the CONNMARK target option is --restore-mark)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

ip rule add from all fwmark 0x11 lookup 1

Table 1 has a different default route than untagged traffic.

What happens: packets get out the right way, return packets don't go past the router.

I enabled iptables tracing and this shows that the right mark is set on the answer packet, but it does not jump into the forward queue.

Same setup worked on 2.6.30-r7. Did anything change in the behaviour so that I need to change the setup?

Reproducible: Always

Steps to Reproduce:
1. see description

Actual Results:
see description

Expected Results:
see description

Portage 2.1.6.13 (default/linux/x86/10.0, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.31-gentoo-r6 i686)
=================================================================
System uname: Linux-2.6.31-gentoo-r6-i686-Pentium_III_-Coppermine-with-gentoo-1.12.13
Timestamp of tree: Sat, 05 Dec 2009 17:00:01 +0000
Comment 1 Eray Aslan gentoo-dev 2009-12-29 07:11:04 UTC
(In reply to comment #0)
> Same setup worked on 2.6.30-r7 Did anything change on the behaviour so I need
> to change the setup?

* Try setting net.ipv4.conf.all.rp_filter to 0.  rp_filter changed from logical AND to arithmetic MAX in 2.6.31:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commitdiff;h=27fed4175acf81ddd91d9a4ee2fd298981f60295
* If it works, try "loose" reverse path filtering (rp_filter=2).  It is better than no reverse path filtering and should work in the above case.
* If it does not work, try kernel 2.6.32.  There are several commits that will affect multihomed setups.
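Added example, not part of this bug report or of any kernel code: a small Python model of reverse-path filtering as it bears on comment 1, built around a constructed dual-uplink routing table. It models the all/per-interface combination rule that changed from AND to MAX in 2.6.31 and the off/strict/loose decision; as a deliberate simplification the reverse lookup consults the main table only (not a fwmark-selected table), which is enough to show why a strict check drops an asymmetric reply while loose mode accepts it. Interface names, kernel tuples and addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple
# rp_filter modes as documented in the kernel's ip-sysctl.txt:
# 0 = no source validation, 1 = strict (the reverse route to the source must
# leave via the ingress interface), 2 = loose (any route to the source suffices).
OFF, STRICT, LOOSE = 0, 1, 2
# Constructed main table of a dual-uplink router: prefix -> egress interface.
# Table 1 (selected by fwmark 0x11) would default via uplink B on eth2 instead,
# so a reply arriving on eth2 disagrees with this table's reverse lookup.
MAIN_TABLE: Dict[str, str] = {
    "192.168.1.0/24": "eth0",  # internal LAN
    "0.0.0.0/0": "eth1",       # default route: uplink A
}

def effective_rp_filter(all_value: int, iface_value: int, kernel: Tuple[int, ...]) -> int:
    """Combine net.ipv4.conf.all.rp_filter with the per-interface value.
    Before 2.6.31 the kernel ANDed them; from 2.6.31 it takes the MAX, so a
    per-interface 0 no longer disables the check while all=1."""
    if kernel < (2, 6, 31):
        return int(bool(all_value) and bool(iface_value))
    return max(all_value, iface_value)

def lookup(table: Dict[str, str], addr: str) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def reverse_path_ok(src: str, iif: str, mode: int, table=MAIN_TABLE) -> bool:
    """Source validation decision for a packet from src arriving on iif."""
    if mode == OFF:
        return True
    egress = lookup(table, src)
    if mode == LOOSE:
        return egress is not None
    return egress == iif  # STRICT

def scenario() -> Dict[str, object]:
    """Reply from an external host arrives on eth2 (uplink B), but the main
    table reaches that host via eth1 (uplink A): an asymmetric return path."""
    src, iif = "203.0.113.10", "eth2"
    return {
        "strict_drops": not reverse_path_ok(src, iif, STRICT),
        "loose_accepts": reverse_path_ok(src, iif, LOOSE),
        "all1_iface0_on_2.6.30": effective_rp_filter(1, 0, (2, 6, 30)),
        "all1_iface0_on_2.6.31": effective_rp_filter(1, 0, (2, 6, 31)),
    }
```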
Comment 2 Konstantin Agouros 2009-12-31 08:52:52 UTC
rp_filter=2 solved the problem.