Packet flow, queue tree mangle bug or something else

titius · May 20, 2008, 2:10pm

Hi, can you please help me, my head will explode , I cannot figure out a simple thing.

Here is the problem.

0   ;;; DOWN_ALL
     chain=prerouting in-interface=WAN action=mark-connection new-connection-mark=ALL_CONN_DOWN 
     passthrough=yes 

 1   chain=prerouting in-interface=WAN connection-mark=ALL_CONN_DOWN action=mark-packet 
     new-packet-mark=ALL_PACK_DOWN passthrough=yes 

 2   chain=prerouting in-interface=WAN connection-mark=ALL_CONN_DOWN action=mark-packet 
     new-packet-mark=REST_DOWN passthrough=no

A very very simple mangle, I know third rule is same as second, but between I have some packet and conn marks for HTTP, properly set with passthrough=no, every thing is counting properly.

For start I added queue tree GLOBAL-IN

0   name="DOWNLOAD" parent=global-in packet-mark=ALL_PACK_DOWN limit-at=0 queue=default 
     priority=8 max-limit=1400000 burst-limit=0 burst-threshold=0 burst-time=0s

This queue dont count ANY packet when last MANGLE is enabled (mangle 2 in this post ), when I disable MANGLE 2 everything is OK.

Why is that happening, the same situation is with complete mangle rules. All mangle rules properly count marked conns and packets.

The idea of the last mangle is to pickup all traffic that is not mangled before so I need that rule.

Very simple to someone but my head cant take it anymore .

mrz · May 20, 2008, 2:32pm

If you enable last rule then packet mark set in previous rule is overwritten from ALL_PACK_DOWN to REST_DOWN
But queue has packet-mark=ALL_PACK_DOWN

titius · May 20, 2008, 2:50pm

hm, so how can I then set all download packet mark to parent global-in?

If I disable last rule then I dont have rest of the connections marked

macgaiver · May 21, 2008, 12:24pm

DO you have all_CONN_UP connection mark? If yes, thats the problem!

Connections can’t be upload or download, usually they are bothdirectional (from conntrack point of view) so you must do

mark all connections
– if interface local - mark all upload packets
– if interface public - mark all download packets

titius · May 21, 2008, 9:57pm

I disabled ALL UP conn marks, whe I tried this. But Ill try your suggestion.

Connections are in both directions, but how can I mark upload and how to mark download ?

macgaiver · May 22, 2008, 6:09am

titius · May 22, 2008, 10:03am

thx, Im exhausted so couldnt see it .

tgrand · May 22, 2008, 12:52pm

Also Note that your rules did not work because

Your rule :
1 chain=prerouting in-interface=WAN connection-mark=ALL_CONN_DOWN action=mark-packet
new-packet-mark=ALL_PACK_DOWN passthrough=yes

Should have been set to passthrough=no

As a result of passing through it matched rule 2 and got remarked.

titius · May 22, 2008, 8:04pm

I have to pass conn mark so packet mark can work. On packet mark I set pass through=no so that marked traffic is not marked twice or more . . .

titius · May 25, 2008, 1:12am

Is there any difference in mangling traffic on MT that is doing NAT and on MT without NAT.

Is there ONE universal way of marking UPLOAD and DOWNLOAD ?

lastguru · May 25, 2008, 1:07pm

there is no difference, you just have to mind changing addresses, that’s all