
RE: Problem with Netfilter (Packet Marking) and ip util





On Thu, 31 Aug 2000, Jonathan Earle wrote:

> Essentially, I am splitting one incoming UDP packet stream into two outbound
> MPLS streams.  The mechanism to split the stream looks at destination ports
> (using the iptables packet marking facility) and marks packets based on
> ranges of ports.  The ip tool is then used to build routing tables based on
> those marks, and the (patched) mplsadm (according to my understanding;
> perhaps my phrasing could be corrected) builds LSPs using those new routing
> tables as a packet source.
> 
> That all works just fine, as long as the mark given by iptables is < 10.  If
> the mark is >= 10, nothing happens.  I tried it today with just plain IP
> routing and the same thing happens.
> 

I didn't know about this code. It seems to be replicating some of the
functionality of the LER policing already existing in James Leu's code.
I could be wrong. So I don't have an answer for you.

> > > 1.  What purpose would a mark on a packet serve?  Why would
> > > people do this?
> > 
> > to uniquely put an "internal to linux" tag that would be used
> > for some purpose.
> 
> The original question remains - why?  If I know *why* someone would do it, I
> can perhaps conduct a test using that function/ability to verify whether the
> mark is being properly placed or not.
> 
> > Turn on netfilter debugging.
> 
> Just did that, and I see nothing via dmesg or the messages file.  The
> iptables manpage didn't contain a reference to 'debug'.  What else do I need
> to do to see output from netfilter debugging?
> 

Netfilter debugging prints a lot of crap; there is no way you can
miss that noise. Turn it on via compile options.

cheers,
jamal