活动

天翼云最新优惠活动,涵盖免费试用,产品折扣等,助您降本增效!
热门活动
免费活动
  • 活动
  • 产品
  • 解决方案
  • 应用商城
  • 合作伙伴
  • 开发者
  • 算力套餐
  • 支持与服务
  • 了解天翼云
searchusermenu
  • 发布文章
  • 消息中心
点赞
收藏
评论
分享
原创

iptables MARK CONNMAK使用

NAT网关天翼云桌面天翼云电脑
2023-05-29 09:00:05
65
0
 
有两个mark :
一个是nfmark在skb中 
一个是ctmark在连接跟踪nf_conn中
 
skb->mark
 
struct nf_conn {
    /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
           plus 1 for any connection(s) we are `master' for */
    struct nf_conntrack ct_general;
 
    spinlock_t lock;
 
    /* XXX should I move this to the tail ? - Y.K */
    /* These are my tuples; original and reply */
    struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
 
    /* Have we seen traffic both ways yet? (bitset) */
    unsigned long status;
 
    /* If we were expected by an expectation, this will be it */
    struct nf_conn *master;
 
    /* Timer function; drops refcnt when it goes off. */
    struct timer_list timeout;
 
#if defined(CONFIG_NF_CONNTRACK_MARK)
    u_int32_t mark;
#endif
 
 
 
-j MARK
 
MARK target options:
  --set-xmark value[/mask]  Clear bits in mask and XOR value into nfmark
  --set-mark value[/mask]   Clear bits in mask and OR value into nfmark
  --and-mark bits           Binary AND the nfmark with bits
  --or-mark bits            Binary OR the nfmark with bits
  --xor-mask bits           Binary XOR the nfmark with bits
  
--and-mark bits
Binary AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary negation of bits.)
--or-mark bits
Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)
--xor-mark bits
Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)  
 
 
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x10002000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x30004000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
  
(1)--set-xmark value[/mask] 解释
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x10002000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x30004000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
如果不写mask,那么默认mask = 0xffffffff
 
[ 4154.859794]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4314 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x10002000
[ 4154.859928]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4314 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x30004000
 
 
 
有掩码的情况
demo2
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x56780000/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
[ 4207.143778]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4378 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x1234
[ 4207.145230]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4378 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x56781234
 
 
demo3
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x5678/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
 
分析--set-xmark 0x1234/0xffff
mark = 0
Clear bits in mask :mark的低16位清零, mark = 0
xOR value into nfmark:0x1234 xor mark --》 mark = 0x1234
 
分析--set-xmark 0x5678/0xffff0000
mark = 0x1234
Clear bits in mask :mark的hi 16位清零, mark = 0x1234
xOR value into nfmark:0x5678 xor mark --》 mark = 0x5678 xor 0x1234 = 0x444c
 
log
[ 4261.102222]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4415 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16434 RES=0x00 ACK PSH URGP=0 MARK=0x1234
[ 4261.102347]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4415 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16434 RES=0x00 ACK PSH URGP=0 MARK=0x444c
 
 
demo4
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x56780000/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
[ 4619.198616]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4495 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16584 RES=0x00 ACK PSH URGP=0 MARK=0x1234
IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4495 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16584 RES=0x00 ACK PSH URGP=0 MARK=0x56781234
 
1 容易混淆的地方、易错的地方:
--set-xmark 0x800000/0xffff0000 很容易写成--set-xmark 0x80/0xffff0000 。
如果0x800000写成0x80 那么是达不到目的的 :nfmark xor 0x80 --》 0x70 xor 0x80 = 0xF0
 
2 另外,看到没有,命中了MARK目标以后还是会继续往下走,如果条件满足了还是会继续命中下一个MARK
 
(2)--set-mark value[/mask]解释
MARK匹配上以后还是继续往下走
 
下面的规则,先匹配mark是0x10002000,然后继续往下又匹配上了,素有mark被覆盖了,变成0x30004000
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x10002000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x30004000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
如果不写mask,那么默认mask = 0xffffffff
 
[11847759.009937]  11111 IN=eno1 OUT= MAC=3c:7c:3f:f0:b0:32:3c:c7:86:39:df:2e:08:00 SRC=192.168.117.30 DST=192.168.89.242 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=6685 DF PROTO=TCP SPT=55282 DPT=22 WINDOW=599 RES=0x00 ACK URGP=0 MARK=0x10002000
[11847759.009943]  22222 IN=eno1 OUT= MAC=3c:7c:3f:f0:b0:32:3c:c7:86:39:df:2e:08:00 SRC=192.168.117.30 DST=192.168.89.242 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=6685 DF PROTO=TCP SPT=55282 DPT=22 WINDOW=599 RES=0x00 ACK URGP=0 MARK=0x30004000
 
有掩码的情况
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x56780000/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
分析--set-mark 0x1234/0xffff
Clear bits in mask and OR value into nfmark
mark = 0
 
Clear bits in mask :
mark的低16位清零, mark = 0
 
OR value into nfmark
把0x1234 or mark --》 mark = 0x1234
 
分析--set-mark 0x56780000/0xffff0000
mark = 0x1234
 
Clear bits in mask :
mark的高16位清零, mark = 0x1234
 
OR value into nfmark
mark = 0x56780000 or 0x1234 = 0x56781234
 
dmesg看到的log
[ 2896.314457]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4113 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16309 RES=0x00 ACK URGP=0 MARK=0x1234
[ 2896.314659]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4113 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16309 RES=0x00 ACK URGP=0 MARK=0x56781234
 
 
主要,如果0x56780000/0xffff0000 --》0x5678/0xffff0000
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x5678/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
分析--set-mark 0x1234/0xffff
Clear bits in mask and OR value into nfmark
mark = 0
 
Clear bits in mask :
mark的低16位清零, mark = 0
 
OR value into nfmark
把0x1234 or mark --》 mark = 0x1234
 
分析--set-mark 0x5678/0xffff0000
mark = 0x1234
 
Clear bits in mask :
mark的高16位清零, mark = 0x1234
 
OR value into nfmark
mark = 0x5678 or 0x1234 = 0x567C
 
dmesg看到的log
[ 2942.927569]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4171 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16310 RES=0x00 ACK PSH URGP=0 MARK=0x1234
[ 2942.927753]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4171 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16310 RES=0x00 ACK PSH URGP=0 MARK=0x567c
 
 
 
 
(3)-m mark
mark match options:
[!] --mark value[/mask]    Match nfmark value with optional mask
 
如果不填mask 默认就是0xffffffff
 
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1234/0xffff #1
iptables -t mangle -A PREROUTING -m mark --mark 0x1234 -j LOG --log-prefix " 11111 " #2
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x56780000/0xffff0000 #3
iptables -t mangle -A PREROUTING -m mark --mark 0x1234  -j LOG --log-prefix " 22222 " #4
 
只会有11111的日志
 
分析
命中#1 之后,mark = 0x1234
 
#2
mark & mask = 0x1234 & 0xffffffff = 0x1234
 
#3 ,mark = 0x56781234
 
#4 -m mark不会命中
mark & mask = 0x56781234 & 0xffffffff = 0x56781234
 
 

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

0条评论
作者已关闭评论
阿莫西林的杂货铺
12文章数
0粉丝数
阿莫西林的杂货铺
12 文章 | 0 粉丝
Ta的热门文章查看更多
非常隐蔽的Shell脚本bug:字符串比较中的空格问题sed -i 破坏文件软连接开启rp_filer导致路由策略不通——内核源码分析iptables MARK CONNMAK使用Linux namespace bug导致上不了网问题排查过程
阿莫西林的杂货铺
12文章数
0粉丝数
阿莫西林的杂货铺
12 文章 | 0 粉丝
原创

iptables MARK CONNMAK使用

NAT网关天翼云桌面天翼云电脑
2023-05-29 09:00:05
65
0
 
有两个mark :
一个是nfmark在skb中 
一个是ctmark在连接跟踪nf_conn中
 
skb->mark
 
struct nf_conn {
    /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
           plus 1 for any connection(s) we are `master' for */
    struct nf_conntrack ct_general;
 
    spinlock_t lock;
 
    /* XXX should I move this to the tail ? - Y.K */
    /* These are my tuples; original and reply */
    struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
 
    /* Have we seen traffic both ways yet? (bitset) */
    unsigned long status;
 
    /* If we were expected by an expectation, this will be it */
    struct nf_conn *master;
 
    /* Timer function; drops refcnt when it goes off. */
    struct timer_list timeout;
 
#if defined(CONFIG_NF_CONNTRACK_MARK)
    u_int32_t mark;
#endif
 
 
 
-j MARK
 
MARK target options:
  --set-xmark value[/mask]  Clear bits in mask and XOR value into nfmark
  --set-mark value[/mask]   Clear bits in mask and OR value into nfmark
  --and-mark bits           Binary AND the nfmark with bits
  --or-mark bits            Binary OR the nfmark with bits
  --xor-mask bits           Binary XOR the nfmark with bits
  
--and-mark bits
Binary AND the nfmark with bits. (Mnemonic for --set-xmark 0/invbits, where invbits is the binary negation of bits.)
--or-mark bits
Binary OR the nfmark with bits. (Mnemonic for --set-xmark bits/bits.)
--xor-mark bits
Binary XOR the nfmark with bits. (Mnemonic for --set-xmark bits/0.)  
 
 
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x10002000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x30004000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
  
(1)--set-xmark value[/mask] 解释
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x10002000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x30004000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
如果不写mask,那么默认mask = 0xffffffff
 
[ 4154.859794]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4314 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x10002000
[ 4154.859928]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4314 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x30004000
 
 
 
有掩码的情况
demo2
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x56780000/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
[ 4207.143778]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4378 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x1234
[ 4207.145230]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4378 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16358 RES=0x00 ACK PSH URGP=0 MARK=0x56781234
 
 
demo3
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x5678/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
 
分析--set-xmark 0x1234/0xffff
mark = 0
Clear bits in mask :mark的低16位清零, mark = 0
xOR value into nfmark:0x1234 xor mark --》 mark = 0x1234
 
分析--set-xmark 0x5678/0xffff0000
mark = 0x1234
Clear bits in mask :mark的hi 16位清零, mark = 0x1234
xOR value into nfmark:0x5678 xor mark --》 mark = 0x5678 xor 0x1234 = 0x444c
 
log
[ 4261.102222]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4415 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16434 RES=0x00 ACK PSH URGP=0 MARK=0x1234
[ 4261.102347]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4415 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16434 RES=0x00 ACK PSH URGP=0 MARK=0x444c
 
 
demo4
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-xmark 0x56780000/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
[ 4619.198616]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4495 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16584 RES=0x00 ACK PSH URGP=0 MARK=0x1234
IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4495 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16584 RES=0x00 ACK PSH URGP=0 MARK=0x56781234
 
1 容易混淆的地方、易错的地方:
--set-xmark 0x800000/0xffff0000 很容易写成--set-xmark 0x80/0xffff0000 。
如果0x800000写成0x80 那么是达不到目的的 :nfmark xor 0x80 --》 0x70 xor 0x80 = 0xF0
 
2 另外,看到没有,命中了MARK目标以后还是会继续往下走,如果条件满足了还是会继续命中下一个MARK
 
(2)--set-mark value[/mask]解释
MARK匹配上以后还是继续往下走
 
下面的规则,先匹配mark是0x10002000,然后继续往下又匹配上了,素有mark被覆盖了,变成0x30004000
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x10002000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x30004000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
如果不写mask,那么默认mask = 0xffffffff
 
[11847759.009937]  11111 IN=eno1 OUT= MAC=3c:7c:3f:f0:b0:32:3c:c7:86:39:df:2e:08:00 SRC=192.168.117.30 DST=192.168.89.242 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=6685 DF PROTO=TCP SPT=55282 DPT=22 WINDOW=599 RES=0x00 ACK URGP=0 MARK=0x10002000
[11847759.009943]  22222 IN=eno1 OUT= MAC=3c:7c:3f:f0:b0:32:3c:c7:86:39:df:2e:08:00 SRC=192.168.117.30 DST=192.168.89.242 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=6685 DF PROTO=TCP SPT=55282 DPT=22 WINDOW=599 RES=0x00 ACK URGP=0 MARK=0x30004000
 
有掩码的情况
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x56780000/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
分析--set-mark 0x1234/0xffff
Clear bits in mask and OR value into nfmark
mark = 0
 
Clear bits in mask :
mark的低16位清零, mark = 0
 
OR value into nfmark
把0x1234 or mark --》 mark = 0x1234
 
分析--set-mark 0x56780000/0xffff0000
mark = 0x1234
 
Clear bits in mask :
mark的高16位清零, mark = 0x1234
 
OR value into nfmark
mark = 0x56780000 or 0x1234 = 0x56781234
 
dmesg看到的log
[ 2896.314457]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4113 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16309 RES=0x00 ACK URGP=0 MARK=0x1234
[ 2896.314659]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4113 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16309 RES=0x00 ACK URGP=0 MARK=0x56781234
 
 
主要,如果0x56780000/0xffff0000 --》0x5678/0xffff0000
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1234/0xffff
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 11111 "
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x5678/0xffff0000
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix " 22222 "
 
分析--set-mark 0x1234/0xffff
Clear bits in mask and OR value into nfmark
mark = 0
 
Clear bits in mask :
mark的低16位清零, mark = 0
 
OR value into nfmark
把0x1234 or mark --》 mark = 0x1234
 
分析--set-mark 0x5678/0xffff0000
mark = 0x1234
 
Clear bits in mask :
mark的高16位清零, mark = 0x1234
 
OR value into nfmark
mark = 0x5678 or 0x1234 = 0x567C
 
dmesg看到的log
[ 2942.927569]  11111 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4171 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16310 RES=0x00 ACK PSH URGP=0 MARK=0x1234
[ 2942.927753]  22222 IN=ens33 OUT= MAC=00:0c:29:d8:08:72:00:50:56:c0:00:08:08:00 SRC=192.168.72.1 DST=192.168.72.134 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=4171 DF PROTO=TCP SPT=50351 DPT=22 WINDOW=16310 RES=0x00 ACK PSH URGP=0 MARK=0x567c
 
 
 
 
(3)-m mark
mark match options:
[!] --mark value[/mask]    Match nfmark value with optional mask
 
如果不填mask 默认就是0xffffffff
 
iptables -t mangle -F
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1234/0xffff #1
iptables -t mangle -A PREROUTING -m mark --mark 0x1234 -j LOG --log-prefix " 11111 " #2
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x56780000/0xffff0000 #3
iptables -t mangle -A PREROUTING -m mark --mark 0x1234  -j LOG --log-prefix " 22222 " #4
 
只会有11111的日志
 
分析
命中#1 之后,mark = 0x1234
 
#2
mark & mask = 0x1234 & 0xffffffff = 0x1234
 
#3 ,mark = 0x56781234
 
#4 -m mark不会命中
mark & mask = 0x56781234 & 0xffffffff = 0x56781234
 
 

版权声明:本文内容系天翼云实名用户自发贡献,版权归原作者所有,天翼云开发者社区不拥有其著作权,亦不承担相应法律责任,未经许可,不得转载。

如有疑问或争议,请联系ctyunbbs@chinatelecom.cn删除。

文章来自个人专栏
网络疑难杂症
12 文章 | 1 订阅
0条评论
作者已关闭评论
作者已关闭评论
0
0
售前咨询热线
400-810-9889转1
关注天翼云
  • 天翼云微信公众号
  • APP
    天翼云APP
服务与支持
账户管理
快速入口
云网生态
了解天翼云
热门产品
热门推荐
更多推荐
友情链接
©2024 天翼云科技有限公司版权所有 增值电信业务经营许可证A2.B1.B2-20090001
公司地址:北京市东城区青龙胡同甲1号、3号2幢2层205-32室
备案京公网安备11010802043424号京ICP备 2021034386号