05-20-2011 #1 (Just Joined!, Join Date: May 2011, Posts: 4)
Applying iptables fw rules failed when using MARK target
Hi all.
I want to limit bandwidth by using tc and iptables, following: lartc.org/howto/lartc.cookboo...nat.intro.html
I use these commands:
I tried testing this system without saving iptables, and it works well....
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 192.168.68.0/24 flowid 1:1
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 9 fw flowid 1:1
...
iptables -t nat -A POSTROUTING -s 192.168.68.0/24 -o eth0 -j SNAT --to-source 192.168.5.32
iptables -t mangle -A PREROUTING -p tcp -j MARK --set-mark 0x9
...
Then I save iptables, and it's OK. But when I restart iptables, it fails.
My iptables configuration:
# Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
*mangle
:PREROUTING ACCEPT [449:39586]
:INPUT ACCEPT [267:24250]
:FORWARD ACCEPT [3:234]
:OUTPUT ACCEPT [93:9734]
:POSTROUTING ACCEPT [96:9968]
[121:9364] -A PREROUTING -p tcp -j MARK --set-mark 0xffffffff00000009
COMMIT
# Completed on Fri May 20 09:38:45 2011
# Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
*nat
:PREROUTING ACCEPT [3478:297455]
:OUTPUT ACCEPT [3:213]
:POSTROUTING ACCEPT [0:0]
[36:2436] -A POSTROUTING -o eth0 -j MASQUERADE
[10:632] -A POSTROUTING -s 192.168.68.0/24 -o eth0 -p tcp -j SNAT --to-source 10.0.9.2:1024-2037
COMMIT
# Completed on Fri May 20 09:38:45 2011
# Generated by iptables-save v1.4.0 on Fri May 20 09:38:45 2011
*filter
:INPUT ACCEPT [25477:2154067]
:FORWARD ACCEPT [2710:455845]
:OUTPUT ACCEPT [18600:6343828]
COMMIT
Line 9 contains COMMIT. Restart iptables:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 9 failed
[FAILED]
Line 8 contains:
-A PREROUTING -p tcp -j MARK --set-mark 0xffffffff00000009
I think the error is in line 8. So I delete line 8 in the iptables file. Restart: it's OK, no error.
Of course, it then can't mark packets, and the system can't run as I expect.
What can I do to fix this error?
Thanks all.
PS: sorry, my English is not OK.
05-21-2011 #2 (Just Joined!, Join Date: Sep 2007, Location: Silver Spring, MD, Posts: 84)
Questions about iptables mangle function
===============
When I tried to run the command in line 9, it gave me this error:
iptables v1.4.10: MARK: Bad value for "--set-xmark/--set-mark" option: "0xffffffff00000009"
The decimal value for this number is 1844674409414584000. Is there something in particular you are looking for? When I looked on the web for this number, it referred to malware.
You might want to try the following:
iptables -t nat -A PREROUTING -p tcp -t mangle -m mark --mark 0x9
Because when I run this command
iptables -t nat -A PREROUTING -p tcp -t mangle -m mark --mark ffffffff00000009
iptables v1.4.10: mark: Bad value for "--mark" option: "ffffffff00000009"
It seems the value is a bad value. Is there something else you can use, or is there a reason why you need this value?
Please advise.
Todd
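Both posts turn on the same point: the mark that ended up in the saved file (0xffffffff00000009) does not fit the 32-bit packet mark, so iptables rejects it and iptables-restore aborts on restart. The POSIX shell script below is an added example, not code from either poster: it scans an iptables-save dump for `--set-mark`, `--set-xmark` and `--mark` tokens whose value or `/mask` part exceeds 32 bits, so a bad save can be caught before it is handed to iptables-restore. `SAMPLE_DUMP`, `strip_leading_zeros`, `mark_fits_32bit` and `check_marks` are names chosen for this example; the sample dump is constructed, modelled on the mangle table in the original post.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the mark values in an
# iptables-save dump before handing it to iptables-restore.
# The packet mark is a 32-bit field, so --set-mark / --set-xmark / --mark
# tokens above 0xffffffff (in the value or the /mask part) are rejected, and
# iptables-restore then aborts the table it is loading. Checking the dump
# first keeps a bad save from emptying the mangle table on the next restart.

# Constructed sample dump modelled on the thread's mangle table (line 4
# carries the oversized value shown in the original post).
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
[121:9364] -A PREROUTING -p tcp -j MARK --set-mark 0xffffffff00000009
-A PREROUTING -p udp -j MARK --set-mark 0x9
-A OUTPUT -m mark --mark 0x9/0xffffffff -j ACCEPT
COMMIT'

# strip_leading_zeros STRING: print STRING without leading zeros, keeping a
# single "0" when the string was all zeros (so 0x0 stays a valid mark).
strip_leading_zeros() {
    s=$1
    out=${s#"${s%%[!0]*}"}
    if [ -z "$out" ] && [ -n "$s" ]; then out=0; fi
    printf '%s' "$out"
}

# mark_fits_32bit TOKEN: return 0 when TOKEN (hex or decimal, optionally
# followed by /MASK in the same forms) fits in 32 bits, 1 otherwise.
mark_fits_32bit() {
    tok=$1
    # value first, then mask (the mask part equals the value when absent)
    for part in "${tok%%/*}" "${tok#*/}"; do
        case "$part" in
            0x*|0X*)
                hex=$(strip_leading_zeros "${part#0?}")
                case "$hex" in ''|*[!0-9a-fA-F]*) return 1 ;; esac  # not hex
                [ ${#hex} -le 8 ] || return 1 ;;                    # > 8 hex digits
            ''|*[!0-9]*) return 1 ;;                                 # empty / not a number
            *)
                dec=$(strip_leading_zeros "$part")
                [ ${#dec} -le 10 ] || return 1                       # > 10 digits
                # a 10-digit number fits shell arithmetic, so compare numerically
                if [ ${#dec} -eq 10 ] && [ "$dec" -gt 4294967295 ]; then return 1; fi ;;
        esac
    done
    return 0
}

# check_marks DUMP_TEXT: print the 1-based dump line number of every rule whose
# --set-mark / --set-xmark / --mark token does not fit in 32 bits.
check_marks() {
    printf '%s\n' "$1" | awk '
        /--set-mark|--set-xmark|--mark/ {
            for (i = 1; i < NF; i++)
                if ($i == "--set-mark" || $i == "--set-xmark" || $i == "--mark")
                    print NR, $(i + 1)
        }' | while read -r lineno tok; do
        mark_fits_32bit "$tok" || printf '%s\n' "$lineno"
    done
}

# Usage: check_marks "$(cat /etc/sysconfig/iptables)"  (path is an example);
# any line number printed is a rule iptables-restore would reject.
check_marks "$SAMPLE_DUMP"
```

The script reports the offending dump line (4 in the sample) rather than rewriting it, because the right 32-bit value is a decision for whoever owns the tc filters: the `fw` classifier in the original post expects handle 9, so the rule must set mark 0x9, not a mask-shaped 64-bit number.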