Posted: Sat Jul 07, 2012 20:06 Post subject: layer7 protocol rules never match any packets
I am using DD-WRT v24-sp2 (03/19/12) std (SVN revision 18777) installed on a D-Link DIR-825 rev. B1 router. I've enabled QoS in the web GUI, and added a "Services Priority" entry for service name "ssh" with priority "Express".
Unfortunately, inspecting "/proc/net/ip_conntrack" on the router shows that this rule is not being applied. All SSH-related connections are listed with "mark=0". Running "iptables -t mangle -L -v" shows that the "FILTER_IN" and "FILTER_OUT" chains each have a rule added that ought to match the SSH protocol, but that the packet counts matched by these rules remain at 0:
Quote:
 pkts bytes target     prot opt in     out     source               destination
...
    0     0 MARK       0    --  any    any     anywhere             anywhere            LAYER7 l7proto ssh MARK set 0x14
I also notice a similar rule on the "FILTER_OUT" chain that ought to be matching DNS traffic. It too has a packet count of 0, showing that it never matched anything:
Quote:
 pkts bytes target     prot opt in     out     source               destination
...
    0     0 MARK       0    --  any    any     anywhere             anywhere            LAYER7 l7proto dns MARK set 0xe
As a sanity check, I used the web GUI to define my own service corresponding to any TCP on port 22. This resulted in two rules added to both the "FILTER_IN" and "FILTER_OUT" chains:
Quote:
 pkts bytes target     prot opt in     out     source               destination
...
   82  8429 MARK       tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh MARK set 0x14
   61  7097 MARK       tcp  --  any    any     anywhere             anywhere            tcp spt:ssh MARK set 0x14
Notice here that the packet counts (1st column) are nonzero, showing that these rules did match some packets. So the iptables "mangle" tables are being used, but it seems that the "LAYER7 l7proto" rules are just not matching anything, ever.
What's going wrong here? How can I debug this further? Any hints would be much appreciated.
Great, thank you! Can you give any more info, just to satisfy my curiosity (and impatience)? Is there a tracker bug for this? A commit I could look at? A suggested workaround in the meantime?
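The check described in the first post (zero packet counters on the LAYER7 rules, non-zero counters on the port rules, "mark=0" in conntrack), as an added shell example that is not part of the original thread. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: the sample data is constructed, modelled on the output quoted in the post.
sample_mangle() {
cat <<'EOF'
Chain FILTER_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       0    --  any    any     anywhere             anywhere            LAYER7 l7proto ssh MARK set 0x14
    0     0 MARK       0    --  any    any     anywhere             anywhere            LAYER7 l7proto dns MARK set 0xe
   82  8429 MARK       tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh MARK set 0x14
   61  7097 MARK       tcp  --  any    any     anywhere             anywhere            tcp spt:ssh MARK set 0x14
EOF
}

sample_conntrack() {   # second line shows what a working rule would leave (0x14 = 20)
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=22 src=203.0.113.5 dst=198.51.100.7 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.11 dst=203.0.113.9 sport=40022 dport=22 src=203.0.113.9 dst=198.51.100.7 sport=22 dport=40022 [ASSURED] mark=20 use=1
udp      17 25 src=192.168.1.10 dst=192.168.1.1 sport=50000 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=50000 mark=0 use=1
EOF
}

# Print "<chain> <l7proto>" for every LAYER7 rule whose packet counter is still 0.
l7_zero_hits() {
  awk '
    $1 == "Chain" { chain = $2; next }
    $1 ~ /^[0-9]+[KMG]?$/ {
      for (i = 1; i < NF; i++)
        if ($i == "l7proto" && $1 == "0") print chain, $(i + 1)
    }'
}

# Count MARK rules that matched at least one packet (shows the mangle table is in use).
rules_with_hits() {
  awk '$1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" && $3 == "MARK" { n++ } END { print n + 0 }'
}

# Count conntrack entries for destination port $1 that are still unmarked.
unmarked_conns() {
  awk -v p="dport=$1" '
    { hit = 0; unmarked = 0
      for (i = 1; i <= NF; i++) { if ($i == p) hit = 1; if ($i == "mark=0") unmarked = 1 }
      if (hit && unmarked) n++ }
    END { print n + 0 }'
}

# On the router: iptables -t mangle -L -v | l7_zero_hits ; unmarked_conns 22 < /proc/net/ip_conntrack
sample_mangle | l7_zero_hits
sample_conntrack | unmarked_conns 22
```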