Magic Connmark

Netfilter
----------

RAW table:
----------
Chain PREROUTING (policy ACCEPT 14754 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    40 TRACE      all  --  vlan99 *       10.1.99.0/24         10.11.12.0/24
2        1    40 CT         all  --  vlan99 *       10.1.99.0/24         10.11.12.0/24       ADDRTYPE match dst-type !LOCAL CT notrack

-A PREROUTING -s 10.1.99.0/24 -d 10.11.12.0/24 -i vlan99 -j TRACE
-A PREROUTING -s 10.1.99.0/24 -d 10.11.12.0/24 -i vlan99 -m addrtype ! --dst-type LOCAL -j CT --notrack

MANGLE Table:
-------------

Chain PREROUTING (policy ACCEPT 2987K packets, 3344M bytes)
num   pkts bytes target     prot opt in     out     source               destination

29       0     0 CONNMARK   tcp  --  eth1   *       65.114.94.226        205.215.64.40       tcp dpt:8443 ! match-set rtr_rfc1918_net dst CONNMARK set 0x2
30       1    40 MARK       all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0           connmark match 0x2 MARK set 0x65
31       1    40 ACCEPT     all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0           connmark match 0x2

-A RTR_PRE -s 65.114.94.226/32 -d 205.215.64.40/32 -i eth1 -p tcp -m tcp --dport 8443 -m set ! --match-set rtr_rfc1918_net dst -j CONNMARK --set-xmark 0x2/0xffffffff
-A RTR_PRE -i vlan99 -m connmark --mark 0x2 -j MARK --set-xmark 0x65/0xffffffff
-A RTR_PRE -i vlan99 -m connmark --mark 0x2 -j ACCEPT

NAT Table:
----------

Chain PREROUTING (policy ACCEPT 47102 packets, 4112K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           connmark match 0x2 to:10.1.99.10:8443

-A PREROUTING -p tcp -m connmark --mark 0x2 -j DNAT --to-destination 10.1.99.10:8443

Problem machine specifics:
--------------------------
Linux 3.2.24
IPset 6.13
IPTables 1.4.8
Conntrackd 0.9.14
iproute 20120105

All logs taken while generating a single TCP SYN packet on a remote machine destin to vlan99 interface on broken target:
sendip -v -p ipv4 -p tcp -is 10.1.99.11 -id 10.11.12.25 -ts 12345 -td 443 10.1.99.2

TRACE OUTPUT: (with connmark_trace.patch applied)
-------------

Aug  8 15:02:51 rtr1 kernel: [92859.376260] TRACE: raw:PREROUTING:rule:2 IN=vlan99 OUT= MAC=00:25:90:51:d5:0c:00:16:3e:01:07:f1:08:00 SRC=10.1.99.11 DST=10.11.12.25 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=38583 PROTO=TCP SPT=12345 DPT=443 SEQ
=2197736709 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  8 15:02:51 rtr1 kernel: [92859.421921] TRACE: raw:PREROUTING:rule:3 IN=vlan99 OUT= MAC=00:25:90:51:d5:0c:00:16:3e:01:07:f1:08:00 SRC=10.1.99.11 DST=10.11.12.25 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=38583 PROTO=TCP SPT=12345 DPT=443 SEQ
=2197736709 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 CONNMARK=0x2/0x2
Aug  8 15:02:51 rtr1 kernel: [92860.104887] TRACE: raw:PREROUTING:policy:4 IN=vlan99 OUT= MAC=00:25:90:51:d5:0c:00:16:3e:01:07:f1:08:00 SRC=10.1.99.11 DST=10.11.12.25 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=38583 PROTO=TCP SPT=12345 DPT=443 SEQ=2197736709 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 CONNMARK=0x2/0x2
Aug  8 15:02:51 rtr1 kernel: [92860.158996] TRACE: mangle:PREROUTING:rule:1 IN=vlan99 OUT= MAC=00:25:90:51:d5:0c:00:16:3e:01:07:f1:08:00 SRC=10.1.99.11 DST=10.11.12.25 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=38583 PROTO=TCP SPT=12345 DPT=443 SEQ=2197736709 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 CONNMARK=0x2/0x2