Re: [mpls-linux-devel] iptables filtering problem
From: James R. L. <jl...@mi...> - 2007-12-20 14:32:36
On Thu, Dec 20, 2007 at 03:23:05PM +0100, Tom Kleiberg wrote:
> Hello all,
>
> I have run into another problem with iptables. However, I am not fully
> certain if it is related to the mpls implementation or possibly an
> iptables bug. The following is happening:
>
> 1. I set up an explicit LSP using the mpls cli
> 2. create a rule in the mangle table, POSTROUTING chain, where the
> target is the mpls key. Furthermore, I use a filter expression where I
> filter on the protocol, source and destination IP address and
> port numbers.
> 3. Now, when I send packets from this node to the destination, and use
> tcpdump to monitor the packets, I correctly see the MPLS packets
> appearing.
>
> So far, so good. But when I use another port number or protocol to send
> the packets (without changing the iptables rule), I STILL see MPLS
> packets. Moreover, when I remove the rule from the IPTABLES but not
> the LSP, I still see the MPLS packets. This is unwanted behavior, I

The issue you mention about removing the rule not stopping the flow on
the LSP is a known issue. It is because iptables does not flush the
route cache after removing rules. It's been a while since I looked at
that issue. Can you try manually flushing the route cache after
removing the iptables rule and see if that 'fixes' it?

As for your other issue where other ports are being matched by the same
iptables rule, I haven't heard of that before. Please give example
commands so I can duplicate that one.

> think. I have also tried sending packets at different port numbers
> BEFORE sending any packet over the LSP, and then the behavior is as
> expected, namely that there are no MPLS packets created.

That is because MPLS flushes the route cache when it removes NHLFE.

> After the LSP is removed, the MPLS packets correctly disappear.
>
> As I said earlier, I am not sure if it is an iptables problem, because
> to test it, I require some other mangle target and so far MPLS is the
> only one I have up and running. Perhaps anybody can confirm this behavior?
>
> I am using the 1.959 version of mpls linux together with FC6.
>
> p.s. The problem also occurs for the OUTPUT chain.
>
> Kind regards,
>
> Tom
> t.k...@gm...
>
> _______________________________________________
> mpls-linux-devel mailing list
> mpl...@li...
> https://lists.sourceforge.net/lists/listinfo/mpls-linux-devel

--
James R. Leu
jl...@mi...
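The check James asks for, written out as a shell script. This is an added example, not code from the thread or from the mpls-linux project: it adds the mangle rule, sends a probe, removes the rule, shows that the cached output route toward the destination survives the rule removal, and shows that it is gone only after `ip route flush cache`. The addresses, port, interface and NHLFE key (0x2) are assumed lab values, the `-j mpls --nhlfe` target syntax is assumed to match the mpls-linux iptables target of that era and should be checked against the installed version, and the `ip route show cache` lines used for the self-check are constructed samples of 2.6-era output, not captured ones. The live part needs root and a kernel that still has a route cache.

```shell
#!/bin/sh
# Added example (not from the thread or mpls-linux). Reproduces the
# "rule removed, LSP still carrying traffic" behaviour and confirms that
# flushing the route cache is what stops it. Lab values are assumptions.

DST=10.0.0.2          # LSP egress / destination host (assumed)
SRC=10.0.0.1          # this node (assumed)
PORT=5000             # port the mangle rule matches (assumed)
OTHER_PORT=5001       # a port the rule does NOT match (assumed)
IFACE=eth0            # outgoing interface (assumed)
NHLFE_KEY=0x2         # key printed by 'mpls nhlfe add ...' (assumed)

# The mangle rule Tom describes: protocol, source, destination, port,
# target mpls. Target syntax is an assumption; check your iptables build.
rule_spec() {
    echo "-p udp -s $SRC -d $DST --dport $PORT -j mpls --nhlfe $NHLFE_KEY"
}

# Count cached route entries toward a destination in 'ip route show cache'
# output read from stdin. A stale entry here is what keeps traffic flowing
# into the LSP after the iptables rule is gone. Matches both the plain
# "DST from ..." form and the "local DST ..." form.
count_cached_routes() {
    awk -v dst="$1" '
        $1 == dst || ($1 == "local" && $2 == dst) { n++ }
        END { print n + 0 }'
}

# Constructed samples of 2.6-era 'ip route show cache' output (not captured
# from a real box): two cached entries toward DST before the flush, none
# after it.
SAMPLE_CACHE_BEFORE='10.0.0.2 from 10.0.0.1 dev eth0  cache  mtu 1500 advmss 1460 hoplimit 64
10.0.0.2 from 10.0.0.1 dev eth0  cache  mtu 1500 advmss 1460 hoplimit 64
10.0.0.5 from 10.0.0.1 dev eth0  cache  mtu 1500 advmss 1460 hoplimit 64'
SAMPLE_CACHE_AFTER=''

# Send one UDP datagram so the output route toward DST gets looked up,
# cached and (with the rule present) labelled. netcat flag spelling
# varies between flavours; failure here is not fatal.
send_probe() {
    echo probe | nc -u -w1 "$DST" "$1" 2>/dev/null || true
}

cached_now() {
    ip route show cache | count_cached_routes "$DST"
}

# Run the lab. Watch labelled traffic from another window with:
#   tcpdump -ni "$IFACE" mpls
run_lab() {
    iptables -t mangle -A POSTROUTING $(rule_spec)
    send_probe "$PORT"
    echo "rule in place:              cached routes to $DST = $(cached_now)"
    # The thread reports labelled packets here too, although the rule
    # does not match this port; tcpdump tells you whether you see it.
    send_probe "$OTHER_PORT"

    iptables -t mangle -D POSTROUTING $(rule_spec)
    echo "after 'iptables -D':        cached routes to $DST = $(cached_now)"
    # tcpdump still shows this probe labelled while the entry is cached.
    send_probe "$PORT"

    ip route flush cache
    echo "after 'ip route flush cache': cached routes to $DST = $(cached_now)"
    # This probe goes out unlabelled, which is what Tom expected on
    # rule removal alone.
    send_probe "$PORT"
}

if [ "${1:-}" = run ]; then
    run_lab
fi
```

Run it as `sh lab.sh run` as root; without the `run` argument it only defines the functions, so the self-check on the constructed samples can be exercised with `printf '%s\n' "$SAMPLE_CACHE_BEFORE" | count_cached_routes 10.0.0.2`. The point of counting cache entries rather than only watching tcpdump is that it separates the two halves of the problem: whether the rule is gone from the mangle table (check `iptables -t mangle -L POSTROUTING -n`) and whether a cached route still carries the NHLFE.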