Re: [mpls-linux-devel] iptables filtering problem
From: Tom K. <t.k...@gm...> - 2007-12-20 15:07:34
Ok, here's some output:

First, I create the LSP. The show commands then give this (this all is only at the source node):

[root@london ~]# mpls nhlfe show;mpls ilm show;mpls xc show
NHLFE entry key 0x0000000d mtu 1496 propagate_ttl
        push gen 2001 set eth0 ipv4 10.0.0.2 (5953 bytes, 55 pkts)
[root@london ~]# iptables -t mangle -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1572K packets, 989M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@london ~]#

Then I install the iptables rule:

sudo /sbin/iptables -t mangle -A POSTROUTING -s 10.0.0.1 -d 10.0.0.10 -p udp --source-port 4001 --destination-port 4001 -j mpls --nhlfe 0xd

and I get the following output:

[root@london ~]# iptables -t mangle -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1572K packets, 989M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 mpls       udp  --  *      *       10.0.0.1             10.0.0.10            udp spt:4001 dpt:4001 nhlfe 0xd

Then I generate traffic with D-ITG, source port 4000, destination port 4001:

./ITGSend -a 10.0.0.10 -sp 4000 -rp 4001 -T udp -C 100 -c 100 -t 200

This TG may be less known; I know it functions correctly.

tcpdump now provides me:

[root@london ~]# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:55:57.273472 IP 10.0.0.2 > 224.0.0.5: OSPFv2, Hello, length: 48
15:55:57.603225 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 64
15:55:57.603774 IP 10.0.0.10.cslistener > 10.0.0.1.49535: S 1050046578:1050046578(0) ack 807773929 win 5792 <mss 1460,sackOK,timestamp 19088753 91726072,nop,wscale 6>
15:55:57.603818 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 56
15:55:57.604142 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 57
15:55:57.604520 IP 10.0.0.10.cslistener > 10.0.0.1.49535: . ack 2 win 91 <nop,nop,timestamp 19088753 91726073>
15:55:57.604772 IP 10.0.0.10.cslistener > 10.0.0.1.49535: P 1:2(1) ack 2 win 91 <nop,nop,timestamp 19088753 91726073>
15:55:57.604791 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 56
15:55:57.605121 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 88
15:55:57.605770 IP 10.0.0.10.cslistener > 10.0.0.1.49535: P 2:7(5) ack 34 win 91 <nop,nop,timestamp 19088755 91726074>
15:55:57.605793 IP 10.0.0.10.ssh > 10.0.0.1.59039: P 3912795675:3912795739(64) ack 3675589473 win 202 <nop,nop,timestamp 19088755 91641952>
15:55:57.605810 IP 10.0.0.1.59039 > 10.0.0.10.ssh: . ack 64 win 901 <nop,nop,timestamp 91726074 19088755>
15:55:57.629558 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.639542 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.644828 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 56
15:55:57.649531 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.659535 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.669530 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.679529 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.689529 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.699528 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.709527 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.719529 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.729530 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.739529 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.749529 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.759529 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.769530 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.779530 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.789528 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.799528 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.809527 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.819528 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 132
15:55:57.829699 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 61
15:55:57.830388 IP 10.0.0.10.ssh > 10.0.0.1.59039: P 64:128(64) ack 1 win 202 <nop,nop,timestamp 19088970 91726074>
15:55:57.830415 IP 10.0.0.1.59039 > 10.0.0.10.ssh: . ack 128 win 901 <nop,nop,timestamp 91726299 19088970>
15:55:57.871862 IP 10.0.0.10.cslistener > 10.0.0.1.49535: . ack 39 win 91 <nop,nop,timestamp 19089010 91726298>
15:55:58.636585 IP 10.0.0.1 > 224.0.0.5: OSPFv2, Hello, length: 48
15:55:58.830796 IP 10.0.0.10.cslistener > 10.0.0.1.49535: P 7:12(5) ack 39 win 91 <nop,nop,timestamp 19089932 91726298>
15:55:58.830837 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 56
15:55:58.830886 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 57
15:55:58.831542 IP 10.0.0.10.cslistener > 10.0.0.1.49535: . ack 40 win 91 <nop,nop,timestamp 19089933 91727300>
15:55:58.831560 IP 10.0.0.10.cslistener > 10.0.0.1.49535: P 12:13(1) ack 40 win 91 <nop,nop,timestamp 19089933 91727300>
15:55:58.831570 IP 10.0.0.10.cslistener > 10.0.0.1.49535: F 13:13(0) ack 40 win 91 <nop,nop,timestamp 19089933 91727300>
15:55:58.831612 MPLS (label 2001, exp 0, [S], ttl 64), IP, length: 56
15:55:58.832043 IP 10.0.0.10.cslistener > 10.0.0.1.49535: . ack 41 win 91 <nop,nop,timestamp 19089933 91727301>
15:56:02.602053 arp who-has 10.0.0.1 tell 10.0.0.2
15:56:02.602068 arp reply 10.0.0.1 is-at 00:08:74:ad:25:01
15:56:07.274025 IP 10.0.0.2 > 224.0.0.5: OSPFv2, Hello, length: 48
15:56:08.637429 IP 10.0.0.1 > 224.0.0.5: OSPFv2, Hello, length: 48
15:56:17.274825 IP 10.0.0.2 > 224.0.0.5: OSPFv2, Hello, length: 48
15:56:18.638299 IP 10.0.0.1 > 224.0.0.5: OSPFv2, Hello, length: 48
56 packets captured
112 packets received by filter
0 packets dropped by kernel
[root@london ~]#

and iptables:

[root@london ~]# iptables -t mangle -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1572K packets, 989M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 mpls       udp  --  *      *       10.0.0.1             10.0.0.10            udp spt:4001 dpt:4001 nhlfe 0xd
[root@london ~]#

So, we can see that the packet counters have not increased in iptables, yet the packets are "mapped" on the NHLFE target. I hope this helps.

Kind regards,
Tom
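Two things a reader would want to check against the listings above are whether the per-rule counter moved at all between the two `iptables -t mangle -vnL POSTROUTING` captures, and whether the flow that ITGSend actually emitted (UDP, source port 4000, destination port 4001) is one the posted rule would match at all, given that the rule carries `udp spt:4001 dpt:4001`. The script below is an added example, not code from the post or from the mpls-linux project. It embeds the two listings copied from the post, plus a third, constructed listing with a non-zero counter to show what a hit would look like; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post or the mpls-linux project): diff a rule's packet
# counter between two `iptables -t mangle -vnL POSTROUTING` listings and test a 5-tuple
# against the rule's match columns. Everything runs offline on embedded text.

# Listing from the post, captured before ITGSend ran (counter 0).
BEFORE='Chain POSTROUTING (policy ACCEPT 1572K packets, 989M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 mpls       udp  --  *      *       10.0.0.1             10.0.0.10            udp spt:4001 dpt:4001 nhlfe 0xd'

# Listing from the post, captured after ITGSend ran: identical, the counter stayed 0.
AFTER=$BEFORE

# Constructed, hypothetical listing of what a 100-packet hit would look like.
AFTER_HIT='Chain POSTROUTING (policy ACCEPT 1572K packets, 989M bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6400 mpls       udp  --  *      *       10.0.0.1             10.0.0.10            udp spt:4001 dpt:4001 nhlfe 0xd'

# rule_line LISTING TARGET: print the first rule whose target column equals TARGET.
# Columns of a -vnL listing: pkts bytes target prot opt in out source destination [matches...]
rule_line() {
  printf '%s\n' "$1" | awk -v t="$2" '$3 == t { print; exit }'
}

# rule_pkts LISTING TARGET: that rule's packet counter (empty if the rule is absent).
# On a live box capture with `iptables -t mangle -vnxL POSTROUTING` so large counters
# are printed exactly instead of abbreviated like the 1572K on the policy line.
rule_pkts() {
  rule_line "$1" "$2" | awk '{ print $1 }'
}

# counter_delta BEFORE AFTER TARGET: packets the rule matched between the two captures.
counter_delta() {
  b=$(rule_pkts "$1" "$3")
  a=$(rule_pkts "$2" "$3")
  echo $(( ${a:-0} - ${b:-0} ))
}

# flow_matches RULE_LINE SRC DST PROTO SPORT DPORT: exit 0 if this 5-tuple would hit the
# rule. Interface columns are ignored (the posted rule has '*' for both); an address of
# 0.0.0.0/0 or a protocol of "all" means "any". Port matches are read from spt:/dpt:.
flow_matches() {
  printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v proto="$4" -v sport="$5" -v dport="$6" '
    NF < 9 { exit 1 }
    $4 != "all" && $4 != proto { exit 1 }
    $8 != "0.0.0.0/0" && $8 != src { exit 1 }
    $9 != "0.0.0.0/0" && $9 != dst { exit 1 }
    {
      for (i = 10; i <= NF; i++) {
        if ($i ~ /^spt:/ && substr($i, 5) != sport) exit 1
        if ($i ~ /^dpt:/ && substr($i, 5) != dport) exit 1
      }
      exit 0
    }'
}

# Demo on the posted data: the ITGSend flow uses source port 4000, the rule wants 4001.
RULE=$(rule_line "$AFTER" mpls)
echo "mpls rule matched $(counter_delta "$BEFORE" "$AFTER" mpls) packets between the two listings"
for sp in 4000 4001; do
  if flow_matches "$RULE" 10.0.0.1 10.0.0.10 udp "$sp" 4001; then
    echo "udp 10.0.0.1:$sp -> 10.0.0.10:4001 would hit the rule"
  else
    echo "udp 10.0.0.1:$sp -> 10.0.0.10:4001 would NOT hit the rule (spt:4001 required)"
  fi
done
```

To use it on a live box, save the chain listing before and after the ITGSend run and pass the two strings to `counter_delta`; a delta of 0 while tcpdump still shows labelled packets means the labels are not coming from this rule, and `flow_matches` tells you whether the generator's ports were ever going to satisfy the rule's `spt:`/`dpt:` matches in the first place.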