Re: [mpls-linux-general] problems with classes and iptables
From: Anthony R. M. <to...@cy...> - 2008-04-23 12:48:55
Any packet modifications need to be done on the mangle table. Doing them on the forward chain will work, but PREROUTING, or POSTROUTING would probably be more effective.

A friend of mine worked up a wonderful diagram on packet flow through the kernel. You can reference it here. (I think this is the newest version)
http://imagestream.com/~josh/PacketFlow-new.png

-Tony

--
Anthony R. Mattke
Senior Network Engineer
CyberLink International
888.293.3693 x4353
to...@cy...

luc...@li... wrote:
> I tried to launch the same command on the mangle table, and it seems to work.
>
> [root@z10n ~]# iptables -t mangle -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe 0x02
>
> [root@z10n ~]# iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> mpls       all  --  172.16.30.0/24       anywhere            DSCP match 0x1a nhlfe 0x2
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
>
> Now I'll try if it works, but it seems that the problem was putting the rule on the mangle table instead of the (default) filter table.
> Thanks a lot, I'll keep you posted.
> Luca
>
>
> ---------- Initial Header -----------
> >>From : "James R. Leu" jl...@mi...
> To : "luc...@li..." luc...@li...
> Cc : "mpls-linux-general" mpl...@li...
> Date : Tue, 22 Apr 2008 08:07:36 -0500
> Subject : Re: [mpls-linux-general] problems with classes and iptables
>
>
>> If I remember correctly the MPLS target should only be used
>> in the POSTROUTE or OUTPUT chains, quite possibly only in the 'mangle' table.
>>
>> On Tue, Apr 22, 2008 at 11:08:40AM +0200, luc...@li... wrote:
>>> Hello,
>>> I'm trying to differentiate traffic flows in MPLS by marking DSCP field at the source and using scheduling strategies at the LER.
>>> I tried to follow the mpls-linux labs for congestion, in which I found something similar to my case.
>>> In that case the steps are:
>>> 1- mapping DSCP on EXP bits of mpls header
>>> 2- mapping EXP on the tcindex (scheduling strategy)
>>>
>>> In the script by Adrian Popa there are the following commands:
>>>
>>> var_best1=`mpls nhlfe add key 0 instructions ds2exp 0xf 0x1A 0x3 exp2tc 0x3 0x1 push gen 300 nexthop ath1 ipv4 10.0.5.3|grep key|cut -c 17-26`
>>>
>>> iptables -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe $var_best1
>>>
>>> the iptables command answers to me:
>>> iptables: Invalid argument
>>>
>>> I've attached also the result of the command:
>>> strace iptables -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe 0x02
>>>
>>> (0x02 is the previously generated key)
>>>
>>> I don't understand where's the problem: I've followed the example and it seems that the problem is in the -j target of iptables...
>>> Could you please help me?
>>>
>>>
>>> Actually what I'd like to do is quite simpler: it would be enough to simply give a different mpls label to every class and then associate each label (flow) with a scheduling strategy, without marking exp bits...is it possible?
>>> Thanks in advance,
>>> Luca
>>>
>>>
>>> execve("/sbin/iptables", ["iptables", "-A", "FORWARD", "-s", "172.16.30.0/24", "-m", "dscp", "--dscp", "26", "-j", "mpls", "--nhlfe", "0x02"], [/* 50 vars */]) = 0
>>> brk(0) = 0x9b60000
>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
>>> open("/etc/ld.so.cache", O_RDONLY) = 3
>>> fstat64(3, {st_mode=S_IFREG|0644, st_size=85989, ...}) = 0
>>> mmap2(NULL, 85989, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fe2000
>>> close(3) = 0
>>> open("/lib/libdl.so.2", O_RDONLY) = 3
>>> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\252\207\0004\0\0\0"..., 512) = 512
>>> fstat64(3, {st_mode=S_IFREG|0755, st_size=20564, ...}) = 0
>>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fe1000
>>> mmap2(0x87a000, 16504, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x87a000
>>> mmap2(0x87d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0x87d000
>>> close(3) = 0
>>> open("/lib/libselinux.so.1", O_RDONLY) = 3
>>> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\32e\0004\0\0\0"..., 512) = 512
>>> fstat64(3, {st_mode=S_IFREG|0755, st_size=105968, ...}) = 0
>>> mmap2(0x64e000, 109468, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x64e000
>>> mmap2(0x667000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18) = 0x667000
>>> close(3) = 0
>>> open("/lib/libc.so.6", O_RDONLY) = 3
>>> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360Ts\0004\0\0\0"..., 512) = 512
>>> fstat64(3, {st_mode=S_IFREG|0755, st_size=1692524, ...}) = 0
>>> mmap2(0x71f000, 1410608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x71f000
>>> mmap2(0x872000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x153) = 0x872000
>>> mmap2(0x875000, 9776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x875000
>>> close(3) = 0
>>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fe0000
>>> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fe0710, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
>>> mprotect(0x87d000, 4096, PROT_READ) = 0
>>> mprotect(0x872000, 8192, PROT_READ) = 0
>>> mprotect(0x71b000, 4096, PROT_READ) = 0
>>> munmap(0xb7fe2000, 85989) = 0
>>> brk(0) = 0x9b60000
>>> brk(0x9b81000) = 0x9b81000
>>> open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
>>> fstat64(3, {st_mode=S_IFREG|0644, st_size=500, ...}) = 0
>>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ff6000
>>> read(3, "\n# This file controls the state "..., 4096) = 500
>>> read(3, "", 4096) = 0
>>> close(3) = 0
>>> munmap(0xb7ff6000, 4096) = 0
>>> statfs64("/selinux", 84, {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=1749376, f_bfree=795907, f_bavail=795907, f_files=901120, f_ffree=772577, f_fsid={-179335734, -77216707}, f_namelen=255, f_frsize=4096}) = 0
>>> open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3
>>> fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
>>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ff6000
>>> read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 1024) = 560
>>> read(3, "", 1024) = 0
>>> close(3) = 0
>>> munmap(0xb7ff6000, 4096) = 0
>>> open("/lib/iptables/libipt_dscp.so", O_RDONLY) = 3
>>> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\6\0\0004\0\0\0"..., 512) = 512
>>> fstat64(3, {st_mode=S_IFREG|0755, st_size=6064, ...}) = 0
>>> mmap2(NULL, 4728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x111000
>>> mmap2(0x112000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x112000
>>> close(3) = 0
>>> open("/lib/iptables/libipt_mpls.so", O_RDONLY) = 3
>>> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\4\0\0004\0\0\0"..., 512) = 512
>>> fstat64(3, {st_mode=S_IFREG|0755, st_size=4256, ...}) = 0
>>> mmap2(NULL, 7016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x113000
>>> mmap2(0x114000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x114000
>>> close(3) = 0
>>> socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
>>> getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0p\316<\320\0\0\0\0\0\0\0\0\0\0\0\0\360\344\354\331H\344\354\331"..., [84]) = 0
>>> getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [980]) = 0
>>> setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1228) = -1 EINVAL (Invalid argument)
>>> write(2, "iptables: Invalid argument\n", 27iptables: Invalid argument
>>> ) = 27
>>> exit_group(1) = ?
>>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
>>> Don't miss this year's exciting event. There's still time to save $100.
>>> Use priority code J8TL2D2.
>>> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
>>> _______________________________________________
>>> mpls-linux-general mailing list
>>> mpl...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mpls-linux-general
>>
>> --
>> James R. Leu
>> jl...@mi...
>>
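
Added example, not part of the original thread: a small shell check built on the resolution above. It reports the table an iptables command actually targets (filter when -t is omitted), flags the mpls target outside mangle, and pulls the table name out of a failed setsockopt line in strace output. The function names and the MANGLE_ONLY_TARGETS list are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find the table an iptables command
# really uses and flag the mpls target outside mangle.
MANGLE_ONLY_TARGETS="mpls"   # assumption: seeded from this thread, extend as needed

# rule_opt SHORT LONG DEFAULT ARGS... : value of -SHORT/--LONG, else DEFAULT
rule_opt() {
    short=$1 long=$2 value=$3
    shift 3
    while [ $# -gt 0 ]; do
        case "$1" in
            "-$short"|"--$long") if [ $# -ge 2 ]; then value=$2; shift; fi ;;
            "--$long="*)         value=${1#*=} ;;
        esac
        shift
    done
    printf '%s\n' "$value"
}

# check_rule CMD... : 0 if placement is fine, 1 if a mangle-only target is
# headed for another table (iptables uses "filter" when -t is not given)
check_rule() {
    table=$(rule_opt t table filter "$@")
    target=$(rule_opt j jump "" "$@")
    for t in $MANGLE_ONLY_TARGETS; do
        if [ "$target" = "$t" ] && [ "$table" != mangle ]; then
            echo "WARN: -j $target lands in table '$table'; use -t mangle"
            return 1
        fi
    done
    echo "ok: -j ${target:-none} in table '$table'"
}

# strace_failed_table : from strace output on stdin, print the table named in
# a setsockopt(SOL_IP) call that failed with EINVAL
strace_failed_table() {
    sed -n 's/^setsockopt([0-9]*, SOL_IP, [^"]*"\([a-z]*\)\\0.*= -1 EINVAL.*/\1/p'
}

# The failing setsockopt line, copied from the strace quoted in the thread
SAMPLE_STRACE='setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1228) = -1 EINVAL (Invalid argument)'

# The two commands from the thread: the first fails the check, the second passes
check_rule iptables -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe 0x02 || true
check_rule iptables -t mangle -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe 0x02
printf '%s\n' "$SAMPLE_STRACE" | strace_failed_table
```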