Re: [mpls-linux-general] problems with classes and iptables
From: Adrian P. <adr...@gm...> - 2008-04-23 13:07:47
Superb diagram... I'm ordering a poster of it to hang it over my bed :)

On Wed, Apr 23, 2008 at 3:50 PM, Anthony R. Mattke <to...@cy...> wrote:

> Any packet modifications need to be done on the mangle table. Doing them
> on the forward chain will work, but PREROUTING, or POSTROUTING would
> probably be more effective.
>
> A friend of mine worked up a wonderful diagram on packet flow through
> the kernel. You can reference it here. (I think this is the newest
> version)
>
> http://imagestream.com/~josh/PacketFlow-new.png
>
> -Tony
>
> --
>
> Anthony R. Mattke
> Senior Network Engineer
> CyberLink International
> 888.293.3693 x4353
> to...@cy...
>
>
> luc...@li... wrote:
> > I tried to launch the same command on the mangle table, and it seems to work.
> >
> > [root@z10n ~]# iptables -t mangle -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe 0x02
> >
> > [root@z10n ~]# iptables -L -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> > mpls all -- 172.16.30.0/24 anywhere DSCP match 0x1a nhlfe 0x2
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target prot opt source destination
> >
> >
> > Now I'll try if it works, but it seems that the problem was putting the rule on the mangle table instead of the (default) filter table.
> > Thanks a lot, I'll keep you posted.
> > Luca
> >
> >
> > ---------- Initial Header -----------
> >
> >>From : "James R. Leu" jl...@mi...
> > To : "luc...@li..." luc...@li...
> > Cc : "mpls-linux-general" mpl...@li...
> > Date : Tue, 22 Apr 2008 08:07:36 -0500
> > Subject : Re: [mpls-linux-general] problems with classes and iptables
> >
> >
> >> If I remember correctly the MPLS target should only be used
> >> in the POSTROUTE or OUTPUT chains, quite possibly only in the 'mangle' table.
> >>
> >> On Tue, Apr 22, 2008 at 11:08:40AM +0200, luc...@li... wrote:
> >>> Hello,
> >>> I'm trying to differentiate traffic flows in MPLS by marking DSCP field at the source and using scheduling strategies at the LER.
> >>> I tried to follow the mpls-linux labs for congestion, in which I found something similar to my case.
> >>> In that case the steps are:
> >>> 1- mapping DSCP on EXP bits of mpls header
> >>> 2- mapping EXP on the tcindex (scheduling strategy)
> >>>
> >>> In the script by Adrian Popa there are the following commands:
> >>>
> >>> var_best1=`mpls nhlfe add key 0 instructions ds2exp 0xf 0x1A 0x3 exp2tc 0x3 0x1 push gen 300 nexthop ath1 ipv4 10.0.5.3|grep key|cut -c 17-26`
> >>>
> >>> iptables -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe $var_best1
> >>>
> >>> the iptables command answers to me:
> >>> iptables: Invalid argument
> >>>
> >>> I've attached also the result of the command:
> >>> strace iptables -A FORWARD -s 172.16.30.0/24 -m dscp --dscp 26 -j mpls --nhlfe 0x02
> >>>
> >>> (0x02 is the previously generated key)
> >>>
> >>> I don't understand where's the problem: I've followed the example and it seems that the problem is in the -j target of iptables...
> >>> Could you please help me?
> >>>
> >>>
> >>> Actually what I'd like to do is quite simpler: it would be enough to simply give a different mpls label to every class and then associate each label (flow) with a scheduling strategy, without marking exp bits...is it possible?
> >>> Thanks in advance, > >>> Luca > >>> > >>> > >>> execve("/sbin/iptables", ["iptables", "-A", "FORWARD", "-s", " > 172.16.30.0/24", "-m", "dscp", "--dscp", "26", "-j", "mpls", "--nhlfe", > "0x02"], [/* 50 vars */]) = 0 > >>> brk(0) = 0x9b60000 > >>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or > directory) > >>> open("/etc/ld.so.cache", O_RDONLY) = 3 > >>> fstat64(3, {st_mode=S_IFREG|0644, st_size=85989, ...}) = 0 > >>> mmap2(NULL, 85989, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fe2000 > >>> close(3) = 0 > >>> open("/lib/libdl.so.2", O_RDONLY) = 3 > >>> read(3, > "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\252\207\0004\0\0\0"..., > 512) = 512 > >>> fstat64(3, {st_mode=S_IFREG|0755, st_size=20564, ...}) = 0 > >>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7fe1000 > >>> mmap2(0x87a000, 16504, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, > 3, 0) = 0x87a000 > >>> mmap2(0x87d000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0x87d000 > >>> close(3) = 0 > >>> open("/lib/libselinux.so.1", O_RDONLY) = 3 > >>> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\32e\0004\0\0\0"..., > 512) = 512 > >>> fstat64(3, {st_mode=S_IFREG|0755, st_size=105968, ...}) = 0 > >>> mmap2(0x64e000, 109468, PROT_READ|PROT_EXEC, > MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x64e000 > >>> mmap2(0x667000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18) = 0x667000 > >>> close(3) = 0 > >>> open("/lib/libc.so.6", O_RDONLY) = 3 > >>> read(3, > "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360Ts\0004\0\0\0"..., 512) > = 512 > >>> fstat64(3, {st_mode=S_IFREG|0755, st_size=1692524, ...}) = 0 > >>> mmap2(0x71f000, 1410608, PROT_READ|PROT_EXEC, > MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x71f000 > >>> mmap2(0x872000, 12288, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x153) = 0x872000 > >>> mmap2(0x875000, 9776, PROT_READ|PROT_WRITE, > 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x875000 > >>> close(3) = 0 > >>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7fe0000 > >>> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fe0710, > limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, > seg_not_present:0, useable:1}) = 0 > >>> mprotect(0x87d000, 4096, PROT_READ) = 0 > >>> mprotect(0x872000, 8192, PROT_READ) = 0 > >>> mprotect(0x71b000, 4096, PROT_READ) = 0 > >>> munmap(0xb7fe2000, 85989) = 0 > >>> brk(0) = 0x9b60000 > >>> brk(0x9b81000) = 0x9b81000 > >>> open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3 > >>> fstat64(3, {st_mode=S_IFREG|0644, st_size=500, ...}) = 0 > >>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7ff6000 > >>> read(3, "\n# This file controls the state "..., 4096) = 500 > >>> read(3, "", 4096) = 0 > >>> close(3) = 0 > >>> munmap(0xb7ff6000, 4096) = 0 > >>> statfs64("/selinux", 84, {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, > f_blocks=1749376, f_bfree=795907, f_bavail=795907, f_files=901120, > f_ffree=772577, f_fsid={-179335734, -77216707}, f_namelen=255, > f_frsize=4096}) = 0 > >>> open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3 > >>> fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 > >>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, > 0) = 0xb7ff6000 > >>> read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 1024) = 560 > >>> read(3, "", 1024) = 0 > >>> close(3) = 0 > >>> munmap(0xb7ff6000, 4096) = 0 > >>> open("/lib/iptables/libipt_dscp.so", O_RDONLY) = 3 > >>> read(3, > "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\6\0\0004\0\0\0"..., 512) = > 512 > >>> fstat64(3, {st_mode=S_IFREG|0755, st_size=6064, ...}) = 0 > >>> mmap2(NULL, 4728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, > 0) = 0x111000 > >>> mmap2(0x112000, 4096, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x112000 > >>> close(3) = 0 > >>> 
open("/lib/iptables/libipt_mpls.so", O_RDONLY) = 3 > >>> read(3, > "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\4\0\0004\0\0\0"..., > 512) = 512 > >>> fstat64(3, {st_mode=S_IFREG|0755, st_size=4256, ...}) = 0 > >>> mmap2(NULL, 7016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, > 0) = 0x113000 > >>> mmap2(0x114000, 4096, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x114000 > >>> close(3) = 0 > >>> socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3 > >>> getsockopt(3, SOL_IP, 0x40 /* IP_??? */, > "filter\0\0p\316<\320\0\0\0\0\0\0\0\0\0\0\0\0\360\344\354\331H\344\354\331"..., > [84]) = 0 > >>> getsockopt(3, SOL_IP, 0x41 /* IP_??? */, > "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [980]) = 0 > >>> setsockopt(3, SOL_IP, 0x40 /* IP_??? */, > "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1228) = -1 > EINVAL (Invalid argument) > >>> write(2, "iptables: Invalid argument\n", 27iptables: Invalid argument > >>> ) = 27 > >>> exit_group(1) = ? > >>> > >>> > ------------------------------------------------------------------------- > >>> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference > >>> Don't miss this year's exciting event. There's still time to save > $100. > >>> Use priority code J8TL2D2. > >>> > http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone > >>> _______________________________________________ > >>> mpls-linux-general mailing list > >>> mpl...@li... > >>> https://lists.sourceforge.net/lists/listinfo/mpls-linux-general > >> > >> -- > >> James R. Leu > >> jl...@mi... > >> > > > > > > > ------------------------------------------------------------------------- > > This SF.net email is sponsored by the 2008 JavaOne(SM) Conference > > Don't miss this year's exciting event. There's still time to save $100. > > Use priority code J8TL2D2. 