Re: [mpls-linux-general] BETA: mpls-linux 1.127
From: James R. L. <jl...@mi...> - 2002-02-01 21:22:14
On Fri, Feb 01, 2002 at 06:08:05PM +0100, Olivier Dugeon wrote:
<snip>
> My trouble is that in the case of PRE_ROUTING nf_hook (ie. before the
> packet is route) the dst field is not set for the packet. So, if you
> would use the PRE_ROUTING netfilter hook, I think this scenario will
> happen :
>
> - first packet arrive, dst field is null because no such flow raise
>   this Ingress node.
> - PRE_ROUTING netfilter doesn't setup the mpls stuff because the dst
>   field is null
> - the packet continue its journey and get a dst field after calling
>   ip_route_input function. The skb->dst->output remain unchange to
>   ip_route_output, so this packet is process as usual and not labeled.
> - second packet arrive, dst field is null, and the packet retrieve its
>   dst field from the route hash table.
>
> In the case of PRE_ROUTING netfilter setup, (iptables -A INPUT) the
> packets is never labeled.
>
> If it's not a bug, it's preferable to avoid setting mpls-key with
> iptable for the PRE_ROUTING nf_hook.

I had not planned on the MPLS target to be used with the PRE_ROUTING hook.

> Second trouble, and I think it's more serious. You can't make difference
> for two flows with same IP src and dst address but with different port
> src and/or dst number. PRE_ROUTING doesn't work, so 2 packets coming
> from the same machine to the same machine get the same dst field :-(
> The ip_route_input function use IP src, dst address, input/output
> interface number, tos field and optionally fwmark. So, you can't make any
> difference based on the source or destination port number or protocol.

So are you saying that if the MPLS target worked with PRE_ROUTING this
problem would be solved?

> Solution: I'll follow the PRE_ROUTING track. I think it's possible to
> setup the dst field in netfilter mpls hook. So,

Each MOI can potentially have a dst (as part of the SET info).
So the packets hitting PRE_ROUTING could use that, or a dst could be
built, that has the necessary info to redirect the packet to the MPLS
layer. Another option is to ship the packet into the MPLS layer from
inside the NF_HOOK, and return that it was dropped.

> 1/ we can make difference between packet based on all field header
> 2/ we skip low routing process
>
> What do you think about this ? I am wrong ?

I think it is good that you brought this up (support for port/protocol
based redirection). Although I'm not sure how often it will be used.
MPLS isn't meant for microflow TE.

Until we figure out a better way to do this, you could use a combination
of iptables (do nfmark or dsmark based on protocol/port, making sure
the aggregate route points out a mpls tunnel interface) and a nffwd or
dsfwd instruction on the MOI which is attached to the mpls tunnel
interface.

Jim

>
>
> Regards,
>
>
> Olivier
>
> PS. Your L2CC stuff seems very great.
> --
> FTR&D/DAC/CPN
> Technopole Anticipa     | mailto:Oli...@fr...
> 2, Avenue Pierre Marzin | Phone: +(33) 2 96 05 28 80
> F-22307 LANNION         | Fax: +(33) 2 96 05 18 52

--
James R. Leu