Re: [mpls-linux-general] BETA: mpls-linux 1.127
From: Olivier D. <Oli...@rd...> - 2002-02-04 08:32:10
James R. Leu wrote:
> On Fri, Feb 01, 2002 at 06:08:05PM +0100, Olivier Dugeon wrote:
> <snip>
> > My trouble is that in the case of PRE_ROUTING nf_hook (ie. before the
> > packet is routed) the dst field is not set for the packet. So, if you
> > would use the PRE_ROUTING netfilter hook, I think this scenario will
> > happen:
> >
> > - first packet arrives, dst field is null because no such flow raised
> >   this Ingress node.
> > - PRE_ROUTING netfilter doesn't set up the mpls stuff because the dst
> >   field is null
> > - the packet continues its journey and gets a dst field after calling
> >   the ip_route_input function. The skb->dst->output remains unchanged at
> >   ip_route_output, so this packet is processed as usual and not labeled.
> > - second packet arrives, dst field is null, and the packet retrieves its
> >   dst field from the route hash table.
> >
> > In the case of PRE_ROUTING netfilter setup (iptables -A INPUT), the
> > packets are never labeled.
> >
> > If it's not a bug, it's preferable to avoid setting mpls-key with
> > iptables for the PRE_ROUTING nf_hook.
>
> I had not planned on the MPLS target to be used with the PRE_ROUTING hook.

Ok. It is what I'm thinking.

> > Second trouble, and I think it's more serious. You can't make a difference
> > for two flows with same IP src and dst address but with different port
> > src and/or dst number. PRE_ROUTING doesn't work, so 2 packets coming
> > from the same machine to the same machine get the same dst field :-(
> > The ip_route_input function uses IP src, dst address, input/output
> > interface number, tos field and optionally fwmark. So, you can't make any
> > difference based on the source or destination port number or protocol.
>
> So are you saying that if the MPLS target worked with PRE_ROUTING
> this problem would be solved?

Not completely. The only way I found to differentiate two flows for the same peer machine is to use nfmark to force the routing kernel mechanism to create two different dst entries (ie. two route cache entries).

> > Solution: I'll follow the PRE_ROUTING track. I think it's possible to
> > setup the dst field in netfilter mpls hook. So,
>
> Each MOI can potentially have a dst (as part of the SET info). So
> the packets hitting PRE_ROUTING could use that, or a dst could be built,
> that has the necessary info to redirect the packet to the MPLS layer.
> Another option is to ship the packet into the MPLS layer from inside the
> NF_HOOK, and return that it was dropped.

Ok. Perhaps this is the way to skip part of the ip routing stuff. Just keep the header verification and the segmentation stuff.

> > 1/ we can make a difference between packets based on all header fields
> > 2/ we skip the low routing process
> >
> > What do you think about this? Am I wrong?
>
> I think it is good that you brought this up (support for port/protocol based
> redirection). Although I'm not sure how often it will be used. MPLS isn't
> meant for microflow TE.

We would use this forwarding discrimination in conjunction with CR-LDP and/or RSVP-TE (we use a proprietary stack for the moment).

> Until we figure out a better way to do this, you could use a combination
> of iptables (do nfmark or dsmark based on protocol/port, making sure the
> aggregate route points out a mpls tunnel interface) and a nffwd or dsfwd
> instruction on the MOI which is attached to the mpls tunnel interface.

Ok. I try it.

Olivier

--
FTR&D/DAC/CPN Technopole Anticipa | mailto:Oli...@fr...
2, Avenue Pierre Marzin           | Phone: +(33) 2 96 05 28 80
F-22307 LANNION                   | Fax:   +(33) 2 96 05 18 52
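The exchange above makes two points that are easy to see with a small model: the route cache (ip_route_input) is keyed on src, dst, input interface, tos and fwmark only, so two flows to the same peer that differ only in port collapse onto one dst entry; and setting an nfmark from a port-based iptables rule gives the cache a distinct key per flow, which is the workaround James describes. The following Python is an added illustration, not code from mpls-linux or from either poster; it models the cache keying on the fields Olivier lists, models a `-j MARK --set-mark` rule in the mangle PREROUTING chain, and emits the iptables/ip commands such a setup corresponds to. Device names (`eth1`, `mpls_tunnel<N>`) and routing-table numbers are placeholders; the nffwd/dsfwd instruction on the MOI is mpls-linux specific and is left out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed packet model: only the header fields the thread talks about.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    iif: str = "eth0"   # input interface (placeholder name)
    tos: int = 0

@dataclass(frozen=True)
class MarkRule:
    """Model of: iptables -t mangle -A PREROUTING -p <proto> --dport <dport> -j MARK --set-mark <mark>"""
    proto: str
    dport: int
    mark: int

def apply_mangle_prerouting(pkt: Packet, rules: List[MarkRule]) -> int:
    """First matching MARK rule wins; unmatched packets keep fwmark 0."""
    for r in rules:
        if pkt.proto == r.proto and pkt.dport == r.dport:
            return r.mark
    return 0

def route_key(pkt: Packet, fwmark: int) -> Tuple[str, str, str, int, int]:
    """The fields ip_route_input() hashes on, as listed in the thread:
    src, dst, input interface, tos and (optionally) fwmark.
    Ports and protocol are deliberately absent: that is the point."""
    return (pkt.src, pkt.dst, pkt.iif, pkt.tos, fwmark)

class RouteCache:
    """Minimal stand-in for the kernel route hash table."""
    def __init__(self) -> None:
        self.entries: Dict[tuple, str] = {}

    def lookup(self, key: tuple, resolve: Callable[[tuple], str]) -> str:
        if key not in self.entries:          # miss: run the slow path once
            self.entries[key] = resolve(key)
        return self.entries[key]             # hit: reuse the cached dst

def resolve_dst(key: tuple) -> str:
    """Models policy routing: `ip rule add fwmark N table N` plus a default
    route in table N pointing at an MPLS tunnel interface (placeholder names)."""
    fwmark = key[4]
    return f"mpls_tunnel{fwmark}" if fwmark else "eth1"

def forward(packets: List[Packet], rules: List[MarkRule]) -> Tuple[List[str], int]:
    """Return the output device chosen per packet and the number of route-cache
    entries that ended up being created."""
    cache = RouteCache()
    devs = []
    for p in packets:
        mark = apply_mangle_prerouting(p, rules)
        devs.append(cache.lookup(route_key(p, mark), resolve_dst))
    return devs, len(cache.entries)

def iptables_commands(rules: List[MarkRule], tunnel_by_mark: Dict[int, str]) -> List[str]:
    """The shell commands the model corresponds to (assumed form; table number = mark)."""
    cmds = []
    for r in rules:
        cmds.append(f"iptables -t mangle -A PREROUTING -p {r.proto} --dport {r.dport} "
                    f"-j MARK --set-mark {r.mark}")
        cmds.append(f"ip rule add fwmark {r.mark} table {r.mark}")
        cmds.append(f"ip route add default dev {tunnel_by_mark[r.mark]} table {r.mark}")
    return cmds

if __name__ == "__main__":
    # Constructed sample: same src/dst pair, HTTP and SSH flows.
    flows = [Packet("10.0.0.1", "10.0.1.1", "tcp", 40000, 80),
             Packet("10.0.0.1", "10.0.1.1", "tcp", 40001, 22)]
    print("no mark:  ", forward(flows, []))                      # both on eth1, 1 entry
    print("with mark:", forward(flows, [MarkRule("tcp", 80, 1)]))  # split, 2 entries
    print("\n".join(iptables_commands([MarkRule("tcp", 80, 1)], {1: "mpls_tunnel1"})))
```

Without a mark both flows share one cache entry and leave on the aggregate route; with the port-based mark the HTTP flow gets its own key and its own dst, so the aggregate route for that key can point out the tunnel interface while SSH keeps the plain route.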