[mpls-linux-general] Re: problems using netfilter
From: <due...@cs...> - 2002-02-05 16:49:40
Hi!

>> Excerpt from our configuration script:
>>
>> ...
>> mplsadm -v -A -O gen:33:eth1:ipv4:192.168.2.3
>>
>> KEY3=`grep 'gen 33' /proc/net/mpls_out | cut -d' ' -f1`
>>
>> iptables -v -I PREROUTING -t mangle -d 192.168.6.1 \
>> -s 192.168.5.2 -j MPLS --set-mpls 0x$KEY3
>>
>All seems correct. Can you send me the topology of the network ? Is
>192.168.2.3 the Egress node ? Where do you perform this command ? on the
>Ingress node ?
>
>I post some month ago (look at the mailing list) a version 0.4 of our
>patch which resolved some pb., add TC support and let the user use
>directly the label for iptables instead of the key.

We have attached a small eps-file showing the topology of our network.
192.168.2.3 is not the egress but configured as LSR. (For this example
node 1 is the egress.) The above commands are executed at the ingress
(node 4).

When we ping 192.168.6.1 from 192.168.5.2 we expect the traffic to go
via 192.168.2.3 (with label 33), but using tcpdump on interface
192.168.3.3, we see that the traffic arrives there. (The normal routing
at the ingress points there.)

After the ping, we can see the following at the ingress:

# iptables -v -n -L -t mangle
Chain PREROUTING (policy ACCEPT 171 packets, 10624 bytes)
pkts bytes target prot opt in out source destination
13 1092 MPLS all -- * * 192.168.5.2 192.168.6.1 MPLS index set to :0x40008403

# cat /proc/net/mpls_out
40008403 PUSH(gen 33) SET(eth1)

We couldn't find the newest patch (0.4) on the net. The archive of this
list doesn't provide it, neither does the mpls-linux homepage at
sourceforge. Could you please post it again? Maybe as a personal mail,
if you like.

>Can activate the trace i.e. perform mplsadm -d then ping 192.168.6.2
>from 192.168.5.2 and look at the console kernel log. Normally you'll can
>see some mpls stuff and especially the rt_next_sethop message telling
>that you match the iptable rules.

We turned on debugging at the ingress, there are a lot of "normal" mpls
messages (when we run our little script), but no messages later on
(during the ping) and no rt_next_sethop message at all (problem here?)

# tail /var/log/messages
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: enter
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: labelspace(0)
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: exit
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: enter
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: labelspace(0)
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: exit
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: enter
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: labelspace(0)
Feb 5 18:41:18 bb4 kernel: mpls_set_labelspace: exit
Feb 5 18:41:18 bb4 kernel: mpls_add_out_label: enter
Feb 5 18:41:18 bb4 kernel: mpls_make_dst: enter
Feb 5 18:41:18 bb4 kernel: mpls_make_dst: before bind neighbor
Feb 5 18:41:18 bb4 kernel: mpls_make_dst: bind neighbor succeeded
Feb 5 18:41:18 bb4 kernel: mpls_make_dst: exit(cf420080)
Feb 5 18:41:18 bb4 kernel: mpls_info_default_moi_instruction: enter
Feb 5 18:41:18 bb4 kernel: mpls_info_default_moi_instruction: exit
Feb 5 18:41:18 bb4 kernel: Label GEN 33
Feb 5 18:41:18 bb4 kernel: Key GEN 33 3
Feb 5 18:41:18 bb4 kernel: mpls_add_out_label: exit

Thank you very much,
Uli & Daniel