[mpls-linux-general] mpls and port filtering
From: Daniel T. <da...@un...> - 2002-02-21 12:17:59
Hi,

is it possible to use mpls and netfilter to distinguish streams based also on their TCP/UDP port number?

We are using the mpls configuration like the one described in the mini-howto, posted by Anatoly Asviyan and extended later by Radu Dragos (linux 2.4.17, mpls 1.1.2.7, iptables 1.2.4 etc.).

In our scenario, the topology differs: traffic is not generated at the ingress itself, but at a neighbour mpls-unaware host. Therefore the iptables rules at the ingress do not use the OUTPUT, but the FORWARD chain (e.g. iptables -A FORWARD -p tcp --dport 44 -d 192.168.6.1 -j MPLS --set-key 0x00000002).

This is where we encountered some "problems": it was possible to use different MPLS routing schemes as long as IP address and protocol were the only rule matches, but when using the port number, the behaviour was not what we expected. From the first time a packet matched the above rule, even other packets using the same address and protocol, but with a different port number (which should be routed using normal TCP/IP), were sent along the established MPLS path.

Besides that, the above rule cannot be easily deleted; flushing the chain is not sufficient, only deleting the labels has the desired effect.

Has anyone experienced similar problems, or is mpls+netfilter just not suited for this scenario?

Thanks in advance,
Daniel and Ulrich