Thread: [mpls-linux-general] problems using netfilter
From: <due...@cs...> - 2002-01-31 11:27:45
Hi all,

we have encountered some problems using
the mpls-iptables patch. We wanted to use
netfilter at the ingress node to bind labels
to specific ip traffic.
Here's what we did:
- first patched linux kernel 2.4.14 with mpls-linux-0.993
- second applied mpls-iptables-0.3 patch (.full patch)
- made menuconfig ("netfilter MPLS match support",
  "Packet mangling/MPLS target support" + the "normal"
  MPLS stuff)
- patched and compiled iptables 1.2.2

Excerpt from our configuration script:

...
mplsadm -v -A -O gen:33:eth1:ipv4:192.168.2.3

KEY3=`grep 'gen 33' /proc/net/mpls_out | cut -d' ' -f1`

iptables -v -I PREROUTING -t mangle -d 192.168.6.1 \
  -s 192.168.5.2 -j MPLS --set-mpls 0x$KEY3

This all works so far (giving no error messages
from mplsadm or iptables), but the traffic seems
to be forwarded normally using the ip routing table,
although the packet counter of iptables shows that
the rule matched.

Has anybody experienced similar problems?
Which combination of the linux kernel/patches is known to be
working best?

Thanks,

Uli & Daniel

From: James R. L. <jl...@mi...> - 2002-01-31 19:05:10
Are you trying to use the patches from Olivier Dugeon? I'm only
partially familiar with exactly how to get them to work. You might
want to try the BETA version of mpls-linux that integrates much of
Olivier's work.

Grab the latest mpls-linux (1.127) via CVS at:

http://sourceforge.net/cvs/?group_id=15443

It contains a patch for the linux kernel, and for iptables.

I'll be posting directions on how to use iptables and mplsadm2 to create
the 'standard' 2 pc LSP (from the README.example in mpls-linux).

Jim

On Thu, Jan 31, 2002 at 12:22:41PM +0100, Ulrich Dürholz wrote:
>
> Hi all,
>
> we have encountered some problems using
> the mpls-iptables patch. We wanted to use
> netfilter at the ingress node to bind labels
> to specific ip traffic.
> Here's what we did:
> - first patched linux kernel 2.4.14 with mpls-linux-0.993
> - second applied mpls-iptables-0.3 patch (.full patch)
> - made menuconfig ("netfilter MPLS match support",
>   "Packet mangling/MPLS target support" + the "normal"
>   MPLS stuff)
> - patched and compiled iptables 1.2.2
>
> Excerpt from our configuration script:
>
> ...
> mplsadm -v -A -O gen:33:eth1:ipv4:192.168.2.3
>
> KEY3=`grep 'gen 33' /proc/net/mpls_out | cut -d' ' -f1`
>
> iptables -v -I PREROUTING -t mangle -d 192.168.6.1 \
>   -s 192.168.5.2 -j MPLS --set-mpls 0x$KEY3
>
> This all works so far (giving no error messages
> from mplsadm or iptables), but the traffic seems
> to be forwarded normally using the ip routing table,
> although the packet counter of iptables shows that
> the rule matched.
>
> Has anybody experienced similar problems?
> Which combination of the linux kernel/patches is known to be
> working best?
>
> Thanks,
>
> Uli & Daniel
>
> _______________________________________________
> mpls-linux-general mailing list
> mpl...@li...
> https://lists.sourceforge.net/lists/listinfo/mpls-linux-general

--
James R. Leu

From: Olivier D. <Oli...@rd...> - 2002-02-01 13:27:17
Hi,

Ulrich Dürholz wrote:
>
> Hi all,
>
> we have encountered some problems using
> the mpls-iptables patch. We wanted to use
> netfilter at the ingress node to bind labels
> to specific ip traffic.
> Here's what we did:
> - first patched linux kernel 2.4.14 with mpls-linux-0.993
> - second applied mpls-iptables-0.3 patch (.full patch)
> - made menuconfig ("netfilter MPLS match support",
>   "Packet mangling/MPLS target support" + the "normal"
>   MPLS stuff)
> - patched and compiled iptables 1.2.2
>
> Excerpt from our configuration script:
>
> ...
> mplsadm -v -A -O gen:33:eth1:ipv4:192.168.2.3
>
> KEY3=`grep 'gen 33' /proc/net/mpls_out | cut -d' ' -f1`
>
> iptables -v -I PREROUTING -t mangle -d 192.168.6.1 \
>   -s 192.168.5.2 -j MPLS --set-mpls 0x$KEY3
>

All seems correct. Can you send me the topology of the network? Is
192.168.2.3 the Egress node? Where do you perform this command? On the
Ingress node?

I posted some months ago (look at the mailing list) a version 0.4 of our
patch which resolved some pb., added TC support and lets the user use
the label directly for iptables instead of the key.

>
> This all works so far (giving no error messages
> from mplsadm or iptables), but the traffic seems
> to be forwarded normally using the ip routing table,
> although the packet counter of iptables shows that
> the rule matched.
>

Can you activate the trace, i.e. perform mplsadm -d, then ping 192.168.6.2
from 192.168.5.2 and look at the console kernel log. Normally you can
see some mpls stuff and especially the rt_next_sethop message telling
that you match the iptables rules.

Hope this helps,

Olivier

PS. Like Jim suggests, take a look at the recent mpls cvs version.
Unfortunately I haven't had any time to try it, but it seems great.

--
FTR&D/DAC/CPN Technopole Anticipa | mailto:Oli...@fr...
2, Avenue Pierre Marzin           | Phone: +(33) 2 96 05 28 80
F-22307 LANNION                   | Fax: +(33) 2 96 05 18 52

From: Ulrich <due...@cs...> - 2002-02-23 16:48:27
Hi Olivier!

> I posted some months ago (look at the mailing list) a version 0.4 of our
> patch which resolved some pb., added TC support and lets the user use
> the label directly for iptables instead of the key.

Could you (or maybe someone else from the list) please post this patch
again? The list archive at geocrawler doesn't save the attachments, and
at that time I was not subscribed yet.

Thanks a lot,

Uli