Thread: [mpls-linux-general] DNAT & MPLS
From: Antonio M. <ant...@mu...> - 2003-07-09 12:46:48

Hello,
I am doing some testing with Linux + MPLS (/proc/net/mpls_version = 01010702).
My test network is made of a front-end dispatcher (public IP address) that receives MPLS traffic
and many back-end servers (private IP address).

I'd like to dispatch the incoming traffic directed to the public IP address
based on the MPLS label it carries.

Simple Net:

client ---> dispatcher (130.192.a.b) -->n back-end (192.168.c.x)

Let's assume a client sends IP traffic to 130.192.a.b (dispatcher) with an MPLS label = 255.
I'd like to set an iptables rule on the dispatcher as:

iptables -t nat -A PREROUTING -d 130.192.a.b -j DNAT --to 192.168.c.x

This works fine for IP. How can I modify it to match the MPLS label (255)?
Is there a way to match an incoming packet based on the MPLS label it carries?

Thanks a lot and excuse my English :)))

Antonio

From: James R. L. <jl...@mi...> - 2003-07-09 21:59:19

What if you could mark the packet based on incoming label (nfmark or tcindex)?
Would that help?

--
James R. Leu

From: Antonio M. <ant...@mu...> - 2003-07-10 13:40:05

This solution can definitely work, but I need an iptables match module for MPLS.
I think I need something like:

iptables -t mangle -A PREROUTING -d <public IP> -m MPLS <incoming label> -j MARK --set-mark 10
iptables -t nat -A PREROUTING -d <public IP> -m MARK 10 -j DNAT --to <private IP>

and this will solve my problem, but I think if I can have a matching module for MPLS label
I can use something like this:

iptables -t nat -A PREROUTING -d <public IP> -m MPLS <incoming label> -j DNAT --to <private IP>

So what I am missing is how to mark a packet based on the MPLS label.

Thnx,
Antonio

From: James R. L. <jl...@mi...> - 2003-07-10 14:17:01

On Thu, Jul 10, 2003 at 03:39:47PM +0200, Antonio Mancuso wrote:
> This solution can definitely work, but I need a iptables match module for MPLS.
> I think I need something like:
Why?
1. By the time iptables gets the packet, the MPLS header has been removed.
2. You already have a mechanism for exact matches based on the incoming
label, it's called the ILM (incoming label map) and is inherent to any
MPLS implementation (including mine).
>
> iptables -t mangle -A PREROUTING -d <public IP> -m MPLS <incoming label> -j MARK --set-mark 10
> iptables -t nat -A PREROUTING -d <public IP> -m MARK 10 -j DNAT --to <private IP>
If "set NF" is implemented you would be able to do:
mplsadm2 -A -I gen:255:0
mplsadm2 -I gen:255:0 -i set_nf:MARK:pop:peek
iptables -t nat -A PREROUTING -d <public IP> -m MARK 10 -j DNAT --to <private IP>
> and this will solve my problem, but I think if I can have a matching module for MPLS label
> I can use something like this:
>
> iptables -t nat -A PREROUTING -d <public IP> -m MPLS <incoming label> -j DNAT --to <private IP>
>
> So what I am missing is how to mark a packet based on the MPLS label.
>
> Thnx,
> Antonio
--
James R. Leu
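The two points above (the label is gone by the time iptables runs, and the ILM is where an exact per-label decision lives) can be made concrete with a small model. The following is an added example, not code from this thread or from mpls-linux: it encodes an MPLS label stack entry, runs a hypothetical ILM entry equivalent to the proposed "set_nf:10:pop:peek" instruction list (set_nf is the instruction offered in the thread, not one the project ships), and then applies a nat PREROUTING rule that keys only on the destination and the nfmark. The addresses, the ILM and NAT_RULES tables and all function names are constructed for the example; the thread's 130.192.a.b and 192.168.c.x placeholders are filled with constructed values.

```python
import struct
import ipaddress

# Added example (not code from the thread or from mpls-linux): a model of the
# pipeline James describes. The ILM consumes the label before the IP stack sees
# the packet, so the label-to-mark mapping has to happen in the ILM; iptables
# then matches only on the mark. Addresses are constructed stand-ins for the
# thread's placeholders 130.192.a.b and 192.168.c.x.

PUBLIC_IP = "130.192.0.1"     # constructed: the dispatcher's public address
BACKEND_IP = "192.168.0.10"   # constructed: one back-end server

def build_mpls_entry(label, tc=0, bos=1, ttl=64):
    """Encode one 32-bit MPLS label stack entry (RFC 3032 layout)."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | ((bos & 0x1) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)

def parse_mpls_entry(data):
    """Decode the first 4 bytes of data into (label, tc, bos, ttl)."""
    if len(data) < 4:
        raise ValueError("truncated label stack entry")
    (word,) = struct.unpack("!I", data[:4])
    return (word >> 12) & 0xFFFFF, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF

def build_ipv4_header(src, dst, proto=6, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Hypothetical ILM keyed by incoming label. The entry mirrors the thread's
# proposed "mplsadm2 -I gen:255:0 -i set_nf:10:pop:peek".
ILM = {
    255: [("set_nf", 10), ("pop",), ("peek",)],
}

# Hypothetical nat PREROUTING rules: the DNAT target is chosen on (dst, nfmark),
# i.e. "iptables -t nat -A PREROUTING -d <public IP> -m mark --mark 10 -j DNAT --to <private IP>".
NAT_RULES = [
    {"dst": PUBLIC_IP, "mark": 10, "to": BACKEND_IP},
]

def ilm_process(frame):
    """Run the ILM instructions for the top label. Returns (ip_packet, nfmark)."""
    label, _tc, bos, _ttl = parse_mpls_entry(frame)
    if label not in ILM:
        # An MPLS forwarder drops packets whose label has no ILM entry.
        raise LookupError(f"no ILM entry for label {label}")
    mark = 0
    payload = frame
    for instr in ILM[label]:
        if instr[0] == "set_nf":
            mark = instr[1]                # label -> nfmark, while the label is still visible
        elif instr[0] == "pop":
            payload = payload[4:]          # strip the 4-byte label stack entry
        elif instr[0] == "peek":
            # Hand the remaining bytes to the IP stack; only modelled for a
            # bottom-of-stack entry (a single label, as in the thread).
            if not bos:
                raise ValueError("peek after a non-bottom-of-stack label is not modelled")
            if payload[0] >> 4 != 4:
                raise ValueError("payload after pop is not IPv4")
    return payload, mark

def nat_prerouting(ip_packet, mark):
    """Apply the first matching DNAT rule; return the (possibly rewritten) destination."""
    dst = str(ipaddress.IPv4Address(ip_packet[16:20]))
    for rule in NAT_RULES:
        if rule["dst"] == dst and rule["mark"] == mark:
            return rule["to"]
    return dst                             # no rule matched: destination unchanged

def dispatch(frame):
    """Full path: ILM (label -> mark, pop) then nat PREROUTING (mark -> back-end)."""
    ip_packet, mark = ilm_process(frame)
    return nat_prerouting(ip_packet, mark)

def sample_frame(label):
    """Constructed input: one label stack entry in front of an IPv4 header to the dispatcher."""
    return build_mpls_entry(label) + build_ipv4_header("203.0.113.5", PUBLIC_IP)

if __name__ == "__main__":
    print(dispatch(sample_frame(255)))     # back-end selected by incoming label 255
    ip_only, _ = ilm_process(sample_frame(255))
    # After the pop nothing in ip_only identifies the label any more, which is
    # why an iptables MPLS match module could not work at this stage:
    print(nat_prerouting(ip_only, 0))      # unmarked packet keeps the public destination
```

The model makes the ordering explicit: `nat_prerouting` receives a plain IPv4 header and can only see the mark the ILM attached, so a label that has no ILM entry never reaches NAT at all. In real iptables syntax the mark match written as "-m MARK 10" in the thread is "-m mark --mark 10".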

From: Antonio M. <ant...@mu...> - 2003-07-10 16:39:37

Thanks for your answer,
but I think I still have some problems. :))

if I do:
mplsadm2 -L tap0:0
mplsadm2 -A -I gen:255:0

and then

mplsadm2 -I gen:255:0 -i set_nf:10:pop:peek

I get:
SET-SIOCGIFINDEX: No such device

> If "set NF" is implemented you would be able to do:

How can I check if I have set NF implemented?
I am using the kernel|iproute|iptables patches found on sourceforge.net (V 1.172)

In the README file only set_tc and set_ds are mentioned.

If you know a place where I can get some documentation
more detailed than the one with the patch, maybe I can avoid posting on this list. :))

Thanx,
Antonio

From: James R. L. <jl...@mi...> - 2003-07-11 03:31:27

See comments in line.

On Thu, Jul 10, 2003 at 06:29:33PM +0200, Antonio Mancuso wrote:
> Thanks for your answer,
> but I think I still have some problems. :))
>
> if I do:
> mplsadm2 -L tap0:0
> mplsadm2 -A -I gen:255:0
>
> and then
>
> mplsadm2 -I gen:255:0 -i set_nf:10:pop:peek
>
> I get:
> SET-SIOCGIFINDEX: No such device
>
> > If "set NF" is implemented you would be able to do:

That was meant to be an offer by me to implement the feature (it doesn't exist yet).
If you think it will work for you I can implement it then release a new RPM.

> How can I check if I have set NF implemented?
> I am using the kernel|iproute|iptables patches found on sourceforge.net (V 1.172)
>
> In the README file only set_tc and set_ds are mentioned.
>
> If you know a place where I can get some documentation
> more detailed than the one with the patch, maybe I can avoid posting on this list. :))
>
> Thanx,
> Antonio

--
James R. Leu