Re: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools?
G Georgiev wrote:
> Hi,
>
> Could not conceive a working set-up for an IPSEC VPN made with racoon/setkey
> on which I have one address on my side acting as an SNAT router for all
> traffic from my network to a network segment on the far side.
>
> my network --- my gateway -- remote network
> 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22
>
> All traffic starts on my side, so if I can SNAT/MASQUERADE packets to the
> tunnel address (10.253.0.2) it shall work. This would have been possible with
> FreeSwan, as it created network interfaces (ipsec0, ipsec1..), however with
> setkey there is no way of making it.
>
> The VPN starts on the gateway; simply all traffic destined to 192.168.0.0/22
> should get an SNAT to 10.253.0.2 and go via the tunnel. SNAT however is
> available only in the POSTROUTING chain, and no outgoing interface really
> exists with setkey.
>
> So, the next rule should be implemented on the gateway: "Packets going to
> 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel"
>
> Some ideas?

Starting with 2.6.16 the kernel supports NAT with IPsec and includes a "policy" match, which allows you to do things similar to the "-o ipsec0" matching done with KLIPS.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
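Patrick's two pointers (NAT with IPsec works on 2.6.16+, and the "policy" match replaces "-o ipsec0") can be turned into a concrete rule set. The script below is an added example written for this page, not code from the thread, from netfilter or from the KAME tools. It reuses the addresses from George's diagram (10.0.0.0/24, 10.253.0.2, 192.168.0.0/22); the rule layout, the xt_policy options used and the `run` dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example for this page (not code from the thread, netfilter or the
# KAME tools): SNAT towards an IPsec tunnel on a 2.6.16+ kernel, with the
# xt_policy match standing in for KLIPS' "-o ipsec0". Addresses are the
# ones from the original diagram; the rule layout is an assumption.
LAN_NET="10.0.0.0/24"          # "my network" behind the gateway
REMOTE_NET="192.168.0.0/22"    # network behind the far gateway
TUNNEL_SRC="10.253.0.2"        # address the remote side expects as source
IPT="iptables"

# Print each command instead of executing it unless APPLY=1 is set, so the
# rule set can be reviewed (and tested) without touching a live firewall.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

emit_ipsec_nat_rules() {
    # 1. The rewrite itself. On 2.6.16+ NAT and IPsec cooperate, so a plain
    #    SNAT keyed on the destination network is enough; no ipsec0-style
    #    pseudo-interface is needed to reach the POSTROUTING chain.
    run $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$REMOTE_NET" \
        -j SNAT --to-source "$TUNNEL_SRC"

    # 2. Plaintext-leak guard: if no outbound IPsec policy applies to a
    #    packet for the remote network (SA missing, racoon not yet done),
    #    drop it instead of forwarding it in the clear.
    run $IPT -A FORWARD -d "$REMOTE_NET" \
        -m policy --dir out --pol none -j DROP

    # 3. Accept replies from the remote network only if they arrived
    #    decapsulated from the tunnel (de-NAT already happened in
    #    PREROUTING, so the destination here is the LAN host again).
    run $IPT -A FORWARD -s "$REMOTE_NET" -d "$LAN_NET" \
        -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
}

emit_ipsec_nat_rules
```

Run it as-is to review the commands, with `APPLY=1` to install them. Afterwards check that the SNAT rule's counters move (`iptables -t nat -L POSTROUTING -v -n`) and that `setkey -DP` shows an outbound policy covering the flow; the SPD selectors and the NAT rule have to agree on which source address the tunnel carries, otherwise rule 2 will start dropping the traffic you meant to encapsulate.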
[LARTC] Matching interface using U32(?)
Hello all,

I am trying to make a little bit more complex QoS/shaping form and I need to shape a PPPoE connection that I serve to my clients. So this is the scope:

client connects using pppoe so it gets an IP address (from pppoe pool) and opens an interface into my linux box
interface for this client is ppp0
client has got an ip 1.1.1.2/32 and it is pointing to pppoe-server 1.1.1.1

So, if I want to shape download for this client it's really easy and I make an htb rule that shapes all traffic into ppp0... My problem is when I have to shape upload traffic. All my traffic goes from eth0 to the world. I tried to make this rule:

$TC class add dev eth0 parent 1:1 classid 1:500 htb rate 200Kbit ceil 200Kbit
$TC filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip src 1.1.1.2/32 flowid 1:500

But this rule is not matching the upload connection. If I put the same rule to an IP (I set an ip into client) this rule works, but into pppoe connection it did not work properly. Does someone have some tip to match the interface that the connection is coming from? Like I wanna match all traffic coming from ppp0 and going through eth0 to be shaped?! Is there any way to make this work?

Att,
Nataniel Klug
[LARTC] where i can find this netem patch?
Hi,

I need help finding this patch that Stephen made.

He sent me a patch, but I do not think it's related to the patch that solved this problem. I will include the patch he did forward to me at the bottom.

However here is the problem, I even tried his misspelling of change :)

thorium-ini 15849-tests # tc qdisc add dev ath0 root handle 1:0 netem drop 0%
thorium-ini 15849-tests # tc qdisc add dev ath0 parent 1:1 handle 10: xcp capacity 54Mbit limit 500
thorium-ini 15849-tests # tc qdisc change dev ath0 root handle 1:0 netem drop 1%
RTNETLINK answers: Invalid argument
thorium-ini 15849-tests # tc qdisc chang dev ath0 root handle 1:0 netem drop 1%
RTNETLINK answers: Invalid argument
thorium-ini 15849-tests # tc qdisc change dev ath0 root handle 1: netem drop 1%
RTNETLINK answers: Invalid argument

here is the patch I was forwarded, but did not solve this problem:

--- linux-2.6.orig/net/sched/sch_netem.c
+++ linux-2.6/net/sched/sch_netem.c
@@ -167,7 +167,7 @@ static int netem_enqueue(struct sk_buff
         if (count == 0) {
                 sch->qstats.drops++;
                 kfree_skb(skb);
-                return NET_XMIT_DROP;
+                return NET_XMIT_BYPASS;
         }
 
         /*

I'd greatly appreciate any help solving the change problem.

Thanks!
George

Stephen Hemminger wrote:
> Loss was broken, patch sent.
>
> The following works now:
>
> # tc qdisc add dev eth1 root handle 1:0 netem loss 20%
>
> # tc qdisc add dev eth1 parent 1:1 handle 10: tbf \
>     rate 256kbit buffer 1600 limit 3000
> # ping -f -c 1000 shell
>
> 1000 packets transmitted, 781 received, 21% packet loss, time 3214ms
> rtt min/avg/max/mdev = 0.187/0.398/3.763/0.730 ms, ipg/ewma 3.217/0.538 ms
>
> # tc qdisc chang dev eth1 handle 1: netem loss 1%
> # ping -f -c 1000 shell
>
> 1000 packets transmitted, 990 received, 1% packet loss, time 2922ms
> rtt min/avg/max/mdev = 0.187/2.739/3.298/0.789 ms, ipg/ewma 2.924/2.084 ms
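Review bot: the single change in this hunk, `return NET_XMIT_DROP;` becoming `return NET_XMIT_BYPASS;` in the `count == 0` path of netem_enqueue, leaves `sch->qstats.drops++;` and `kfree_skb(skb);` in place, so the packet is still freed and counted locally as a drop while the parent qdisc is now told it was not dropped; a one-line comment above the return stating that an emulated loss is intentional and must not be reported upstream as a drop would make that asymmetry deliberate rather than surprising to the next reader. Nothing in the hunk touches the qdisc change path, which is consistent with the message's own remark that this patch is unrelated to the "RTNETLINK answers: Invalid argument" seen on change.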
Re: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools?
Thanks, will try that out - will upgrade the kernel and see how it works.

George.

On Friday 05 May 2006 09:39 am, Patrick McHardy wrote:
> G Georgiev wrote:
> > Hi,
> >
> > Could not conceive a working set-up for an IPSEC VPN made with
> > racoon/setkey on which I have one address on my side acting as an SNAT
> > router for all traffic from my network to a network segment on the far
> > side.
> >
> > my network --- my gateway -- remote network
> > 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22
> >
> > All traffic starts on my side, so if I can SNAT/MASQUERADE packets to
> > the tunnel address (10.253.0.2) it shall work. This would have been
> > possible with FreeSwan, as it created network interfaces (ipsec0,
> > ipsec1..), however with setkey there is no way of making it.
> >
> > The VPN starts on the gateway; simply all traffic destined to
> > 192.168.0.0/22 should get an SNAT to 10.253.0.2 and go via the tunnel.
> > SNAT however is available only in the POSTROUTING chain, and no outgoing
> > interface really exists with setkey.
> >
> > So, the next rule should be implemented on the gateway: "Packets going to
> > 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel"
> >
> > Some ideas?
>
> Starting with 2.6.16 the kernel supports NAT with IPsec and includes
> a "policy" match, which allows you to do things similar to
> the "-o ipsec0" matching done with KLIPS.
[LARTC] Re: [Netem] where i can find this netem patch?
On Fri, 05 May 2006 11:08:23 -0400
George Nychis <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I need help finding this patch that Stephen made.
>
> He sent me a patch, but I do not think it's related to the patch that
> solved this problem. I will include the patch he did forward to me at
> the bottom.
> However here is the problem, I even tried his misspelling of change :)
>
> thorium-ini 15849-tests # tc qdisc add dev ath0 root handle 1:0 netem
> drop 0%
> thorium-ini 15849-tests # tc qdisc add dev ath0 parent 1:1 handle 10:
> xcp capacity 54Mbit limit 500
> thorium-ini 15849-tests # tc qdisc change dev ath0 root handle 1:0 netem
> drop 1%
> RTNETLINK answers: Invalid argument
>

The problem was you are giving handle 1:0 so the change request was going to xcp. And xcp doesn't understand the netem rtnetlink message. You want to do:

# tc qdisc change dev ath0 root netem drop 1%
[LARTC] iptables time match mangle stage
Hi

I am having problems trying to get a time match with iptables 1.3.5 and the latest pom. It says the time match only works in the prerouting stage, but I really need to use the classify command, which only works in the postrouting. Does anyone have a patch for the 2.6 kernel, latest pom and iptables 1.3.5 so time matching can occur in the post routing?

machinenemae login: ipt_time loading
ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)

many thanks
william
[LARTC] iptables CLASSIFY vs fwmark?
Could someone comment on the benefits of using CLASSIFY vs fwmark (or vice versa) in iptables? I'm getting ready to implement some basic tc for VoIP and most of the examples seem to use the (older?) fwmark syntax. Should I convert these to CLASSIFY? Can the two syntaxes be mixed? Also with U32?

TIA,
Edwin
--
<=+=+=+==+=+=+==+=+=+=+=+=+=+=+=>
Edwin Whitelaw, P.E.
New River Valley Unwired, LLC
2200 Lonesome Dove Dr
Christiansburg, VA 24073
540-239-0318
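Three messages on this page circle the same mechanism: Nataniel needs to classify on eth0 by the interface a packet came in on (something u32 cannot see), william has a match (time) that is only valid in PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT while CLASSIFY only works in POSTROUTING, and Edwin asks whether fwmark and CLASSIFY can be mixed. The script below is an added example written for this page, not code posted by any of them. It reuses ppp0, eth0, 1.1.1.2/32 and class 1:500 from Nataniel's post; the mark value 5, the 08:00-18:00 window and the `run` dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example for this page (not code posted by Nataniel, william or
# Edwin): fwmark and CLASSIFY side by side, steering packets into the
# HTB class 1:500 on eth0 from the ppp0/eth0 post. The mark value (5),
# the time window and the dry-run wrapper are assumptions.
WAN_IF="eth0"            # upstream interface carrying the HTB tree
CLIENT_IF="ppp0"         # the PPPoE client's own interface
CLIENT_IP="1.1.1.2/32"   # address from the PPPoE pool
MARK=5
IPT="iptables"
TC="tc"

# Print each command instead of executing it unless APPLY=1 is set.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The class from the original post, unchanged; every variant below feeds it.
emit_htb_class() {
    run $TC class add dev "$WAN_IF" parent 1:1 classid 1:500 htb rate 200Kbit ceil 200Kbit
}

# Variant 1: fwmark. The ingress interface is only known in PREROUTING/
# FORWARD, so the mark is set there; it travels with the skb to the egress
# qdisc, where an "fw" filter on eth0 reads it. u32 cannot see the ingress
# interface, which is why "match ip src" alone could not express this.
emit_fwmark_rules() {
    run $IPT -t mangle -A FORWARD -i "$CLIENT_IF" -o "$WAN_IF" \
        -j MARK --set-mark "$MARK"
    run $TC filter add dev "$WAN_IF" parent 1:0 protocol ip prio 1 \
        handle "$MARK" fw flowid 1:500
}

# Variant 2: CLASSIFY. Writes the class id straight into the skb in mangle
# POSTROUTING, so no tc filter is needed; the price is that the match has
# to be one that is valid in POSTROUTING, here the source address.
emit_classify_rules() {
    run $IPT -t mangle -A POSTROUTING -o "$WAN_IF" -s "$CLIENT_IP" \
        -j CLASSIFY --set-class 1:500
}

# Variant 3: the two mixed. A match restricted to the early chains (the
# POM time match: PRE_ROUTING, LOCAL_IN, FORWARD, OUTPUT) sets a mark in
# FORWARD, and CLASSIFY in POSTROUTING keys on that mark. The mark is the
# bridge between the two syntaxes.
emit_mixed_rules() {
    run $IPT -t mangle -A FORWARD -i "$CLIENT_IF" -o "$WAN_IF" \
        -m time --timestart 08:00 --timestop 18:00 \
        -j MARK --set-mark "$MARK"
    run $IPT -t mangle -A POSTROUTING -o "$WAN_IF" -m mark --mark "$MARK" \
        -j CLASSIFY --set-class 1:500
}

emit_htb_class
emit_fwmark_rules
emit_classify_rules
emit_mixed_rules
```

The three variants are printed together only for comparison; install one of them (plus the class) with `APPLY=1`, not all three, or the same packets get classified several times over. `tc -s class show dev eth0` then shows whether 1:500 is receiving bytes, and `iptables -t mangle -L -v -n` shows whether the MARK or CLASSIFY rule is being hit, which separates a wrong match from a wrong class handoff.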