<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
You're right, I can write the iptables trace rule. It's just an idea
for a better trace in jool. If I have 1Gbit traffic when I enable
trace, many logs will come. Actually not important.<br>
<br>
Last thing, it would be nice to have ID into log for package
relation like iptables.<br>
<br>
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF
PROTO=ICMP TYPE=8 CODE=0 <b>ID=13069</b> SEQ=1 <br>
TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF
PROTO=ICMP TYPE=8 CODE=0 <b>ID=13069</b> SEQ=1 <br>
TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF
PROTO=ICMP TYPE=8 CODE=0 <b>ID=13069</b> SEQ=1 <br>
<p>Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220
DST:10.100.100.11 TYPE:8 CODE:0</p>
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2
SRC=2001:0db8:000a:0000:0000:0000:0ac8:c8dc
DST=2001:0db8:000a:0000:0000:0000:0a64:640b LEN=104 TC=0 HOPLIMIT=63
FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0<b> ID=13069</b> SEQ=1 <br>
TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT=
MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd
SRC=2001:0db8:000a:0000:0000:0000:0a64:640b
DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64
FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 <b>ID=13069</b> SEQ=1 <br>
TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd
SRC=2001:0db8:000a:0000:0000:0000:0a64:640b
DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64
FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 <b>ID=13069</b> SEQ=1 <br>
<p>Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b
DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0</p>
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52293
PROTO=ICMP TYPE=0 CODE=0 <b>ID=13069</b> SEQ=1 <br>
<br>
<br>
<pre class="moz-signature" cols="72">Fatih USTA</pre>
<div class="moz-cite-prefix">On 24.12.2019 07:28, Alberto Leiva
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAA0dE=XTYwE2fzXH=aDAGHWA23-V_M2a4jPt+vfxny2tytZreQ@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">Adding filters complicates it a lot. I have a question: What's
stopping you from adding a TRACE target right before the Jool target?
for example
iptables -t raw -A PREROUTING <filters> -j TRACE
iptables -t raw -A PREROUTING <filters> -j JOOL (Jool arguments)
That would trace all packets right before they reach Jool.
On Mon, Dec 23, 2019 at 1:01 AM Fatih USTA <a class="moz-txt-link-rfc2396E" href="mailto:fatihusta86@gmail.com"><fatihusta86@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Hi Alberto
I tested. Works well, but we need more information in log for better trace.
Because jool siit and jool have same instance name. For example Default.
I can't see which one instance matched.
Dec 23 09:35:40 2019 kernel: : [263288.781040] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
Dec 23 09:35:40 2019 kernel: : [263288.781401] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:41 2019 kernel: : [263289.805122] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
Dec 23 09:35:41 2019 kernel: : [263289.805456] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
Dec 23 09:35:42 2019 kernel: : [263290.574131] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:43 2019 kernel: : [263291.574381] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:43 2019 kernel: : [263291.777504] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136 CODE:0
Dec 23 09:35:43 2019 kernel: : [263291.885362] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
Dec 23 09:35:44 2019 kernel: : [263292.574572] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:45 2019 kernel: : [263293.574838] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
# Stateful instances
+--------------------+-----------------+-----------+
| Namespace | Name | Framework |
+--------------------+-----------------+-----------+
| ffffffff80e868c0 | default | netfilter |
+--------------------+-----------------+-----------+
# Stateles instances
+--------------------+-----------------+-----------+
| Namespace | Name | Framework |
+--------------------+-----------------+-----------+
| ffffffff80e868c0 | default | netfilter |
+--------------------+-----------------+-----------+
JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
JOOL:nat64 NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
More information if is possible.
JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0 action=nat46 nataddr=2001:db8::a mtu=1400 tos=3 eamt=no blacklist=no bib=no .... other matched options
Maybe filter option can be add.
jool global update trace-filter [FILTER OPTIONS]
--src IPv4,IPv6
--dst IPv4,IPv6
--sport
--dport
--tcp
--udp
--icmp
--alg ftp|sip #future
thank you for your effort.
Fatih USTA
On 21.12.2019 02:31, Alberto Leiva wrote:
First draft:
<a class="moz-txt-link-freetext" href="https://nicmx.github.io/Jool/en/usr-flags-global.html#trace">https://nicmx.github.io/Jool/en/usr-flags-global.html#trace</a>
the flag can be found in the latest commit in the master branch:
<a class="moz-txt-link-freetext" href="https://github.com/NICMx/Jool">https://github.com/NICMx/Jool</a>
On Fri, Dec 20, 2019 at 1:01 PM Alberto Leiva <a class="moz-txt-link-rfc2396E" href="mailto:ydahhrk@gmail.com"><ydahhrk@gmail.com></a> wrote:
Please note that you might need to update that page in case your
browser cached it, because I just updated it.
On Fri, Dec 20, 2019 at 1:00 PM Alberto Leiva <a class="moz-txt-link-rfc2396E" href="mailto:ydahhrk@gmail.com"><ydahhrk@gmail.com></a> wrote:
Currently, there is no tracing configuration flag. If you want, I can add it.
For now, the closest thing is enabling debugging:
<a class="moz-txt-link-freetext" href="https://nicmx.github.io/Jool/en/logging.html">https://nicmx.github.io/Jool/en/logging.html</a>
On Fri, Dec 20, 2019 at 12:12 AM Fatih USTA <a class="moz-txt-link-rfc2396E" href="mailto:fatihusta86@gmail.com"><fatihusta86@gmail.com></a> wrote:
I rebooted my system and it worked. But I don't understand why?
One more question. How can I trace traffic inside jool like "iptables
TRACE" for debugging.
BTW:
jool netfilter/iptables worked without reboot.
Thanks.
Fatih USTA
On 19.12.2019 19:11, Alberto Leiva wrote:
Did you try printing stats?
<a class="moz-txt-link-freetext" href="https://jool.mx/en/usr-flags-stats.html">https://jool.mx/en/usr-flags-stats.html</a>
If Jool is the one dropping the packets, they should tell you why.
On Thu, Dec 19, 2019 at 9:46 AM Alberto Leiva <a class="moz-txt-link-rfc2396E" href="mailto:ydahhrk@gmail.com"><ydahhrk@gmail.com></a> wrote:
I hate to be asking this question but, did you try rebooting and doing
a clean run?
Because it works fine for me, even in my 32/64-bit hybrid...
On Thu, Dec 19, 2019 at 4:54 AM Fatih USTA <a class="moz-txt-link-rfc2396E" href="mailto:fatihusta86@gmail.com"><fatihusta86@gmail.com></a> wrote:
Hi
I'm following this(<a class="moz-txt-link-freetext" href="https://www.jool.mx/en/run-vanilla.html">https://www.jool.mx/en/run-vanilla.html</a>) guide.
IPTables mode working, but netfilter mode doesn't work. What am I
missing? or is this a bug?
jool_siit -V
4.0.6.2 i386
ip{6}tables -V
v1.6.0 i386
uname -rm
3.16.76-4.custom x86_64
PC1[eth0] <=>[eth1]Tranlator[eth2]<=>[eth0]PC2
#PC1
ip addr add 10.200.200.220/23 dev eth0
ip route add 10.100.100.0/24 via 10.200.200.16
#Translator
ip addr add 10.200.200.16/23 dev eth1
ip addr add 2001:db8:a::10.100.100.2/120 dev eth2
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
ethtool --offload eth1 gro off
ethtool --offload eth2 gro off
lro already fixed off by kernel.
jool_siit instance add default --netfilter --pool6 2001:db8:a::/96
#PC2
ip add add 2001:db8:a::10.100.100.11/120 dev eth0
ip route add 2001:db8:a::10.200.200.0/119 via 2001:db8:a::10.100.100.2
#Result of netfilter (on Translator)
PC1>PC2
12:44:12.234494 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 1, length 64
12:44:12.234647 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
12:44:13.255748 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 2, length 64
12:44:13.255825 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
12:44:14.279628 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 3, length 64
12:44:14.279704 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
-- Fatih USTA
_______________________________________________
Jool-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Jool-list@nic.mx">Jool-list@nic.mx</a>
<a class="moz-txt-link-freetext" href="https://mail-lists.nic.mx/listas/listinfo/jool-list">https://mail-lists.nic.mx/listas/listinfo/jool-list</a>
</pre>
</blockquote>
</blockquote>
</body>
</html>