[Jool-list] RFC: Limiting EAM algorithm to specific header fields

Alberto Leiva ydahhrk at gmail.com
Thu Jun 18 12:50:12 CDT 2015


> Here's the setup:

Ok, this did indeed click.
I'll gradually convert it into my setup and see where it breaks.

Thank you!

On Thu, Jun 18, 2015 at 1:42 AM, Tore Anderson <tore at fud.no> wrote:
> * Alberto Leiva <ydahhrk at gmail.com>
>
>> I'll test yours tomorrow :)
>
> Ok so now I re-did my test, and it works fine. Here's the setup:
>
> Ubuntu 14.04.2, kernel 3.13.0-55-generic, Jool from Git branch
> eam-disabled-fields (freshly fetched). One interface (eth0) with
> 185.47.41.5 and 2a02:c0:400:104:218:59ff:fe19:405 assigned, plus
> default routes for both protocols.
>
> Routing on upstream router:
>
> ip route add 2a02:c0::46:43:0:0/96 via 2a02:c0:400:104:218:59ff:fe19:405
> ip route add 185.47.43.0/24 via 185.47.41.5
>
> Jool's init script:
>
> modprobe jool_siit
> /usr/local/bin/jool_siit -6 -f
> /usr/local/bin/jool_siit -6 -a 2a02:c0::46:43:0:0/96
> /usr/local/bin/jool_siit -e -f
> /usr/local/bin/jool_siit -e -a 2a02:c0:200:104::1 185.47.43.1
> /usr/local/bin/jool_siit -e -a 2a02:c0:400:108::1 185.47.43.2
> /usr/local/bin/jool_siit --eam-enabled-fields 222
>
> So rule 3 of the "Simple Hairpinning" isn't implemented, but that makes
> no difference for the test below:
>
> On the host 2a02:c0:200:104::1, I send a TCP SYN packet towards
> [2a02:c0::46:43:185.47.43.2]:6145. This shows up in "tcpdump -i eth0
> port 6145 -en" on the Jool node as follows:
>
> 08:29:27.102565 e4:11:5b:9b:8f:29 > 00:18:59:19:04:05, ethertype IPv6 (0x86dd), length 74: 2a02:c0:200:104::1.42097 > 2a02:c0::46:43:b92f:2b02.6145: Flags [S], seq 2846414660, win 1480, length 0
>
> Initial packet received by Jool node (MAC 00:18:*) sent from the
> upstream router (MAC e4:11:*). No translation yet.
>
> 08:29:27.102639 00:18:59:19:04:05 > e4:11:5b:9b:8f:29, ethertype IPv4 (0x0800), length 54: 185.47.43.1.42097 > 185.47.43.2.6145: Flags [S], seq 2846414660, win 1480, length 0
>
> Standard IPv6 -> IPv4 translation has been performed by Jool and
> translated packet is egressing the Jool node. No hairpinning stuff has
> happened yet.
>
> 08:29:27.102747 e4:11:5b:9b:8f:29 > 00:18:59:19:04:05, ethertype IPv4 (0x0800), length 54: 185.47.43.1.42097 > 185.47.43.2.6145: Flags [S], seq 2846414660, win 1480, length 0
>
> Same packet as the one preceding it, only that it has made a U-turn in
> the upstream router (note how the MAC addresses have reversed).
>
> 08:29:27.102797 00:18:59:19:04:05 > e4:11:5b:9b:8f:29, ethertype IPv6 (0x86dd), length 74: 2a02:c0::46:43:b92f:2b01.42097 > 2a02:c0:400:108::1.6145: Flags [S], seq 2846414660, win 1480, length 0
>
> IPv6 -> IPv4 translation has been performed by Jool and the resulting
> packet is being forwarded back to the upstream router. The
> --eam-enabled-fields stuff came into play here as the source address
> was not translated according to the EAMT. Simple hairpinning success.
>
> Since there's nothing listening on port 6145 of the destination host,
> it originates a TCP reset which is hairpinned back in the same way.
> This TCP reset is received by 2a02:c0:200:104::1 and the application
> gets a "Connection refused" error. So everything works just fine.
>
> 08:29:27.103374 e4:11:5b:9b:8f:29 > 00:18:59:19:04:05, ethertype IPv6 (0x86dd), length 74: 2a02:c0:400:108::1.6145 > 2a02:c0::46:43:b92f:2b01.42097: Flags [R.], seq 0, ack 2846414661, win 0, length 0
> 08:29:27.103387 00:18:59:19:04:05 > e4:11:5b:9b:8f:29, ethertype IPv4 (0x0800), length 54: 185.47.43.2.6145 > 185.47.43.1.42097: Flags [R.], seq 0, ack 2846414661, win 0, length 0
> 08:29:27.103481 e4:11:5b:9b:8f:29 > 00:18:59:19:04:05, ethertype IPv4 (0x0800), length 54: 185.47.43.2.6145 > 185.47.43.1.42097: Flags [R.], seq 0, ack 1, win 0, length 0
> 08:29:27.103495 00:18:59:19:04:05 > e4:11:5b:9b:8f:29, ethertype IPv6 (0x86dd), length 74: 2a02:c0::46:43:b92f:2b02.6145 > 2a02:c0:200:104::1.42097: Flags [R.], seq 0, ack 2846414661, win 0, length 0
>
> The relevant sysctl settings on the Jool node are as follows
> (rp_filter=1, even):
>
> $ grep . /proc/sys/net/ipv*/conf/{eth0,all}/*
> /proc/sys/net/ipv4/conf/eth0/accept_local:0
> /proc/sys/net/ipv4/conf/eth0/accept_redirects:1
> /proc/sys/net/ipv4/conf/eth0/accept_source_route:1
> /proc/sys/net/ipv4/conf/eth0/arp_accept:0
> /proc/sys/net/ipv4/conf/eth0/arp_announce:0
> /proc/sys/net/ipv4/conf/eth0/arp_filter:0
> /proc/sys/net/ipv4/conf/eth0/arp_ignore:0
> /proc/sys/net/ipv4/conf/eth0/arp_notify:0
> /proc/sys/net/ipv4/conf/eth0/bootp_relay:0
> /proc/sys/net/ipv4/conf/eth0/disable_policy:0
> /proc/sys/net/ipv4/conf/eth0/disable_xfrm:0
> /proc/sys/net/ipv4/conf/eth0/force_igmp_version:0
> /proc/sys/net/ipv4/conf/eth0/forwarding:0
> /proc/sys/net/ipv4/conf/eth0/igmpv2_unsolicited_report_interval:10000
> /proc/sys/net/ipv4/conf/eth0/igmpv3_unsolicited_report_interval:1000
> /proc/sys/net/ipv4/conf/eth0/log_martians:0
> /proc/sys/net/ipv4/conf/eth0/mc_forwarding:0
> /proc/sys/net/ipv4/conf/eth0/medium_id:0
> /proc/sys/net/ipv4/conf/eth0/promote_secondaries:0
> /proc/sys/net/ipv4/conf/eth0/proxy_arp:0
> /proc/sys/net/ipv4/conf/eth0/proxy_arp_pvlan:0
> /proc/sys/net/ipv4/conf/eth0/route_localnet:0
> /proc/sys/net/ipv4/conf/eth0/rp_filter:1
> /proc/sys/net/ipv4/conf/eth0/secure_redirects:1
> /proc/sys/net/ipv4/conf/eth0/send_redirects:1
> /proc/sys/net/ipv4/conf/eth0/shared_media:1
> /proc/sys/net/ipv4/conf/eth0/src_valid_mark:0
> /proc/sys/net/ipv4/conf/eth0/tag:0
> /proc/sys/net/ipv6/conf/eth0/accept_dad:1
> /proc/sys/net/ipv6/conf/eth0/accept_ra:2
> /proc/sys/net/ipv6/conf/eth0/accept_ra_defrtr:1
> /proc/sys/net/ipv6/conf/eth0/accept_ra_pinfo:1
> /proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen:0
> /proc/sys/net/ipv6/conf/eth0/accept_ra_rtr_pref:1
> /proc/sys/net/ipv6/conf/eth0/accept_redirects:1
> /proc/sys/net/ipv6/conf/eth0/accept_source_route:0
> /proc/sys/net/ipv6/conf/eth0/autoconf:1
> /proc/sys/net/ipv6/conf/eth0/dad_transmits:1
> /proc/sys/net/ipv6/conf/eth0/disable_ipv6:0
> /proc/sys/net/ipv6/conf/eth0/force_mld_version:0
> /proc/sys/net/ipv6/conf/eth0/force_tllao:0
> /proc/sys/net/ipv6/conf/eth0/forwarding:1
> /proc/sys/net/ipv6/conf/eth0/hop_limit:64
> /proc/sys/net/ipv6/conf/eth0/max_addresses:16
> /proc/sys/net/ipv6/conf/eth0/max_desync_factor:600
> /proc/sys/net/ipv6/conf/eth0/mc_forwarding:0
> /proc/sys/net/ipv6/conf/eth0/mldv1_unsolicited_report_interval:10000
> /proc/sys/net/ipv6/conf/eth0/mldv2_unsolicited_report_interval:1000
> /proc/sys/net/ipv6/conf/eth0/mtu:1500
> /proc/sys/net/ipv6/conf/eth0/ndisc_notify:0
> /proc/sys/net/ipv6/conf/eth0/proxy_ndp:0
> /proc/sys/net/ipv6/conf/eth0/regen_max_retry:3
> /proc/sys/net/ipv6/conf/eth0/router_probe_interval:60
> /proc/sys/net/ipv6/conf/eth0/router_solicitation_delay:1
> /proc/sys/net/ipv6/conf/eth0/router_solicitation_interval:4
> /proc/sys/net/ipv6/conf/eth0/router_solicitations:3
> /proc/sys/net/ipv6/conf/eth0/suppress_frag_ndisc:1
> /proc/sys/net/ipv6/conf/eth0/temp_prefered_lft:86400
> /proc/sys/net/ipv6/conf/eth0/temp_valid_lft:604800
> /proc/sys/net/ipv6/conf/eth0/use_tempaddr:2
> /proc/sys/net/ipv4/conf/all/accept_local:0
> /proc/sys/net/ipv4/conf/all/accept_redirects:1
> /proc/sys/net/ipv4/conf/all/accept_source_route:0
> /proc/sys/net/ipv4/conf/all/arp_accept:0
> /proc/sys/net/ipv4/conf/all/arp_announce:0
> /proc/sys/net/ipv4/conf/all/arp_filter:0
> /proc/sys/net/ipv4/conf/all/arp_ignore:0
> /proc/sys/net/ipv4/conf/all/arp_notify:0
> /proc/sys/net/ipv4/conf/all/bootp_relay:0
> /proc/sys/net/ipv4/conf/all/disable_policy:0
> /proc/sys/net/ipv4/conf/all/disable_xfrm:0
> /proc/sys/net/ipv4/conf/all/force_igmp_version:0
> /proc/sys/net/ipv4/conf/all/forwarding:0
> /proc/sys/net/ipv4/conf/all/igmpv2_unsolicited_report_interval:10000
> /proc/sys/net/ipv4/conf/all/igmpv3_unsolicited_report_interval:1000
> /proc/sys/net/ipv4/conf/all/log_martians:0
> /proc/sys/net/ipv4/conf/all/mc_forwarding:0
> /proc/sys/net/ipv4/conf/all/medium_id:0
> /proc/sys/net/ipv4/conf/all/promote_secondaries:0
> /proc/sys/net/ipv4/conf/all/proxy_arp:0
> /proc/sys/net/ipv4/conf/all/proxy_arp_pvlan:0
> /proc/sys/net/ipv4/conf/all/route_localnet:0
> /proc/sys/net/ipv4/conf/all/rp_filter:1
> /proc/sys/net/ipv4/conf/all/secure_redirects:1
> /proc/sys/net/ipv4/conf/all/send_redirects:1
> /proc/sys/net/ipv4/conf/all/shared_media:1
> /proc/sys/net/ipv4/conf/all/src_valid_mark:0
> /proc/sys/net/ipv4/conf/all/tag:0
> /proc/sys/net/ipv6/conf/all/accept_dad:1
> /proc/sys/net/ipv6/conf/all/accept_ra:1
> /proc/sys/net/ipv6/conf/all/accept_ra_defrtr:1
> /proc/sys/net/ipv6/conf/all/accept_ra_pinfo:1
> /proc/sys/net/ipv6/conf/all/accept_ra_rt_info_max_plen:0
> /proc/sys/net/ipv6/conf/all/accept_ra_rtr_pref:1
> /proc/sys/net/ipv6/conf/all/accept_redirects:1
> /proc/sys/net/ipv6/conf/all/accept_source_route:0
> /proc/sys/net/ipv6/conf/all/autoconf:1
> /proc/sys/net/ipv6/conf/all/dad_transmits:1
> /proc/sys/net/ipv6/conf/all/disable_ipv6:0
> /proc/sys/net/ipv6/conf/all/force_mld_version:0
> /proc/sys/net/ipv6/conf/all/force_tllao:0
> /proc/sys/net/ipv6/conf/all/forwarding:1
> /proc/sys/net/ipv6/conf/all/hop_limit:64
> /proc/sys/net/ipv6/conf/all/max_addresses:16
> /proc/sys/net/ipv6/conf/all/max_desync_factor:600
> /proc/sys/net/ipv6/conf/all/mc_forwarding:0
> /proc/sys/net/ipv6/conf/all/mldv1_unsolicited_report_interval:10000
> /proc/sys/net/ipv6/conf/all/mldv2_unsolicited_report_interval:1000
> /proc/sys/net/ipv6/conf/all/mtu:1280
> /proc/sys/net/ipv6/conf/all/ndisc_notify:0
> /proc/sys/net/ipv6/conf/all/proxy_ndp:0
> /proc/sys/net/ipv6/conf/all/regen_max_retry:3
> /proc/sys/net/ipv6/conf/all/router_probe_interval:60
> /proc/sys/net/ipv6/conf/all/router_solicitation_delay:1
> /proc/sys/net/ipv6/conf/all/router_solicitation_interval:4
> /proc/sys/net/ipv6/conf/all/router_solicitations:3
> /proc/sys/net/ipv6/conf/all/suppress_frag_ndisc:1
> /proc/sys/net/ipv6/conf/all/temp_prefered_lft:86400
> /proc/sys/net/ipv6/conf/all/temp_valid_lft:604800
> /proc/sys/net/ipv6/conf/all/use_tempaddr:2
>
> Hope that helps...
>
> Tore
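Added example (not part of the thread and not Jool's code): a small model of the SIIT address translation that reproduces the four tcpdump lines above from the quoted pool6 prefix and EAMT entries. The per-field policy (EAMT consulted everywhere except for the IPv4 source) is an assumption modelled on the observed trace; how Jool encodes it as "--eam-enabled-fields 222" is not shown on the page.

```python
import ipaddress

# Constructed model of the SIIT setup quoted in the thread (not Jool's code).
POOL6 = ipaddress.ip_network("2a02:c0::46:43:0:0/96")
EAMT = {  # the two "-e -a" entries of the init script, IPv6 -> IPv4
    ipaddress.ip_address("2a02:c0:200:104::1"): ipaddress.ip_address("185.47.43.1"),
    ipaddress.ip_address("2a02:c0:400:108::1"): ipaddress.ip_address("185.47.43.2"),
}
EAMT_V4 = {v4: v6 for v6, v4 in EAMT.items()}

# Assumed per-field policy modelled on the observed trace: the EAMT is consulted
# for every address field except the IPv4 source, which is always pool6-encoded.
# How Jool encodes this as "--eam-enabled-fields 222" is not shown on the page.
HAIRPIN_POLICY = {"v6_src": True, "v6_dst": True, "v4_src": False, "v4_dst": True}
EAM_EVERYWHERE = {k: True for k in HAIRPIN_POLICY}

def v6_to_v4(a6, use_eam):
    """IPv6->IPv4: EAMT first (if enabled for this field), else RFC 6052 pool6."""
    if use_eam and a6 in EAMT:
        return EAMT[a6]
    if a6 not in POOL6:
        raise ValueError(f"{a6}: neither an EAMT entry nor inside pool6")
    return ipaddress.IPv4Address(int(a6) & 0xFFFFFFFF)  # low 32 bits of a /96

def v4_to_v6(a4, use_eam):
    """IPv4->IPv6: EAMT first (if enabled for this field), else embed in pool6."""
    if use_eam and a4 in EAMT_V4:
        return EAMT_V4[a4]
    return ipaddress.IPv6Address(int(POOL6.network_address) | int(a4))

def translate(src, dst, policy):
    """Translate one packet's (src, dst) address strings in whichever direction applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src.version == 6:
        out = (v6_to_v4(src, policy["v6_src"]), v6_to_v4(dst, policy["v6_dst"]))
    else:
        out = (v4_to_v6(src, policy["v4_src"]), v4_to_v6(dst, policy["v4_dst"]))
    return tuple(str(a) for a in out)

def hairpin(client6, target6, policy):
    """client6 sends a SYN to target6 (a pool6 address); the upstream router
    U-turns the IPv4 result back into Jool.  Returns the address pairs of the
    two translated SYNs and the source of the RST as the client finally sees it."""
    syn_v4 = translate(client6, target6, policy)   # 1st pass: IPv6 -> IPv4
    syn_v6 = translate(*syn_v4, policy)            # 2nd pass: U-turned IPv4 -> IPv6
    rst_v6 = (syn_v6[1], syn_v6[0])                # destination host answers
    rst_seen = translate(*translate(*rst_v6, policy), policy)  # hairpinned back
    return syn_v4, syn_v6, rst_seen[0]
```

With EAM_EVERYWHERE the U-turned SYN carries the client's native IPv6 address as source, so the RST does not come back from the pool6 address the client connected to, which is the failure the disabled field avoids.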

