[Jool-list] netfilter mode question or bug

Alberto Leiva ydahhrk at gmail.com
Mon Dec 23 22:28:11 CST 2019


Adding filters complicates it a lot. I have a question: What's
stopping you from adding a TRACE target right before the Jool target?

For example:

iptables -t raw -A PREROUTING <filters> -j TRACE
iptables -t raw -A PREROUTING <filters> -j JOOL (Jool arguments)

That would trace all packets right before they reach Jool.


On Mon, Dec 23, 2019 at 1:01 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>
> Hi Alberto
>
> I tested. It works well, but we need more information in the log for a better trace.
> Because jool siit and jool have the same instance name (for example "default"),
> I can't see which instance matched.
>
> Dec 23 09:35:40 2019 kernel: : [263288.781040] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
> Dec 23 09:35:40 2019 kernel: : [263288.781401] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
> Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> Dec 23 09:35:41 2019 kernel: : [263289.805122] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
> Dec 23 09:35:41 2019 kernel: : [263289.805456] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
> Dec 23 09:35:42 2019 kernel: : [263290.574131] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> Dec 23 09:35:43 2019 kernel: : [263291.574381] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> Dec 23 09:35:43 2019 kernel: : [263291.777504] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136 CODE:0
> Dec 23 09:35:43 2019 kernel: : [263291.885362] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
> Dec 23 09:35:44 2019 kernel: : [263292.574572] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> Dec 23 09:35:45 2019 kernel: : [263293.574838] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>
> # Stateful instances
> +--------------------+-----------------+-----------+
> |          Namespace |            Name | Framework |
> +--------------------+-----------------+-----------+
> |   ffffffff80e868c0 |         default | netfilter |
> +--------------------+-----------------+-----------+
>
> # Stateless instances
> +--------------------+-----------------+-----------+
> |          Namespace |            Name | Framework |
> +--------------------+-----------------+-----------+
> |   ffffffff80e868c0 |         default | netfilter |
> +--------------------+-----------------+-----------+
>
> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
> JOOL:nat64 NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
>
> More information, if possible.
>
> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0 action=nat46 nataddr=2001:db8::a mtu=1400 tos=3 eamt=no blacklist=no bib=no  .... other matched options
>
> Maybe a filter option can be added.
>
> jool global update trace-filter [FILTER OPTIONS]
> --src IPv4,IPv6
> --dst IPv4,IPv6
> --sport
> --dport
> --tcp
> --udp
> --icmp
> --alg ftp|sip #future
>
> thank you for your effort.
>
> Fatih USTA
>
> On 21.12.2019 02:31, Alberto Leiva wrote:
>
> First draft:
> https://nicmx.github.io/Jool/en/usr-flags-global.html#trace
>
> the flag can be found in the latest commit in the master branch:
> https://github.com/NICMx/Jool
>
> On Fri, Dec 20, 2019 at 1:01 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>
> Please note that you might need to update that page in case your
> browser cached it, because I just updated it.
>
> On Fri, Dec 20, 2019 at 1:00 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>
> Currently, there is no tracing configuration flag. If you want, I can add it.
>
> For now, the closest thing is enabling debugging:
> https://nicmx.github.io/Jool/en/logging.html
>
> On Fri, Dec 20, 2019 at 12:12 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>
> I rebooted my system and it worked. But I don't understand why?
> One more question: how can I trace traffic inside jool, like "iptables
> TRACE", for debugging?
>
> BTW:
> jool netfilter/iptables worked without reboot.
>
>
> Thanks.
>
> Fatih USTA
>
> On 19.12.2019 19:11, Alberto Leiva wrote:
>
> Did you try printing stats?
> https://jool.mx/en/usr-flags-stats.html
>
> If Jool is the one dropping the packets, they should tell you why.
>
> On Thu, Dec 19, 2019 at 9:46 AM Alberto Leiva <ydahhrk at gmail.com> wrote:
>
> I hate to be asking this question but, did you try rebooting and doing
> a clean run?
>
> Because it works fine for me, even in my 32/64-bit hybrid...
>
> On Thu, Dec 19, 2019 at 4:54 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>
> Hi
>
> I'm following this(https://www.jool.mx/en/run-vanilla.html) guide.
> iptables mode is working, but netfilter mode doesn't work. What am I
> missing? Or is this a bug?
>
>
> jool_siit -V
> 4.0.6.2 i386
>
> ip{6}tables -V
> v1.6.0 i386
>
> uname -rm
> 3.16.76-4.custom x86_64
>
>
> PC1[eth0] <=>[eth1]Translator[eth2]<=>[eth0]PC2
>
>
> #PC1
> ip addr add 10.200.200.220/23 dev eth0
> ip route add 10.100.100.0/24 via 10.200.200.16
>
> #Translator
> ip addr add 10.200.200.16/23 dev eth1
> ip addr add 2001:db8:a::10.100.100.2/120 dev eth2
>
> sysctl -w net.ipv4.conf.all.forwarding=1
> sysctl -w net.ipv6.conf.all.forwarding=1
>
>
> ethtool --offload eth1 gro off
> ethtool --offload eth2 gro off
>
> LRO is already fixed off by the kernel.
>
>
> jool_siit instance add default --netfilter --pool6 2001:db8:a::/96
>
>
> #PC2
> ip add add 2001:db8:a::10.100.100.11/120 dev eth0
> ip route add 2001:db8:a::10.200.200.0/119 via 2001:db8:a::10.100.100.2
>
>
>
> #Result of netfilter (on Translator)
>
> PC1>PC2
> 12:44:12.234494 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id 9806, seq 1, length 64
> 12:44:12.234647 IP 10.200.200.16 > 10.200.200.220: ICMP net 10.100.100.11 unreachable, length 92
> 12:44:13.255748 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id 9806, seq 2, length 64
> 12:44:13.255825 IP 10.200.200.16 > 10.200.200.220: ICMP net 10.100.100.11 unreachable, length 92
> 12:44:14.279628 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id 9806, seq 3, length 64
> 12:44:14.279704 IP 10.200.200.16 > 10.200.200.220: ICMP net 10.100.100.11 unreachable, length 92
>
>
>
> -- Fatih USTA
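As an added example (not code from this thread or from the Jool project), here is a small Python parser for the Jool trace lines Fatih quoted, covering both the kernel-log form and the "JOOL:siit NAMESPACE:..." form he proposed, plus a check that a traced IPv6 echo reply is the pool6 mirror image of the preceding IPv4 echo request. The pool6 prefix 2001:db8:a::/96 is taken from the translator setup in the thread; the embedding rule (IPv4 address in the low 32 bits of the /96) is the RFC 6052 mapping SIIT uses for it.

```python
import ipaddress
import re

# pool6 from the translator setup quoted in the thread (/96, RFC 6052 style)
POOL6 = ipaddress.IPv6Network("2001:db8:a::/96")

# Matches the kernel-log form ("Jool: INSTANCE:...") as well as the
# "JOOL:siit NAMESPACE:... INSTANCE:..." form proposed in the thread.
LINE_RE = re.compile(
    r"(?:JOOL:(?P<kind>\w+)\s+NAMESPACE:\S+\s+)?"
    r"INSTANCE:(?P<inst>\S+)\s+PROTO:(?P<fam>IPv[46])/(?P<proto>\w+)\s+"
    r"SRC:(?P<src>[^#\s]+)(?:#(?P<sport>\d+))?\s+"
    r"DST:(?P<dst>[^#\s]+)(?:#(?P<dport>\d+))?"
    r"(?:\s+TYPE:(?P<type>\d+)\s+CODE:(?P<code>\d+))?"
)


def parse_trace(line):
    """Return the fields of one Jool trace line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    for k in ("sport", "dport", "type", "code"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def embed(v4, prefix=POOL6):
    """RFC 6052 /96 mapping: the IPv4 address fills the low 32 bits."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def is_echo_reply_to(request_line, reply_line, prefix=POOL6):
    """True if the IPv6 ICMP echo reply mirrors the IPv4 echo request:
    reply source == embedded request destination, and vice versa."""
    req, rep = parse_trace(request_line), parse_trace(reply_line)
    if not (req and rep):
        return False
    if req["fam"] != "IPv4" or rep["fam"] != "IPv6":
        return False
    # ICMPv4 type 8 is echo request; ICMPv6 type 129 is echo reply
    if req["type"] != 8 or rep["type"] != 129:
        return False
    return (rep["src"] == embed(req["dst"], prefix)
            and rep["dst"] == embed(req["src"], prefix))
```

Run over the two consecutive ICMP lines from the log above, the check confirms that 2001:db8:a::a64:640b and 2001:db8:a::ac8:c8dc are exactly 10.100.100.11 and 10.200.200.220 embedded in pool6, which is how you tell a correct translation from a stray packet when every instance is simply called "default".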
