[Jool-list] netfilter mode question or bug

Fatih USTA fatihusta86 at gmail.com
Wed Apr 1 02:12:45 CDT 2020


Thank you for the information and efforts.

Fatih USTA

On 31.03.2020 20:39, Alberto Leiva wrote:
> By the way:
>
> I'm about to release the next official version of Jool. Since the
> current implementation of trace was found to be less than ideal
> (because it prints during (a) and we're still evaluating ideas), I've
> decided to leave it out of the release. Don't worry; all this means is
> that the flag will not be documented in the website. For what it's
> worth, the trace code is still available and usable. But it's also
> bound to be changed in the next release.
>
> On Tue, Mar 31, 2020 at 11:19 AM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>> No one ever wants to print debug messages on the production
>>> system(embedded).
>> Some alarms are going off in my head.
>> Are you implying that you're enabling trace in a production system?
>> Do you do this temporarily? Or is it permanent?
>>
>> If you do it permanently, then are you sure BIB logging isn't enough?
>> It is all you need if you want to track the source of a request.
>> https://jool.mx/en/usr-flags-global.html#logging-bib
>>
>>> two lines
>>>
>>> (ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>>> (ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
>> Here's another observation: If a packet translation fails, then trace
>> will not tell you why. Only debug will. So trace is not the best tool
>> for debugging.
>>
>> Here's an example of a failed translation, reported by debug:
>>
>>      Jool: ===============================================
>>      Jool: Jool instance 'default': Received a v6 packet.
>>      Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
>>      Jool: Step 1: Determining the Incoming Tuple
>>      Jool: Tuple: 2001:db8::5#2000 -> 64:ff9b::c000:205#4000 (UDP)
>>      Jool: Done step 1.
>>      Jool: Step 2: Filtering and Updating
>>      Jool: BIB entry: 2001:db8::5#2000 - 192.0.2.2#2000 (UDP)
>>      Jool: Session entry: 2001:db8::5#2000 - 64:ff9b::c000:205#4000 |
>> 192.0.2.2#2000 - 192.0.2.5#4000 (UDP)
>>      Jool: Done: Step 2.
>>      Jool: Step 3: Computing the Outgoing Tuple
>>      Jool: Tuple: 192.0.2.2#2000 -> 192.0.2.5#4000 (UDP)
>>      Jool: Done step 3.
>>      Jool: Step 4: Translating the Packet
>>      Jool: Done step 4.
>>      Jool: Packet routed via device 'to_world_v4'.
>>      Jool: Sending skb.
>>      Jool: Packet is too big (len: 1261, mtu: 1000).
>>      Jool: Sending ICMPv6 error: ICMPERR_FRAG_NEEDED, type: 2, code: 0,
>> rest: 1280
>>      Jool: Dropping packet.
>>
>>> I'm not sure. Perhaps the debug option may be merged with trace.
>> This might be the best option if tracing something in all the steps
>> (a, b, c and d) is optimal.
>>
>> Proposal: Upgrade the most important debug messages so they'll also
>> appear when trace is enabled.
>>
>> Eg. if this is debug logging:
>>
>>      Jool: ===============================================
>>      Jool: Jool instance 'abcd/default/nat64': Received a v6 packet.
>>      Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
>>      Jool: Step 1: Determining the Incoming Tuple
>>      Jool: In Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
>>      Jool: Done step 1.
>>      Jool: Step 2: Filtering and Updating
>>      Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
>>      Jool: Session entry: 2001:db8::5#25567 - 64:ff9b::c000:205#25567 |
>> 192.0.2.2#2949 - 192.0.2.5#2949 (ICMP)
>>      Jool: Done: Step 2.
>>      Jool: Step 3: Computing the Outgoing Tuple
>>      Jool: Out Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
>>      Jool: Done step 3.
>>      Jool: Step 4: Translating the Packet
>>      Jool: Done step 4.
>>      Jool: Packet routed via device 'to_world_v4'.
>>      Jool: Sending skb.
>>      Jool: Sent.
>>
>> Then make it so the following is printed by trace:
>>
>>      Jool: Jool instance 'abcd/default/nat64': Received a v6 packet.
>>      Jool: In Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
>>      Jool: Out Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
>>      Jool: Sent.
>>
>> That's one message for every step. And if the user wants to see the BIB
>> as well, they can enable bib-logging as well.
>>
>> Advantages:
>> 1. Generates less code clutter than specialized messages.
>> 2. Prints something in every relevant step.
>>
>> Disadvantages:
>> 1. Does not print error messages.
>>
>> Another possible solution: Upgrade debug messages to a global
>> configuration value.
>> That is, never remove debug messages from a binary, but only print
>> them if the user ran `jool global update debug true`.
>>
>> Advantages:
>> 1. Minimal code clutter.
>> 2. Most user friendly; you don't need to recompile the whole thing if
>> you want to improvise some debugging.
>> 3. You can see error messages.
>>
>> Disadvantages:
>> 1. Slightly slower than compiling messages out of the binaries (but
>> really not by much).
>> 2. Debug messages may be too many for comfort.
>>
>>> (ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>> I should probably have asked this before, but what does "(ID1)" stand for?
>>
>> On Tue, Mar 31, 2020 at 1:42 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>> I know the DEBUG option. but,
>>>
>>> "Debug messages are normally compiled out of Jool’s binaries because
>>> they are lots and can slow things down. If you are testing or
>>> troubleshooting however, they can be of help."
>>>
>>> No one ever wants to print debug messages on the production
>>> system(embedded).
>>>
>>> But you're right, it means two versions of same thing.
>>> I'm not sure. Perhaps the debug option may be merged with trace.
>>>
>>> Another option.
>>> Option "b"+"c" looks good in this case.
>>> For "b" with matched rules(bib,eamt,blacklist) info in 2 lines or one line.
>>>
>>> b option with trace level 2
>>>
>>> two lines
>>>
>>> (ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>>> (ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
>>>
>>> (ID1)> Translated(c):
>>>
>>> one line
>>>
>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
>>> SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
>>> CODE:0 ID:16384 Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>>> (ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
>>>
>>>
>>>
>>> Fatih USTA
>>>
>>> On 30.03.2020 18:33, Alberto Leiva wrote:
>>>> Ok, but
>>>>
>>>> Are you aware of debug logging?
>>>> https://jool.mx/en/logging.html
>>>>
>>>> If trace is meant to happen more than once, then isn't it becoming a
>>>> redundant version of -DDEBUG? (I'd rather not have to maintain two
>>>> versions of the same thing...)
>>>>
>>>> Here is everything -DDEBUG prints me during a successful ping translation:
>>>>
>>>>       Jool: ===============================================
>>>>       Jool: Jool instance 'default': Received a v6 packet.
>>>>       Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
>>>>       Jool: Step 1: Determining the Incoming Tuple
>>>>       Jool: Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
>>>>       Jool: Done step 1.
>>>>       Jool: Step 2: Filtering and Updating
>>>>       Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
>>>>       Jool: Session entry: 2001:db8::5#25567 - 64:ff9b::c000:205#25567 |
>>>> 192.0.2.2#2949 - 192.0.2.5#2949 (ICMP)
>>>>       Jool: Done: Step 2.
>>>>       Jool: Step 3: Computing the Outgoing Tuple
>>>>       Jool: Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
>>>>       Jool: Done step 3.
>>>>       Jool: Step 4: Translating the Packet
>>>>       Jool: Done step 4.
>>>>       Jool: Packet routed via device 'to_world_v4'.
>>>>       Jool: Sending skb.
>>>>       Jool: Success.
>>>>
>>>> Admittedly, it's not printing the instance namespace, the instance
>>>> type (SIIT vs NAT64), the ICMP type nor the ICMP code. But that could
>>>> be added.
>>>>
>>>> Do you reckon trace still needs to exist?
>>>>
>>>> On Sun, Mar 29, 2020 at 11:51 PM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>> Hi
>>>>>
>>>>> If we should choose one of them, I choose option c. But I will choose all
>>>>> of them, if it is possible.
>>>>> Because we are using trace for debugging, we may need to trace every
>>>>> process (possible) in Jool.
>>>>>
>>>>> 1(ID1)>Received(a)
>>>>> 2(ID1)>Processing(b) - matched instance and rules
>>>>> 3(ID1)>Translated/NonTranslated(c)
>>>>> 4(ID1)>Send(d)
>>>>>
>>>>> Maybe this will be a trace level option.
>>>>>
>>>>>
>>>>> Fatih USTA
>>>>>
>>>>> On 28.03.2020 01:23, Alberto Leiva wrote:
>>>>>> Question:
>>>>>>
>>>>>> What is the ideal point in time at which Jool should print the trace?
>>>>>>
>>>>>> a) As soon as it receives a packet
>>>>>> b) Somewhere in the middle of a translation (when?)
>>>>>> c) After having translated successfully, right before sending the packet
>>>>>> d) After sending the packet
>>>>>>
>>>>>> The trace is currently being printed during a).
>>>>>> I think the answer depends on whether the trace is intended to show
>>>>>> all packets, or only the packets that will end up translated
>>>>>> successfully.
>>>>>>
>>>>>> On Mon, Jan 6, 2020 at 9:13 AM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>> But TCP and UDP do not have ICMP identifiers. They have ports, which
>>>>>>> are being printed after the hash symbol of each corresponding IP
>>>>>>> address.
>>>>>>>
>>>>>>> eg.
>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>
>>>>>>> source address: 10.200.200.220
>>>>>>> destination address: 10.100.100.11
>>>>>>> TCP source port: 80
>>>>>>> TCP destination port: 47230
>>>>>>>
>>>>>>> On Mon, Jan 6, 2020 at 12:35 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>> I mean, ID only showing icmp packets. Is it possible for tcp or udp?
>>>>>>>>
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.480540] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
>>>>>>>> SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
>>>>>>>> CODE:0 ID:16384
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506080] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506413] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506657] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506759] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.507000] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508352] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508440] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508720] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508825] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508903] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.509130] Jool:
>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>>
>>>>>>>>
>>>>>>>> Fatih USTA
>>>>>>>>
>>>>>>>> On 1.01.2020 00:36, Alberto Leiva wrote:
>>>>>>>>> Sorry, I don't understand you. What do you mean "tcp4/6, udp4/6"?
>>>>>>>>>
>>>>>>>>> On Mon, Dec 30, 2019 at 12:43 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> It looks good.
>>>>>>>>>> TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
>>>>>>>>>> MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
>>>>>>>>>> DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48678 DF
>>>>>>>>>> PROTO=ICMP TYPE=8 CODE=0 ID=2985 SEQ=1
>>>>>>>>>> Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP
>>>>>>>>>> SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:2985
>>>>>>>>>> ......
>>>>>>>>>> Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
>>>>>>>>>> SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0 ID:2985
>>>>>>>>>> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
>>>>>>>>>> DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21649 PROTO=ICMP
>>>>>>>>>> TYPE=0 CODE=0 ID=2985 SEQ=1
>>>>>>>>>>
>>>>>>>>>> I think that's enough, but what do you think about the tcp4/6, udp4/6?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> Fatih USTA
>>>>>>>>>>
>>>>>>>>>> On 30.12.2019 06:47, Alberto Leiva wrote:
>>>>>>>>>>> Hello
>>>>>>>>>>>
>>>>>>>>>>> Sorry I can't answer immediately.
>>>>>>>>>>> I just uploaded a commit adding instance stateness and namespace, as
>>>>>>>>>>> well as the ICMP ID for ICMP traces.
>>>>>>>>>>>
>>>>>>>>>>> How does it look?
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Dec 24, 2019 at 12:52 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>> You're right, I can write the iptables trace rule. It's just an idea for a better trace in jool. If I have 1Gbit traffic when I enable trace, many logs will come. Actually not important.
>>>>>>>>>>>>
>>>>>>>>>>>> Last thing, it would be nice to have ID into log for package relation like iptables.
>>>>>>>>>>>>
>>>>>>>>>>>> TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP TYPE=8 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>> TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT= MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP TYPE=8 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>> TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP TYPE=8 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>
>>>>>>>>>>>> Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
>>>>>>>>>>>>
>>>>>>>>>>>> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2 SRC=2001:0db8:000a:0000:0000:0000:0ac8:c8dc DST=2001:0db8:000a:0000:0000:0000:0a64:640b LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>> TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT= MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd SRC=2001:0db8:000a:0000:0000:0000:0a64:640b DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>> TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT= MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd SRC=2001:0db8:000a:0000:0000:0000:0a64:640b DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>
>>>>>>>>>>>> Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
>>>>>>>>>>>>
>>>>>>>>>>>> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11 DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52293 PROTO=ICMP TYPE=0 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Fatih USTA
>>>>>>>>>>>>
>>>>>>>>>>>> On 24.12.2019 07:28, Alberto Leiva wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Adding filters complicates it a lot. I have a question: What's
>>>>>>>>>>>> stopping you from adding a TRACE target right before the Jool target?
>>>>>>>>>>>>
>>>>>>>>>>>> for example
>>>>>>>>>>>>
>>>>>>>>>>>> iptables -t raw -A PREROUTING <filters> -j TRACE
>>>>>>>>>>>> iptables -t raw -A PREROUTING <filters> -j JOOL (Jool arguments)
>>>>>>>>>>>>
>>>>>>>>>>>> That would trace all packets right before they reach Jool.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Dec 23, 2019 at 1:01 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Alberto
>>>>>>>>>>>>
>>>>>>>>>>>> I tested. Works well, but we need more information in log for better trace.
>>>>>>>>>>>> Because jool siit and jool have same instance name. For example Default.
>>>>>>>>>>>> I can't see which one instance matched.
>>>>>>>>>>>>
>>>>>>>>>>>> Dec 23 09:35:40 2019 kernel: : [263288.781040] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
>>>>>>>>>>>> Dec 23 09:35:40 2019 kernel: : [263288.781401] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
>>>>>>>>>>>> Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>> Dec 23 09:35:41 2019 kernel: : [263289.805122] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
>>>>>>>>>>>> Dec 23 09:35:41 2019 kernel: : [263289.805456] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
>>>>>>>>>>>> Dec 23 09:35:42 2019 kernel: : [263290.574131] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>> Dec 23 09:35:43 2019 kernel: : [263291.574381] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>> Dec 23 09:35:43 2019 kernel: : [263291.777504] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136 CODE:0
>>>>>>>>>>>> Dec 23 09:35:43 2019 kernel: : [263291.885362] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
>>>>>>>>>>>> Dec 23 09:35:44 2019 kernel: : [263292.574572] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>> Dec 23 09:35:45 2019 kernel: : [263293.574838] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>>
>>>>>>>>>>>> # Stateful instances
>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>> |          Namespace |            Name | Framework |
>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>> |   ffffffff80e868c0 |         default | netfilter |
>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>
>>>>>>>>>>>> # Stateless instances
>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>> |          Namespace |            Name | Framework |
>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>> |   ffffffff80e868c0 |         default | netfilter |
>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>
>>>>>>>>>>>> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
>>>>>>>>>>>> JOOL:nat64 NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
>>>>>>>>>>>>
>>>>>>>>>>>> More information, if it is possible.
>>>>>>>>>>>>
>>>>>>>>>>>> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0 action=nat46 nataddr=2001:db8::a mtu=1400 tos=3 eamt=no blacklist=no bib=no  .... other matched options
>>>>>>>>>>>>
>>>>>>>>>>>> Maybe a filter option can be added.
>>>>>>>>>>>>
>>>>>>>>>>>> jool global update trace-filter [FILTER OPTIONS]
>>>>>>>>>>>> --src IPv4,IPv6
>>>>>>>>>>>> --dst IPv4,IPv6
>>>>>>>>>>>> --sport
>>>>>>>>>>>> --dport
>>>>>>>>>>>> --tcp
>>>>>>>>>>>> --udp
>>>>>>>>>>>> --icmp
>>>>>>>>>>>> --alg ftp|sip #future
>>>>>>>>>>>>
>>>>>>>>>>>> thank you for your effort.
>>>>>>>>>>>>
>>>>>>>>>>>> Fatih USTA
>>>>>>>>>>>>
>>>>>>>>>>>> On 21.12.2019 02:31, Alberto Leiva wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> First draft:
>>>>>>>>>>>> https://nicmx.github.io/Jool/en/usr-flags-global.html#trace
>>>>>>>>>>>>
>>>>>>>>>>>> the flag can be found in the latest commit in the master branch:
>>>>>>>>>>>> https://github.com/NICMx/Jool
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Dec 20, 2019 at 1:01 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Please note that you might need to update that page in case your
>>>>>>>>>>>> browser cached it, because I just updated it.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Dec 20, 2019 at 1:00 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Currently, there is no tracing configuration flag. If you want, I can add it.
>>>>>>>>>>>>
>>>>>>>>>>>> For now, the closest thing is enabling debugging:
>>>>>>>>>>>> https://nicmx.github.io/Jool/en/logging.html
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Dec 20, 2019 at 12:12 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I rebooted my system and it worked. But I don't understand why?
>>>>>>>>>>>> One more question. How can I trace traffic inside jool like "iptables
>>>>>>>>>>>> TRACE" for debugging.
>>>>>>>>>>>>
>>>>>>>>>>>> BTW:
>>>>>>>>>>>> jool netfilter/iptables worked without reboot.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> Fatih USTA
>>>>>>>>>>>>
>>>>>>>>>>>> On 19.12.2019 19:11, Alberto Leiva wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Did you try printing stats?
>>>>>>>>>>>> https://jool.mx/en/usr-flags-stats.html
>>>>>>>>>>>>
>>>>>>>>>>>> If Jool is the one dropping the packets, they should tell you why.
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Dec 19, 2019 at 9:46 AM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> I hate to be asking this question but, did you try rebooting and doing
>>>>>>>>>>>> a clean run?
>>>>>>>>>>>>
>>>>>>>>>>>> Because it works fine for me, even in my 32/64-bit hybrid...
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Dec 19, 2019 at 4:54 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi
>>>>>>>>>>>>
>>>>>>>>>>>> I'm following this(https://www.jool.mx/en/run-vanilla.html) guide.
>>>>>>>>>>>> IPTables mode working, but netfilter mode doesn't work. What am I
>>>>>>>>>>>> missing? or is this a bug?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> jool_siit -V
>>>>>>>>>>>> 4.0.6.2 i386
>>>>>>>>>>>>
>>>>>>>>>>>> ip{6}tables -V
>>>>>>>>>>>> v1.6.0 i386
>>>>>>>>>>>>
>>>>>>>>>>>> uname -rm
>>>>>>>>>>>> 3.16.76-4.custom x86_64
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> PC1[eth0] <=>[eth1]Translator[eth2]<=>[eth0]PC2
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> #PC1
>>>>>>>>>>>> ip addr add 10.200.200.220/23 dev eth0
>>>>>>>>>>>> ip route add 10.100.100.0/24 via 10.200.200.16
>>>>>>>>>>>>
>>>>>>>>>>>> #Translator
>>>>>>>>>>>> ip addr add 10.200.200.16/23 dev eth1
>>>>>>>>>>>> ip addr add 2001:db8:a::10.100.100.2/120 dev eth2
>>>>>>>>>>>>
>>>>>>>>>>>> sysctl -w net.ipv4.conf.all.forwarding=1
>>>>>>>>>>>> sysctl -w net.ipv6.conf.all.forwarding=1
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ethtool --offload eth1 gro off
>>>>>>>>>>>> ethtool --offload eth2 gro off
>>>>>>>>>>>>
>>>>>>>>>>>> lro already fixed off by kernel.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> jool_siit instance add default --netfilter --pool6 2001:db8:a::/96
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> #PC2
>>>>>>>>>>>> ip add add 2001:db8:a::10.100.100.11/120 dev eth0
>>>>>>>>>>>> ip route add 2001:db8:a::10.200.200.0/119 via 2001:db8:a::10.100.100.2
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> #Result of netfilter (on Translator)
>>>>>>>>>>>>
>>>>>>>>>>>> PC1>PC2
>>>>>>>>>>>> 12:44:12.234494 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
>>>>>>>>>>>> 9806, seq 1, length 64
>>>>>>>>>>>> 12:44:12.234647 IP 10.200.200.16 > 10.200.200.220: ICMP net
>>>>>>>>>>>> 10.100.100.11 unreachable, length 92
>>>>>>>>>>>> 12:44:13.255748 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
>>>>>>>>>>>> 9806, seq 2, length 64
>>>>>>>>>>>> 12:44:13.255825 IP 10.200.200.16 > 10.200.200.220: ICMP net
>>>>>>>>>>>> 10.100.100.11 unreachable, length 92
>>>>>>>>>>>> 12:44:14.279628 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
>>>>>>>>>>>> 9806, seq 3, length 64
>>>>>>>>>>>> 12:44:14.279704 IP 10.200.200.16 > 10.200.200.220: ICMP net
>>>>>>>>>>>> 10.100.100.11 unreachable, length 92
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> -- Fatih USTA
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Jool-list mailing list
>>>>>>>>>>>> Jool-list at nic.mx
>>>>>>>>>>>> https://mail-lists.nic.mx/listas/listinfo/jool-list
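
The thread notes that trace does not report why a translation failed, while debug output does. The following added example (not part of the thread and not Jool project code) splits debug output into one record per packet and lists the packets that were not confirmed as translated, with the messages that explain the drop. It assumes the message wording shown in the debug samples quoted above; `parse_debug`, `failures` and the sample log are constructed for illustration.

```python
import re

# Constructed sample modelled on the debug output quoted in the thread.
# The "kernel: [...]" prefix is a constructed stand-in for a syslog prefix.
SAMPLE = """\
Jool: ===============================================
Jool: Jool instance 'default': Received a v6 packet.
Jool: Step 1: Determining the Incoming Tuple
Jool: Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
Jool: Step 2: Filtering and Updating
Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
Jool: Step 3: Computing the Outgoing Tuple
Jool: Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
Jool: Step 4: Translating the Packet
Jool: Sending skb.
Jool: Success.
kernel: [100.2] Jool: ===============================================
kernel: [100.2] Jool: Jool instance 'default': Received a v6 packet.
kernel: [100.2] Jool: Step 1: Determining the Incoming Tuple
kernel: [100.2] Jool: Tuple: 2001:db8::5#2000 -> 64:ff9b::c000:205#4000 (UDP)
kernel: [100.2] Jool: Step 3: Computing the Outgoing Tuple
kernel: [100.2] Jool: Tuple: 192.0.2.2#2000 -> 192.0.2.5#4000 (UDP)
kernel: [100.2] Jool: Step 4: Translating the Packet
kernel: [100.2] Jool: Sending skb.
kernel: [100.2] Jool: Packet is too big (len: 1261, mtu: 1000).
kernel: [100.2] Jool: Sending ICMPv6 error: ICMPERR_FRAG_NEEDED, type: 2, code: 0, rest: 1280
kernel: [100.2] Jool: Dropping packet.
Jool: ===============================================
Jool: Jool instance 'default': Received a v6 packet.
Jool: Step 1: Determining the Incoming Tuple
"""

TUPLE = re.compile(r"Tuple: (\S+)#(\d+) -> (\S+)#(\d+) \((\w+)\)")
RECEIVED = re.compile(r"Jool instance '([^']+)': Received a (v[46]) packet")
STEP = re.compile(r"Step (\d+):")
# Routine progress messages (assumed from the thread's samples); anything
# else inside a packet block is kept as a note, e.g. the reason for a drop.
PROGRESS = ("Done", "BIB entry:", "Session entry:",
            "Packet addresses:", "Packet routed", "Sending skb")

def parse_debug(text):
    """Split Jool debug output into one record per packet."""
    packets, cur = [], None
    for line in text.splitlines():
        _, found, msg = line.partition("Jool: ")   # drop any syslog prefix
        if not found:
            continue                               # wrapped or foreign line
        msg = msg.strip()
        if msg.startswith("====="):                # separator: new packet
            cur = {"instance": None, "family": None, "in": None, "out": None,
                   "step": 0, "outcome": "unknown", "notes": []}
            packets.append(cur)
        elif cur is None:
            continue                               # before first separator
        elif (m := RECEIVED.search(msg)):
            cur["instance"], cur["family"] = m.groups()
        elif (m := TUPLE.search(msg)):
            src, sport, dst, dport, proto = m.groups()
            # First tuple in a block is the incoming one, second the outgoing.
            key = "out" if cur["in"] else "in"
            cur[key] = (src, int(sport), dst, int(dport), proto)
        elif (m := STEP.match(msg)):
            cur["step"] = int(m.group(1))          # last step reached
        elif msg in ("Success.", "Sent."):
            cur["outcome"] = "translated"
        elif msg == "Dropping packet.":
            cur["outcome"] = "dropped"
        elif not msg.startswith(PROGRESS):
            cur["notes"].append(msg)
    return packets

def failures(packets):
    """Packets not confirmed as translated (dropped, or log cut short)."""
    return [p for p in packets if p["outcome"] != "translated"]

if __name__ == "__main__":
    for p in failures(parse_debug(SAMPLE)):
        print(p["outcome"], "at step", p["step"], p["in"], p["notes"])
```

A record with outcome `unknown` means the block ended without a terminal message, which is what a truncated or rate-limited kernel log looks like.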

