[Jool-list] netfilter mode question or bug

Fatih USTA fatihusta86 at gmail.com
Fri Jul 17 02:39:22 CDT 2020


Hi,

Fatih USTA

On 16.07.2020 18:48, Alberto Leiva wrote:
> Hey, guys.
>
> I've spent some days upgrading debug into a runtime toggle, and I'm
> reviving this thread to announce that, because I see trace and debug
> as essentially the same feature, I intend to merge all the trace
> information into debug in Jool 4.1.2. (In other words, trace is no
> longer going to exist.)
I think there is no problem here. I agree with you.
>
>      sudo jool global update debug true
>
> Sample IPv4 packet translation (SIIT):
>
>      Jool SIIT/3c6ea680/default: ===============================================
>      Jool SIIT/3c6ea680/default: Packet: 198.51.100.2->192.0.2.33
>      Jool SIIT/3c6ea680/default: UDP 2000->4000
>      Jool SIIT/3c6ea680/default: Translating the Packet.
>      Jool SIIT/3c6ea680/default: Result:
> 2001:db8:1c6:3364:2::->2001:db8:1c0:2:21::
>      Jool SIIT/3c6ea680/default: Routing:
> 2001:db8:1c6:3364:2::->2001:db8:1c0:2:21::
>      Jool SIIT/3c6ea680/default: Packet routed via device 'to_client_v6'.
>      Jool SIIT/3c6ea680/default: Sending skb.
>      Jool SIIT/3c6ea680/default: Success.
>
> Sample IPv6 packet translation (Stateful NAT64):
>
>      Jool NAT64/3c6ea680/default: ===============================================
>      Jool NAT64/3c6ea680/default: Packet: 2001:db8::5->64:ff9b::c000:205
>      Jool NAT64/3c6ea680/default: TCP 2000->4000
>      Jool NAT64/3c6ea680/default: Step 1: Determining the Incoming Tuple
>      Jool NAT64/3c6ea680/default: Tuple: 2001:db8::5#2000 ->
> 64:ff9b::c000:205#4000 (TCP)
>      Jool NAT64/3c6ea680/default: Done step 1.
>      Jool NAT64/3c6ea680/default: Step 2: Filtering and Updating
>      Jool NAT64/3c6ea680/default: BIB entry: 2001:db8::5#2000 -
> 192.0.2.2#2000 (TCP)
>      Jool NAT64/3c6ea680/default: Session entry: 2001:db8::5#2000 -
> 64:ff9b::c000:205#4000 | 192.0.2.2#2000 - 192.0.2.5#4000 (TCP)
>      Jool NAT64/3c6ea680/default: Done: Step 2.
>      Jool NAT64/3c6ea680/default: Step 3: Computing the Outgoing Tuple
>      Jool NAT64/3c6ea680/default: Tuple: 192.0.2.2#2000 -> 192.0.2.5#4000 (TCP)
>      Jool NAT64/3c6ea680/default: Done step 3.
>      Jool NAT64/3c6ea680/default: Step 4: Translating the Packet
>      Jool NAT64/3c6ea680/default: Routing: 192.0.2.2->192.0.2.5
>      Jool NAT64/3c6ea680/default: Packet routed via device 'to_client_v4'.
>      Jool NAT64/3c6ea680/default: Done step 4.
>      Jool NAT64/3c6ea680/default: Sending skb.
>      Jool NAT64/3c6ea680/default: Success.
>
> If you have any issues with this, you have probably about a week to voice them.

Output looks good.

Thank you for your effort.

> Alberto
>
> On Wed, Apr 1, 2020 at 1:12 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>> Thank you for the information and efforts.
>>
>> Fatih USTA
>>
>> On 31.03.2020 20:39, Alberto Leiva wrote:
>>> By the way:
>>>
>>> I'm about to release the next official version of Jool. Since the
>>> current implementation of trace was found to be less than ideal
>>> (because it prints during (a) and we're still evaluating ideas), I've
>>> decided to leave it out of the release. Don't worry; all this means is
>>> that the flag will not be documented in the website. For what it's
>>> worth, the trace code is still available and usable. But it's also
>>> bound to be changed in the next release.
>>>
>>> On Tue, Mar 31, 2020 at 11:19 AM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>> No one ever wants to print debug messages on the production
>>>>> system(embedded).
>>>> Some alarms are going off in my head.
>>>> Are you implying that you're enabling trace in a production system?
>>>> Do you do this temporarily? Or is it permanent?
>>>>
>>>> If you do it permanently, then are you sure BIB logging isn't enough?
>>>> It is all you need if you want to track the source of a request.
>>>> https://jool.mx/en/usr-flags-global.html#logging-bib
>>>>
>>>>> two lines
>>>>>
>>>>> (ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>>>>> (ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
>>>> Here's another observation: If a packet translation fails, then trace
>>>> will not tell you why. Only debug will. So trace is not the best tool
>>>> for debugging.
>>>>
>>>> Here's an example of a failed translation, reported by debug:
>>>>
>>>>       Jool: ===============================================
>>>>       Jool: Jool instance 'default': Received a v6 packet.
>>>>       Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
>>>>       Jool: Step 1: Determining the Incoming Tuple
>>>>       Jool: Tuple: 2001:db8::5#2000 -> 64:ff9b::c000:205#4000 (UDP)
>>>>       Jool: Done step 1.
>>>>       Jool: Step 2: Filtering and Updating
>>>>       Jool: BIB entry: 2001:db8::5#2000 - 192.0.2.2#2000 (UDP)
>>>>       Jool: Session entry: 2001:db8::5#2000 - 64:ff9b::c000:205#4000 |
>>>> 192.0.2.2#2000 - 192.0.2.5#4000 (UDP)
>>>>       Jool: Done: Step 2.
>>>>       Jool: Step 3: Computing the Outgoing Tuple
>>>>       Jool: Tuple: 192.0.2.2#2000 -> 192.0.2.5#4000 (UDP)
>>>>       Jool: Done step 3.
>>>>       Jool: Step 4: Translating the Packet
>>>>       Jool: Done step 4.
>>>>       Jool: Packet routed via device 'to_world_v4'.
>>>>       Jool: Sending skb.
>>>>       Jool: Packet is too big (len: 1261, mtu: 1000).
>>>>       Jool: Sending ICMPv6 error: ICMPERR_FRAG_NEEDED, type: 2, code: 0,
>>>> rest: 1280
>>>>       Jool: Dropping packet.
>>>>
>>>>> I'm not sure. Perhaps the debug option may be merged with trace.
>>>> This might be the best option if tracing something in all the steps
>>>> (a, b, c and d) is optimal.
>>>>
>>>> Proposal: Upgrade the most important debug messages so they'll also
>>>> appear when trace is enabled.
>>>>
>>>> Eg. if this is debug logging:
>>>>
>>>>       Jool: ===============================================
>>>>       Jool: Jool instance 'abcd/default/nat64': Received a v6 packet.
>>>>       Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
>>>>       Jool: Step 1: Determining the Incoming Tuple
>>>>       Jool: In Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
>>>>       Jool: Done step 1.
>>>>       Jool: Step 2: Filtering and Updating
>>>>       Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
>>>>       Jool: Session entry: 2001:db8::5#25567 - 64:ff9b::c000:205#25567 |
>>>> 192.0.2.2#2949 - 192.0.2.5#2949 (ICMP)
>>>>       Jool: Done: Step 2.
>>>>       Jool: Step 3: Computing the Outgoing Tuple
>>>>       Jool: Out Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
>>>>       Jool: Done step 3.
>>>>       Jool: Step 4: Translating the Packet
>>>>       Jool: Done step 4.
>>>>       Jool: Packet routed via device 'to_world_v4'.
>>>>       Jool: Sending skb.
>>>>       Jool: Sent.
>>>>
>>>> Then make it so the following is printed by trace:
>>>>
>>>>       Jool: Jool instance 'abcd/default/nat64': Received a v6 packet.
>>>>       Jool: In Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
>>>>       Jool: Out Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
>>>>       Jool: Sent.
>>>>
>>>> That's one message for every step. And if the user wants to see the BIB
>>>> as well, they can enable bib-logging as well.
>>>>
>>>> Advantages:
>>>> 1. Generates less code clutter than specialized messages.
>>>> 2. Prints something in every relevant step.
>>>>
>>>> Disadvantages:
>>>> 1. Does not print error messages.
>>>>
>>>> Another possible solution: Upgrade debug messages to a global
>>>> configuration value.
>>>> That is, never remove debug messages from a binary, but only print
>>>> them if the user ran `jool global update debug true`.
>>>>
>>>> Advantages:
>>>> 1. Minimal code clutter.
>>>> 2. Most user friendly; you don't need to recompile the whole thing if
>>>> you want to improvise some debugging.
>>>> 3. You can see error messages.
>>>>
>>>> Disadvantages:
>>>> 1. Slightly slower than compiling messages out of the binaries (but
>>>> really not by much).
>>>> 2. Debug messages may be too many for comfort.
>>>>
>>>>> (ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>>>> I should probably have asked this before, but what does "(ID1)" stand for?
>>>>
>>>> On Tue, Mar 31, 2020 at 1:42 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>> I know the DEBUG option, but:
>>>>>
>>>>> "Debug messages are normally compiled out of Jool’s binaries because
>>>>> they are lots and can slow things down. If you are testing or
>>>>> troubleshooting however, they can be of help."
>>>>>
>>>>> No one ever wants to print debug messages on the production
>>>>> system(embedded).
>>>>>
>>>>> But you're right, it means two versions of the same thing.
>>>>> I'm not sure. Perhaps the debug option may be merged with trace.
>>>>>
>>>>> Another option:
>>>>> Option "b"+"c" looks good in this case.
>>>>> For "b", with matched rules (bib, eamt, blacklist) info in 2 lines or one line.
>>>>>
>>>>> b option with trace level 2
>>>>>
>>>>> two lines
>>>>>
>>>>> (ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>>>>> (ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
>>>>>
>>>>> (ID1)> Translated(c):
>>>>>
>>>>> one line
>>>>>
>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
>>>>> SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
>>>>> CODE:0 ID:16384 Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
>>>>> (ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
>>>>>
>>>>>
>>>>>
>>>>> Fatih USTA
>>>>>
>>>>> On 30.03.2020 18:33, Alberto Leiva wrote:
>>>>>> Ok, but
>>>>>>
>>>>>> Are you aware of debug logging?
>>>>>> https://jool.mx/en/logging.html
>>>>>>
>>>>>> If trace is meant to happen more than once, then isn't it becoming a
>>>>>> redundant version of -DDEBUG? (I'd rather not have to maintain two
>>>>>> versions of the same thing...)
>>>>>>
>>>>>> Here is everything -DDEBUG prints me during a successful ping translation:
>>>>>>
>>>>>>        Jool: ===============================================
>>>>>>        Jool: Jool instance 'default': Received a v6 packet.
>>>>>>        Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
>>>>>>        Jool: Step 1: Determining the Incoming Tuple
>>>>>>        Jool: Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
>>>>>>        Jool: Done step 1.
>>>>>>        Jool: Step 2: Filtering and Updating
>>>>>>        Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
>>>>>>        Jool: Session entry: 2001:db8::5#25567 - 64:ff9b::c000:205#25567 |
>>>>>> 192.0.2.2#2949 - 192.0.2.5#2949 (ICMP)
>>>>>>        Jool: Done: Step 2.
>>>>>>        Jool: Step 3: Computing the Outgoing Tuple
>>>>>>        Jool: Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
>>>>>>        Jool: Done step 3.
>>>>>>        Jool: Step 4: Translating the Packet
>>>>>>        Jool: Done step 4.
>>>>>>        Jool: Packet routed via device 'to_world_v4'.
>>>>>>        Jool: Sending skb.
>>>>>>        Jool: Success.
>>>>>>
>>>>>> Admittedly, it's not printing the instance namespace, the instance
>>>>>> type (SIIT vs NAT64), the ICMP type nor the ICMP code. But that could
>>>>>> be added.
>>>>>>
>>>>>> Do you reckon trace still needs to exist?
>>>>>>
>>>>>> On Sun, Mar 29, 2020 at 11:51 PM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> If we should choose one of them, I choose option c. But I will choose all
>>>>>>> of them, if it is possible.
>>>>>>> Because we are using trace for debug, we may need to trace every
>>>>>>> process (possible) in Jool.
>>>>>>>
>>>>>>> 1(ID1)>Received(a)
>>>>>>> 2(ID1)>Processing(b) - matched instance and rules
>>>>>>> 3(ID1)>Translated/NonTranslated(c)
>>>>>>> 4(ID1)>Send(d)
>>>>>>>
>>>>>>> Maybe this will be a trace level option.
>>>>>>>
>>>>>>>
>>>>>>> Fatih USTA
>>>>>>>
>>>>>>> On 28.03.2020 01:23, Alberto Leiva wrote:
>>>>>>>> Question:
>>>>>>>>
>>>>>>>> What is the ideal point in time at which Jool should print the trace?
>>>>>>>>
>>>>>>>> a) As soon as it receives a packet
>>>>>>>> b) Somewhere in the middle of a translation (when?)
>>>>>>>> c) After having translated successfully, right before sending the packet
>>>>>>>> d) After sending the packet
>>>>>>>>
>>>>>>>> The trace is currently being printed during a).
>>>>>>>> I think the answer depends on whether the trace is intended to show
>>>>>>>> all packets, or only the packets that will end up translated
>>>>>>>> successfully.
>>>>>>>>
>>>>>>>> On Mon, Jan 6, 2020 at 9:13 AM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>>>> But TCP and UDP do not have ICMP identifiers. They have ports, which
>>>>>>>>> are being printed after the hash symbol of each corresponding IP
>>>>>>>>> address.
>>>>>>>>>
>>>>>>>>> eg.
>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>>>
>>>>>>>>> source address: 10.200.200.220
>>>>>>>>> destination address: 10.100.100.11
>>>>>>>>> TCP source port: 80
>>>>>>>>> TCP destination port: 47230
>>>>>>>>>
>>>>>>>>> On Mon, Jan 6, 2020 at 12:35 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>> I mean, the ID is only shown for ICMP packets. Is it possible for TCP or UDP?
>>>>>>>>>>
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.480540] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
>>>>>>>>>> SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
>>>>>>>>>> CODE:0 ID:16384
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506080] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506413] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506657] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.506759] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.507000] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508352] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508440] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508720] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508825] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.508903] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
>>>>>>>>>> SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
>>>>>>>>>> Jan  6 09:31:48 2020 kernel: : [1472656.509130] Jool:
>>>>>>>>>> INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
>>>>>>>>>> SRC:10.200.200.220#80 DST:10.100.100.11#47230
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Fatih USTA
>>>>>>>>>>
>>>>>>>>>> On 1.01.2020 00:36, Alberto Leiva wrote:
>>>>>>>>>>> Sorry, I don't understand you. What do you mean "tcp4/6, udp4/6"?
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Dec 30, 2019 at 12:43 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>> Hi
>>>>>>>>>>>>
>>>>>>>>>>>> It looks good.
>>>>>>>>>>>> TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
>>>>>>>>>>>> MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
>>>>>>>>>>>> DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48678 DF
>>>>>>>>>>>> PROTO=ICMP TYPE=8 CODE=0 ID=2985 SEQ=1
>>>>>>>>>>>> Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP
>>>>>>>>>>>> SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:2985
>>>>>>>>>>>> ......
>>>>>>>>>>>> Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
>>>>>>>>>>>> SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0 ID:2985
>>>>>>>>>>>> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
>>>>>>>>>>>> DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21649 PROTO=ICMP
>>>>>>>>>>>> TYPE=0 CODE=0 ID=2985 SEQ=1
>>>>>>>>>>>>
>>>>>>>>>>>> I think that's enough, but what do you think about tcp4/6, udp4/6?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> Fatih USTA
>>>>>>>>>>>>
>>>>>>>>>>>> On 30.12.2019 06:47, Alberto Leiva wrote:
>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry I can't answer immediately.
>>>>>>>>>>>>> I just uploaded a commit adding instance stateness and namespace, as
>>>>>>>>>>>>> well as the ICMP ID for ICMP traces.
>>>>>>>>>>>>>
>>>>>>>>>>>>> How does it look?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Dec 24, 2019 at 12:52 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>>>> You're right, I can write the iptables trace rule. It's just an idea for a better trace in jool. If I have 1Gbit traffic when I enable trace, many logs will come. Actually not important.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Last thing: it would be nice to have an ID in the log for packet relation, like iptables.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP TYPE=8 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>>> TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT= MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP TYPE=8 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>>> TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP TYPE=8 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2 SRC=2001:0db8:000a:0000:0000:0000:0ac8:c8dc DST=2001:0db8:000a:0000:0000:0000:0a64:640b LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>>> TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT= MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd SRC=2001:0db8:000a:0000:0000:0000:0a64:640b DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>>> TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT= MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd SRC=2001:0db8:000a:0000:0000:0000:0a64:640b DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11 DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52293 PROTO=ICMP TYPE=0 CODE=0 ID=13069 SEQ=1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fatih USTA
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 24.12.2019 07:28, Alberto Leiva wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Adding filters complicates it a lot. I have a question: What's
>>>>>>>>>>>>>> stopping you from adding a TRACE target right before the Jool target?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> for example
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> iptables -t raw -A PREROUTING <filters> -j TRACE
>>>>>>>>>>>>>> iptables -t raw -A PREROUTING <filters> -j JOOL (Jool arguments)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> That would trace all packets right before they reach Jool.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Dec 23, 2019 at 1:01 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Alberto
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I tested. It works well, but we need more information in the log for a better trace,
>>>>>>>>>>>>>> because jool siit and jool have the same instance name, for example Default.
>>>>>>>>>>>>>> I can't see which instance matched.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Dec 23 09:35:40 2019 kernel: : [263288.781040] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
>>>>>>>>>>>>>> Dec 23 09:35:40 2019 kernel: : [263288.781401] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
>>>>>>>>>>>>>> Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>>>> Dec 23 09:35:41 2019 kernel: : [263289.805122] Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
>>>>>>>>>>>>>> Dec 23 09:35:41 2019 kernel: : [263289.805456] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
>>>>>>>>>>>>>> Dec 23 09:35:42 2019 kernel: : [263290.574131] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>>>> Dec 23 09:35:43 2019 kernel: : [263291.574381] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>>>> Dec 23 09:35:43 2019 kernel: : [263291.777504] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136 CODE:0
>>>>>>>>>>>>>> Dec 23 09:35:43 2019 kernel: : [263291.885362] Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
>>>>>>>>>>>>>> Dec 23 09:35:44 2019 kernel: : [263292.574572] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>>>> Dec 23 09:35:45 2019 kernel: : [263293.574838] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Stateful instances
>>>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>>> |          Namespace |            Name | Framework |
>>>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>>> |   ffffffff80e868c0 |         default | netfilter |
>>>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Stateles instances
>>>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>>> |          Namespace |            Name | Framework |
>>>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>>> |   ffffffff80e868c0 |         default | netfilter |
>>>>>>>>>>>>>> +--------------------+-----------------+-----------+
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
>>>>>>>>>>>>>> JOOL:nat64 NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> More information, if it is possible.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0 action=nat46 nataddr=2001:db8::a mtu=1400 tos=3 eamt=no blacklist=no bib=no  .... other matched options
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Maybe a filter option can be added.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> jool global update trace-filter [FILTER OPTIONS]
>>>>>>>>>>>>>> --src IPv4,IPv6
>>>>>>>>>>>>>> --dst IPv4,IPv6
>>>>>>>>>>>>>> --sport
>>>>>>>>>>>>>> --dport
>>>>>>>>>>>>>> --tcp
>>>>>>>>>>>>>> --udp
>>>>>>>>>>>>>> --icmp
>>>>>>>>>>>>>> --alg ftp|sip #future
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thank you for your effort.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fatih USTA
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 21.12.2019 02:31, Alberto Leiva wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First draft:
>>>>>>>>>>>>>> https://nicmx.github.io/Jool/en/usr-flags-global.html#trace
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> the flag can be found in the latest commit in the master branch:
>>>>>>>>>>>>>> https://github.com/NICMx/Jool
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Dec 20, 2019 at 1:01 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please note that you might need to update that page in case your
>>>>>>>>>>>>>> browser cached it, because I just updated it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Dec 20, 2019 at 1:00 PM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Currently, there is no tracing configuration flag. If you want, I can add it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> For now, the closest thing is enabling debugging:
>>>>>>>>>>>>>> https://nicmx.github.io/Jool/en/logging.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Dec 20, 2019 at 12:12 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I rebooted my system and it worked. But I don't understand why?
>>>>>>>>>>>>>> One more question. How can I trace traffic inside jool like "iptables
>>>>>>>>>>>>>> TRACE" for debugging.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> BTW:
>>>>>>>>>>>>>> jool netfilter/iptables worked without reboot.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fatih USTA
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 19.12.2019 19:11, Alberto Leiva wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Did you try printing stats?
>>>>>>>>>>>>>> https://jool.mx/en/usr-flags-stats.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If Jool is the one dropping the packets, they should tell you why.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Dec 19, 2019 at 9:46 AM Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I hate to be asking this question but, did you try rebooting and doing
>>>>>>>>>>>>>> a clean run?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Because it works fine for me, even in my 32/64-bit hybrid...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Dec 19, 2019 at 4:54 AM Fatih USTA <fatihusta86 at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm following this guide (https://www.jool.mx/en/run-vanilla.html).
>>>>>>>>>>>>>> IPTables mode is working, but netfilter mode doesn't work. What am I
>>>>>>>>>>>>>> missing? Or is this a bug?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> jool_siit -V
>>>>>>>>>>>>>> 4.0.6.2 i386
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ip{6}tables -V
>>>>>>>>>>>>>> v1.6.0 i386
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> uname -rm
>>>>>>>>>>>>>> 3.16.76-4.custom x86_64
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PC1[eth0] <=>[eth1]Translator[eth2]<=>[eth0]PC2
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #PC1
>>>>>>>>>>>>>> ip addr add 10.200.200.220/23 dev eth0
>>>>>>>>>>>>>> ip route add 10.100.100.0/24 via 10.200.200.16
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #Translator
>>>>>>>>>>>>>> ip addr add 10.200.200.16/23 dev eth1
>>>>>>>>>>>>>> ip addr add 2001:db8:a::10.100.100.2/120 dev eth2
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> sysctl -w net.ipv4.conf.all.forwarding=1
>>>>>>>>>>>>>> sysctl -w net.ipv6.conf.all.forwarding=1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ethtool --offload eth1 gro off
>>>>>>>>>>>>>> ethtool --offload eth2 gro off
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> lro already fixed off by kernel.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> jool_siit instance add default --netfilter --pool6 2001:db8:a::/96
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #PC2
>>>>>>>>>>>>>> ip add add 2001:db8:a::10.100.100.11/120 dev eth0
>>>>>>>>>>>>>> ip route add 2001:db8:a::10.200.200.0/119 via 2001:db8:a::10.100.100.2
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #Result of netfilter (on Translator)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PC1>PC2
>>>>>>>>>>>>>> 12:44:12.234494 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
>>>>>>>>>>>>>> 9806, seq 1, length 64
>>>>>>>>>>>>>> 12:44:12.234647 IP 10.200.200.16 > 10.200.200.220: ICMP net
>>>>>>>>>>>>>> 10.100.100.11 unreachable, length 92
>>>>>>>>>>>>>> 12:44:13.255748 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
>>>>>>>>>>>>>> 9806, seq 2, length 64
>>>>>>>>>>>>>> 12:44:13.255825 IP 10.200.200.16 > 10.200.200.220: ICMP net
>>>>>>>>>>>>>> 10.100.100.11 unreachable, length 92
>>>>>>>>>>>>>> 12:44:14.279628 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
>>>>>>>>>>>>>> 9806, seq 3, length 64
>>>>>>>>>>>>>> 12:44:14.279704 IP 10.200.200.16 > 10.200.200.220: ICMP net
>>>>>>>>>>>>>> 10.100.100.11 unreachable, length 92
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -- Fatih USTA
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Jool-list mailing list
>>>>>>>>>>>>>> Jool-list at nic.mx
>>>>>>>>>>>>>> https://mail-lists.nic.mx/listas/listinfo/jool-list
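
The prefixed debug output announced for Jool 4.1.2 at the top of this thread can be reassembled into one record per packet, keyed on the `TYPE/namespace/name` prefix so that SIIT and NAT64 instances both named `default` stay apart. This is an added example, not part of the thread or of Jool; the sample log is constructed from the quoted output, and the dropped packet in the prefixed format and the absence of interleaving within one instance are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the debug output quoted in the thread. Two
# instances share the name "default", so their lines interleave. The dropped
# packet in the prefixed format is an assumption (the thread shows a failure
# only in the older "Jool: ..." format).
N, S = "Jool NAT64/3c6ea680/default: ", "Jool SIIT/3c6ea680/default: "
SAMPLE = "\n".join([
    "kernel: [  101.000001] " + N + "=" * 47,
    "kernel: [  101.000002] " + N + "Packet: 2001:db8::5->64:ff9b::c000:205",
    S + "=" * 47,
    S + "Packet: 198.51.100.2->192.0.2.33",
    N + "TCP 2000->4000",
    S + "UDP 2000->4000",
    N + "Step 1: Determining the Incoming Tuple",
    N + "Tuple: 2001:db8::5#2000 -> 64:ff9b::c000:205#4000 (TCP)",
    S + "Translating the Packet.",
    S + "Result: 2001:db8:1c6:3364:2::->2001:db8:1c0:2:21::",
    N + "BIB entry: 2001:db8::5#2000 - 192.0.2.2#2000 (TCP)",
    N + "Tuple: 192.0.2.2#2000 -> 192.0.2.5#4000 (TCP)",
    S + "Sending skb.",
    S + "Success.",
    N + "Sending skb.",
    N + "Packet is too big (len: 1261, mtu: 1000).",
    N + "Sending ICMPv6 error: ICMPERR_FRAG_NEEDED, type: 2, code: 0, rest: 1280",
    N + "Dropping packet.",
])

# Anything before "Jool " (syslog host, kernel timestamp) is ignored.
LINE = re.compile(r"Jool (?P<inst>(?:SIIT|NAT64)/[0-9a-f]+/[^:\s]+): (?P<msg>.*)$")
# Step markers and routing chatter that carry no error information.
PROGRESS = re.compile(r"(Step \d|Done|Translating|Routing:|Result:"
                      r"|Packet routed|Sending skb|Session entry:)")

@dataclass
class PacketRecord:
    instance: str
    src: str = ""
    dst: str = ""
    l4: str = ""
    tuples: list = field(default_factory=list)  # incoming first, then outgoing
    bib: str = ""
    outcome: str = "incomplete"
    notes: list = field(default_factory=list)   # unclassified lines, e.g. errors

def parse(text):
    """Group debug lines into PacketRecords, one per '=====' separator."""
    open_recs, done = {}, []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        inst, msg = m["inst"], m["msg"].strip()
        if set(msg) == {"="}:
            if inst in open_recs:          # previous packet never finished
                done.append(open_recs.pop(inst))
            open_recs[inst] = PacketRecord(inst)
            continue
        rec = open_recs.get(inst)
        if rec is None:                    # capture started mid-packet
            continue
        if (a := re.fullmatch(r"Packet: (\S+)->(\S+)", msg)):
            rec.src, rec.dst = a.groups()
        elif re.fullmatch(r"(TCP|UDP) \d+->\d+", msg):
            rec.l4 = msg
        elif msg.startswith("Tuple: "):
            rec.tuples.append(msg[len("Tuple: "):])
        elif msg.startswith("BIB entry: "):
            rec.bib = msg[len("BIB entry: "):]
        elif msg in ("Success.", "Dropping packet."):
            rec.outcome = "translated" if msg == "Success." else "dropped"
            done.append(open_recs.pop(inst))
        elif not PROGRESS.match(msg):
            rec.notes.append(msg)
    done.extend(open_recs.values())        # still open at end of capture
    return done

def drops(records):
    """Return (instance, src, dst, first unclassified line) per dropped packet."""
    return [(r.instance, r.src, r.dst, r.notes[0] if r.notes else "")
            for r in records if r.outcome == "dropped"]

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec.instance, rec.src, "->", rec.dst, rec.outcome, rec.notes)
```
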

