Sorry, I don't understand you. What do you mean "tcp4/6, udp4/6"?
On Mon, Dec 30, 2019 at 12:43 AM Fatih USTA <[email protected]> wrote:
>
> Hi
>
> It looks good.
> TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
> MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
> DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48678 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=2985 SEQ=1
> Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP
> SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:2985
> ......
> Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
> SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0 ID:2985
> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
> DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21649 PROTO=ICMP
> TYPE=0 CODE=0 ID=2985 SEQ=1
>
> I think that's enough but what do you think about the tcp4/6, udp4/6?
>
> Thanks.
>
> Fatih USTA
>
> On 30.12.2019 06:47, Alberto Leiva wrote:
> > Hello
> >
> > Sorry I can't answer immediately.
> > I just uploaded a commit adding instance stateness and namespace, as
> > well as the ICMP ID for ICMP traces.
> >
> > How does it look?
> >
> > On Tue, Dec 24, 2019 at 12:52 AM Fatih USTA <[email protected]> wrote:
> >> You're right, I can write the iptables trace rule. It's just an idea for a
> >> better trace in jool. If I have 1Gbit traffic when I enable trace, many
> >> logs will come. Actually not important.
> >>
> >> Last thing, it would be nice to have ID into log for package relation like
> >> iptables.
> >>
> >> TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT=
> >> MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
> >> DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP
> >> TYPE=8 CODE=0 ID=13069 SEQ=1
> >> TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT=
> >> MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
> >> DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP
> >> TYPE=8 CODE=0 ID=13069 SEQ=1
> >> TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
> >> MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
> >> DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP
> >> TYPE=8 CODE=0 ID=13069 SEQ=1
> >>
> >> Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220
> >> DST:10.100.100.11 TYPE:8 CODE:0
> >>
> >> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2
> >> SRC=2001:0db8:000a:0000:0000:0000:0ac8:c8dc
> >> DST=2001:0db8:000a:0000:0000:0000:0a64:640b LEN=104 TC=0 HOPLIMIT=63
> >> FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=13069 SEQ=1
> >> TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT=
> >> MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd
> >> SRC=2001:0db8:000a:0000:0000:0000:0a64:640b
> >> DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64
> >> FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
> >> TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
> >> MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd
> >> SRC=2001:0db8:000a:0000:0000:0000:0a64:640b
> >> DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64
> >> FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
> >>
> >> Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b
> >> DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
> >>
> >> TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
> >> DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52293 PROTO=ICMP
> >> TYPE=0 CODE=0 ID=13069 SEQ=1
> >>
> >>
> >> Fatih USTA
> >>
> >> On 24.12.2019 07:28, Alberto Leiva wrote:
> >>
> >> Adding filters complicates it a lot. I have a question: What's
> >> stopping you from adding a TRACE target right before the Jool target?
> >>
> >> for example
> >>
> >> iptables -t raw -A PREROUTING <filters> -j TRACE
> >> iptables -t raw -A PREROUTING <filters> -j JOOL (Jool arguments)
> >>
> >> That would trace all packets right before they reach Jool.
> >>
> >>
> >> On Mon, Dec 23, 2019 at 1:01 AM Fatih USTA <[email protected]> wrote:
> >>
> >> Hi Alberto
> >>
> >> I tested. Works well, but we need more information in log for better trace.
> >> Because jool siit and jool have same instance name. For example Default.
> >> I can't see which one instance matched.
> >>
> >> Dec 23 09:35:40 2019 kernel: : [263288.781040] Jool: INSTANCE:default
> >> PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
> >> Dec 23 09:35:40 2019 kernel: : [263288.781401] Jool: INSTANCE:default
> >> PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129
> >> CODE:0
> >> Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default
> >> PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> >> Dec 23 09:35:41 2019 kernel: : [263289.805122] Jool: INSTANCE:default
> >> PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
> >> Dec 23 09:35:41 2019 kernel: : [263289.805456] Jool: INSTANCE:default
> >> PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129
> >> CODE:0
> >> Dec 23 09:35:42 2019 kernel: : [263290.574131] Jool: INSTANCE:default
> >> PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> >> Dec 23 09:35:43 2019 kernel: : [263291.574381] Jool: INSTANCE:default
> >> PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> >> Dec 23 09:35:43 2019 kernel: : [263291.777504] Jool: INSTANCE:default
> >> PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:fe80::48d8:2aff:fe8b:4a27
> >> TYPE:136 CODE:0
> >> Dec 23 09:35:43 2019 kernel: : [263291.885362] Jool: INSTANCE:default
> >> PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402
> >> TYPE:135 CODE:0
> >> Dec 23 09:35:44 2019 kernel: : [263292.574572] Jool: INSTANCE:default
> >> PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> >> Dec 23 09:35:45 2019 kernel: : [263293.574838] Jool: INSTANCE:default
> >> PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
> >>
> >> # Stateful instances
> >> +--------------------+-----------------+-----------+
> >> | Namespace          | Name            | Framework |
> >> +--------------------+-----------------+-----------+
> >> | ffffffff80e868c0   | default         | netfilter |
> >> +--------------------+-----------------+-----------+
> >>
> >> # Stateles instances
> >> +--------------------+-----------------+-----------+
> >> | Namespace          | Name            | Framework |
> >> +--------------------+-----------------+-----------+
> >> | ffffffff80e868c0   | default         | netfilter |
> >> +--------------------+-----------------+-----------+
> >>
> >> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP
> >> SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
> >> JOOL:nat64 NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP
> >> SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
> >>
> >> More information if it is possible.
> >>
> >> JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP
> >> SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
> >> action=nat46 nataddr=2001:db8::a mtu=1400 tos=3 eamt=no blacklist=no
> >> bib=no .... other matched options
> >>
> >> Maybe a filter option can be added.
> >>
> >> jool global update trace-filter [FILTER OPTIONS]
> >> --src IPv4,IPv6
> >> --dst IPv4,IPv6
> >> --sport
> >> --dport
> >> --tcp
> >> --udp
> >> --icmp
> >> --alg ftp|sip #future
> >>
> >> Thank you for your effort.
> >>
> >> Fatih USTA
> >>
> >> On 21.12.2019 02:31, Alberto Leiva wrote:
> >>
> >> First draft:
> >> https://nicmx.github.io/Jool/en/usr-flags-global.html#trace
> >>
> >> the flag can be found in the latest commit in the master branch:
> >> https://github.com/NICMx/Jool
> >>
> >> On Fri, Dec 20, 2019 at 1:01 PM Alberto Leiva <[email protected]> wrote:
> >>
> >> Please note that you might need to update that page in case your
> >> browser cached it, because I just updated it.
> >>
> >> On Fri, Dec 20, 2019 at 1:00 PM Alberto Leiva <[email protected]> wrote:
> >>
> >> Currently, there is no tracing configuration flag. If you want, I can add
> >> it.
> >>
> >> For now, the closest thing is enabling debugging:
> >> https://nicmx.github.io/Jool/en/logging.html
> >>
> >> On Fri, Dec 20, 2019 at 12:12 AM Fatih USTA <[email protected]> wrote:
> >>
> >> I rebooted my system and it worked. But I don't understand why?
> >> One more question. How can I trace traffic inside jool like "iptables
> >> TRACE" for debugging.
> >>
> >> BTW:
> >> jool netfilter/iptables worked without reboot.
> >>
> >>
> >> Thanks.
> >>
> >> Fatih USTA
> >>
> >> On 19.12.2019 19:11, Alberto Leiva wrote:
> >>
> >> Did you try printing stats?
> >> https://jool.mx/en/usr-flags-stats.html
> >>
> >> If Jool is the one dropping the packets, they should tell you why.
> >>
> >> On Thu, Dec 19, 2019 at 9:46 AM Alberto Leiva <[email protected]> wrote:
> >>
> >> I hate to be asking this question but, did you try rebooting and doing
> >> a clean run?
> >>
> >> Because it works fine for me, even in my 32/64-bit hybrid...
> >>
> >> On Thu, Dec 19, 2019 at 4:54 AM Fatih USTA <[email protected]> wrote:
> >>
> >> Hi
> >>
> >> I'm following this(https://www.jool.mx/en/run-vanilla.html) guide.
> >> IPTables mode working, but netfilter mode doesn't work. What am I
> >> missing? or is this a bug?
> >>
> >>
> >> jool_siit -V
> >> 4.0.6.2 i386
> >>
> >> ip{6}tables -V
> >> v1.6.0 i386
> >>
> >> uname -rm
> >> 3.16.76-4.custom x86_64
> >>
> >>
> >> PC1[eth0] <=>[eth1]Translator[eth2]<=>[eth0]PC2
> >>
> >>
> >> #PC1
> >> ip addr add 10.200.200.220/23 dev eth0
> >> ip route add 10.100.100.0/24 via 10.200.200.16
> >>
> >> #Translator
> >> ip addr add 10.200.200.16/23 dev eth1
> >> ip addr add 2001:db8:a::10.100.100.2/120 dev eth2
> >>
> >> sysctl -w net.ipv4.conf.all.forwarding=1
> >> sysctl -w net.ipv6.conf.all.forwarding=1
> >>
> >>
> >> ethtool --offload eth1 gro off
> >> ethtool --offload eth2 gro off
> >>
> >> lro already fixed off by kernel.
> >>
> >>
> >> jool_siit instance add default --netfilter --pool6 2001:db8:a::/96
> >>
> >>
> >> #PC2
> >> ip add add 2001:db8:a::10.100.100.11/120 dev eth0
> >> ip route add 2001:db8:a::10.200.200.0/119 via 2001:db8:a::10.100.100.2
> >>
> >>
> >>
> >> #Result of netfilter (on Translator)
> >>
> >> PC1>PC2
> >> 12:44:12.234494 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
> >> 9806, seq 1, length 64
> >> 12:44:12.234647 IP 10.200.200.16 > 10.200.200.220: ICMP net
> >> 10.100.100.11 unreachable, length 92
> >> 12:44:13.255748 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
> >> 9806, seq 2, length 64
> >> 12:44:13.255825 IP 10.200.200.16 > 10.200.200.220: ICMP net
> >> 10.100.100.11 unreachable, length 92
> >> 12:44:14.279628 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
> >> 9806, seq 3, length 64
> >> 12:44:14.279704 IP 10.200.200.16 > 10.200.200.220: ICMP net
> >> 10.100.100.11 unreachable, length 92
> >>
> >>
> >>
> >> -- Fatih USTA
> >> _______________________________________________
> >> Jool-list mailing list
> >> [email protected]
> >> https://mail-lists.nic.mx/listas/listinfo/jool-list
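
Added example, not part of the original thread and not Jool's own code: a Python correlator that follows one ICMP exchange across iptables TRACE lines and Jool trace lines using the ICMP ID discussed above. The function names and the normalized event fields are assumptions made for this example; the sample lines are copied from the thread with the e-mail hard wraps joined.

```python
import re
from collections import defaultdict

# Lines copied from the thread (hard wraps joined). The last one is the older
# Jool format, which carries no ID field and therefore cannot be correlated.
SAMPLE = """\
TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48678 DF PROTO=ICMP TYPE=8 CODE=0 ID=2985 SEQ=1
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:2985
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0 ID:2985
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11 DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21649 PROTO=ICMP TYPE=0 CODE=0 ID=2985 SEQ=1
Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
"""

def parse_line(line):
    """Return a normalized event for a Jool or iptables TRACE line, else None."""
    m = re.search(r"\bJool: (.+)", line)
    if m:  # Jool tokens are KEY:VALUE; split once so IPv6 colons stay in the value
        f = dict(t.split(":", 1) for t in m.group(1).split() if ":" in t)
        return {"by": "jool", "where": f.get("INSTANCE"), "src": f.get("SRC"),
                "dst": f.get("DST"), "type": f.get("TYPE"), "id": f.get("ID")}
    m = re.search(r"\bTRACE: (\S+) (.+)", line)
    if m:
        # iptables prints ID= twice: the IP header ID before PROTO= and the
        # ICMP identifier after it. Only the second one matches Jool's ID.
        l3, _, l4 = m.group(2).partition(" PROTO=")
        f3 = dict(t.split("=", 1) for t in l3.split() if "=" in t)
        f4 = dict(t.split("=", 1) for t in l4.split() if "=" in t)
        return {"by": "iptables", "where": m.group(1), "src": f3.get("SRC"),
                "dst": f3.get("DST"), "type": f4.get("TYPE"), "id": f4.get("ID")}
    return None

def correlate(text):
    """Group events by ICMP ID in log order; key None holds lines without one."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            flows[ev["id"]].append(ev)
    return dict(flows)

def path(flows, icmp_id):
    """List the hooks and Jool instances one ICMP ID passed through."""
    return [f'{e["by"]}:{e["where"]}' for e in flows.get(icmp_id, [])]

if __name__ == "__main__":
    print("\n".join(path(correlate(SAMPLE), "2985")))
```

Feed it joined lines from `dmesg` or the kernel log; e-mail style wrapped lines have to be unwrapped first.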
