I know the DEBUG option. But,
"Debug messages are normally compiled out of Jool’s binaries because
they are lots and can slow things down. If you are testing or
troubleshooting however, they can be of help."
No one ever wants to print debug messages on the production
system (embedded).
But you're right, it means two versions of the same thing.
I'm not sure. Perhaps the debug option may be merged with trace.
Another option.
Option "b"+"c" looks good in this case.
For "b", with matched rules (bib, eamt, blacklist) info in 2 lines or one line.
b option with trace level 2
two lines
(ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
(ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
(ID1)> Translated(c):
one line
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
CODE:0 ID:16384 Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
(ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""
Fatih USTA
On 30.03.2020 18:33, Alberto Leiva wrote:
Ok, but
Are you aware of debug logging?
https://jool.mx/en/logging.html
If trace is meant to happen more than once, then isn't it becoming a
redundant version of -DDEBUG? (I'd rather not have to maintain two
versions of the same thing...)
Here is everything -DDEBUG prints me during a successful ping translation:
Jool: ===============================================
Jool: Jool instance 'default': Received a v6 packet.
Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
Jool: Step 1: Determining the Incoming Tuple
Jool: Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
Jool: Done step 1.
Jool: Step 2: Filtering and Updating
Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
Jool: Session entry: 2001:db8::5#25567 - 64:ff9b::c000:205#25567 |
192.0.2.2#2949 - 192.0.2.5#2949 (ICMP)
Jool: Done: Step 2.
Jool: Step 3: Computing the Outgoing Tuple
Jool: Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
Jool: Done step 3.
Jool: Step 4: Translating the Packet
Jool: Done step 4.
Jool: Packet routed via device 'to_world_v4'.
Jool: Sending skb.
Jool: Success.
Admittedly, it's not printing the instance namespace, the instance
type (SIIT vs NAT64), the ICMP type nor the ICMP code. But that could
be added.
Do you reckon trace still needs to exist?
On Sun, Mar 29, 2020 at 11:51 PM Fatih USTA <[email protected]> wrote:
Hi
If we should choose one of them, I choose option c. But I will choose all
of them, if it is possible.
Because we are using trace for debug, we may need to trace every
process (possible) in Jool.
1(ID1)>Received(a)
2(ID1)>Processing(b) - matched instance and rules
3(ID1)>Translated/NonTranslated(c)
4(ID1)>Send(d)
Maybe this will be a trace level option.
Fatih USTA
On 28.03.2020 01:23, Alberto Leiva wrote:
Question:
What is the ideal point in time at which Jool should print the trace?
a) As soon as it receives a packet
b) Somewhere in the middle of a translation (when?)
c) After having translated successfully, right before sending the packet
d) After sending the packet
The trace is currently being printed during a).
I think the answer depends on whether the trace is intended to show
all packets, or only the packets that will end up translated
successfully.
On Mon, Jan 6, 2020 at 9:13 AM Alberto Leiva <[email protected]> wrote:
But TCP and UDP do not have ICMP identifiers. They have ports, which
are being printed after the hash symbol of each corresponding IP
address.
eg.
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
source address: 10.200.200.220
destination address: 10.100.100.11
TCP source port: 80
TCP destination port: 47230
On Mon, Jan 6, 2020 at 12:35 AM Fatih USTA <[email protected]> wrote:
I mean, the ID is only shown for ICMP packets. Is it possible for TCP or UDP?
Jan 6 09:31:48 2020 kernel: : [1472656.480540] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
CODE:0 ID:16384
Jan 6 09:31:48 2020 kernel: : [1472656.506080] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan 6 09:31:48 2020 kernel: : [1472656.506413] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan 6 09:31:48 2020 kernel: : [1472656.506657] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan 6 09:31:48 2020 kernel: : [1472656.506759] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan 6 09:31:48 2020 kernel: : [1472656.507000] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan 6 09:31:48 2020 kernel: : [1472656.508352] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan 6 09:31:48 2020 kernel: : [1472656.508440] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan 6 09:31:48 2020 kernel: : [1472656.508720] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan 6 09:31:48 2020 kernel: : [1472656.508825] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan 6 09:31:48 2020 kernel: : [1472656.508903] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan 6 09:31:48 2020 kernel: : [1472656.509130] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Fatih USTA
On 1.01.2020 00:36, Alberto Leiva wrote:
Sorry, I don't understand you. What do you mean "tcp4/6, udp4/6"?
On Mon, Dec 30, 2019 at 12:43 AM Fatih USTA <[email protected]> wrote:
Hi
It looks good.
TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48678 DF
PROTO=ICMP TYPE=8 CODE=0 ID=2985 SEQ=1
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP
SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:2985
......
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0 ID:2985
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21649 PROTO=ICMP
TYPE=0 CODE=0 ID=2985 SEQ=1
I think that's enough, but what do you think about the tcp4/6, udp4/6?
Thanks.
Fatih USTA
On 30.12.2019 06:47, Alberto Leiva wrote:
Hello
Sorry I can't answer immediately.
I just uploaded a commit adding instance stateness and namespace, as
well as the ICMP ID for ICMP traces.
How does it look?
On Tue, Dec 24, 2019 at 12:52 AM Fatih USTA <[email protected]> wrote:
You're right, I can write the iptables trace rule. It's just an idea for a
better trace in Jool. If I have 1Gbit traffic when I enable trace, many logs
will come. Actually, not important.
Last thing: it would be nice to have an ID in the log for package relation, like
iptables.
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP
TYPE=8 CODE=0 ID=13069 SEQ=1
TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP
TYPE=8 CODE=0 ID=13069 SEQ=1
TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP
TYPE=8 CODE=0 ID=13069 SEQ=1
Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11
TYPE:8 CODE:0
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2
SRC=2001:0db8:000a:0000:0000:0000:0ac8:c8dc
DST=2001:0db8:000a:0000:0000:0000:0a64:640b LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0
PROTO=ICMPv6 TYPE=128 CODE=0 ID=13069 SEQ=1
TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT=
MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd
SRC=2001:0db8:000a:0000:0000:0000:0a64:640b
DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64
FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd
SRC=2001:0db8:000a:0000:0000:0000:0a64:640b
DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64
FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b
DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52293 PROTO=ICMP TYPE=0
CODE=0 ID=13069 SEQ=1
Fatih USTA
On 24.12.2019 07:28, Alberto Leiva wrote:
Adding filters complicates it a lot. I have a question: What's
stopping you from adding a TRACE target right before the Jool target?
for example
iptables -t raw -A PREROUTING <filters> -j TRACE
iptables -t raw -A PREROUTING <filters> -j JOOL (Jool arguments)
That would trace all packets right before they reach Jool.
On Mon, Dec 23, 2019 at 1:01 AM Fatih USTA <[email protected]> wrote:
Hi Alberto
I tested. It works well, but we need more information in the log for a better trace,
because jool siit and jool have the same instance name, for example Default.
I can't see which instance matched.
Dec 23 09:35:40 2019 kernel: : [263288.781040] Jool: INSTANCE:default
PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
Dec 23 09:35:40 2019 kernel: : [263288.781401] Jool: INSTANCE:default
PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129
CODE:0
Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:41 2019 kernel: : [263289.805122] Jool: INSTANCE:default
PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
Dec 23 09:35:41 2019 kernel: : [263289.805456] Jool: INSTANCE:default
PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129
CODE:0
Dec 23 09:35:42 2019 kernel: : [263290.574131] Jool: INSTANCE:default
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:43 2019 kernel: : [263291.574381] Jool: INSTANCE:default
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:43 2019 kernel: : [263291.777504] Jool: INSTANCE:default
PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
CODE:0
Dec 23 09:35:43 2019 kernel: : [263291.885362] Jool: INSTANCE:default
PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135
CODE:0
Dec 23 09:35:44 2019 kernel: : [263292.574572] Jool: INSTANCE:default
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:45 2019 kernel: : [263293.574838] Jool: INSTANCE:default
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
# Stateful instances
+--------------------+-----------------+-----------+
| Namespace | Name | Framework |
+--------------------+-----------------+-----------+
| ffffffff80e868c0 | default | netfilter |
+--------------------+-----------------+-----------+
# Stateless instances
+--------------------+-----------------+-----------+
| Namespace | Name | Framework |
+--------------------+-----------------+-----------+
| ffffffff80e868c0 | default | netfilter |
+--------------------+-----------------+-----------+
JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP
SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
JOOL:nat64 NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP
SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
More information, if it is possible.
JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP
SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
action=nat46 nataddr=2001:db8::a mtu=1400 tos=3 eamt=no blacklist=no bib=no
.... other matched options
Maybe a filter option can be added.
jool global update trace-filter [FILTER OPTIONS]
--src IPv4,IPv6
--dst IPv4,IPv6
--sport
--dport
--tcp
--udp
--icmp
--alg ftp|sip #future
Thank you for your effort.
Fatih USTA
On 21.12.2019 02:31, Alberto Leiva wrote:
First draft:
https://nicmx.github.io/Jool/en/usr-flags-global.html#trace
the flag can be found in the latest commit in the master branch:
https://github.com/NICMx/Jool
On Fri, Dec 20, 2019 at 1:01 PM Alberto Leiva <[email protected]> wrote:
Please note that you might need to update that page in case your
browser cached it, because I just updated it.
On Fri, Dec 20, 2019 at 1:00 PM Alberto Leiva <[email protected]> wrote:
Currently, there is no tracing configuration flag. If you want, I can add it.
For now, the closest thing is enabling debugging:
https://nicmx.github.io/Jool/en/logging.html
On Fri, Dec 20, 2019 at 12:12 AM Fatih USTA <[email protected]> wrote:
I rebooted my system and it worked. But I don't understand why?
One more question. How can I trace traffic inside jool like "iptables
TRACE" for debugging.
BTW:
jool netfilter/iptables worked without reboot.
Thanks.
Fatih USTA
On 19.12.2019 19:11, Alberto Leiva wrote:
Did you try printing stats?
https://jool.mx/en/usr-flags-stats.html
If Jool is the one dropping the packets, they should tell you why.
On Thu, Dec 19, 2019 at 9:46 AM Alberto Leiva <[email protected]> wrote:
I hate to be asking this question but, did you try rebooting and doing
a clean run?
Because it works fine for me, even in my 32/64-bit hybrid...
On Thu, Dec 19, 2019 at 4:54 AM Fatih USTA <[email protected]> wrote:
Hi
I'm following this guide (https://www.jool.mx/en/run-vanilla.html).
IPTables mode is working, but netfilter mode doesn't work. What am I
missing? Or is this a bug?
jool_siit -V
4.0.6.2 i386
ip{6}tables -V
v1.6.0 i386
uname -rm
3.16.76-4.custom x86_64
PC1[eth0] <=>[eth1]Translator[eth2]<=>[eth0]PC2
#PC1
ip addr add 10.200.200.220/23 dev eth0
ip route add 10.100.100.0/24 via 10.200.200.16
#Translator
ip addr add 10.200.200.16/23 dev eth1
ip addr add 2001:db8:a::10.100.100.2/120 dev eth2
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
ethtool --offload eth1 gro off
ethtool --offload eth2 gro off
lro already fixed off by kernel.
jool_siit instance add default --netfilter --pool6 2001:db8:a::/96
#PC2
ip add add 2001:db8:a::10.100.100.11/120 dev eth0
ip route add 2001:db8:a::10.200.200.0/119 via 2001:db8:a::10.100.100.2
#Result of netfilter (on Translator)
PC1>PC2
12:44:12.234494 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 1, length 64
12:44:12.234647 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
12:44:13.255748 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 2, length 64
12:44:13.255825 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
12:44:14.279628 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 3, length 64
12:44:14.279704 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
-- Fatih USTA
_______________________________________________
Jool-list mailing list
[email protected]
https://mail-lists.nic.mx/listas/listinfo/jool-list
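
Added example (not part of the thread and not Jool project code): a parser for the trace line format quoted above that groups the IPv4 and IPv6 records of one flow by ICMP ID or by port pair, and lists flows traced on only one IP version. The function names are hypothetical, the sample lines are constructed from the ones in the thread, and the key assumes the ID and ports survive translation, as in the SIIT traces shown; a NAT64 BIB mapping can rewrite them.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the trace lines quoted in the thread.
SAMPLE = """\
[1472656.506080] Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
[1472656.506413] Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:2985
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0 ID:2985
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:4001
Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
Jool: Step 1: Determining the Incoming Tuple
"""

FIELD = re.compile(r"\b(INSTANCE|PROTO|SRC|DST|TYPE|CODE|ID):(\S+)")

def parse_trace(line):
    """Parse one trace line into a dict; return None for anything else."""
    _, found, body = line.partition("Jool: ")
    rec = dict(FIELD.findall(body)) if found else {}
    if not {"INSTANCE", "PROTO", "SRC", "DST"} <= rec.keys():
        return None
    rec["l3"], rec["l4"] = rec["PROTO"].split("/")
    for side in ("SRC", "DST"):
        # TCP/UDP ports follow the '#'; ICMP lines carry no port.
        addr, _, port = rec[side].partition("#")
        rec[side], rec[side + "_port"] = addr, int(port) if port else None
    return rec

def flow_key(rec):
    """Key shared by both directions, assuming ports and ICMP IDs are preserved."""
    if rec["l4"] == "ICMP":
        ident = rec.get("ID")  # absent in the first-draft format
    else:
        ident = frozenset((rec["SRC_port"], rec["DST_port"]))
    return (rec["INSTANCE"], rec["l4"], ident)

def correlate(text):
    """Group parsed trace records by flow key."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_trace, text.splitlines())):
        flows[flow_key(rec)].append(rec)
    return dict(flows)

def one_sided(flows):
    """Flows traced on only one IP version, i.e. no packet seen coming back."""
    return [k for k, recs in flows.items() if len({r["l3"] for r in recs}) < 2]
```

Because the full INSTANCE field is part of the key, two instances that share the name "default" only stay apart in the newer TYPE/NAMESPACE/NAME format.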