Re: [Jool-list] netfilter mode question or bug

Fatih USTA via Jool-list Fri, 17 Jul 2020 00:40:14 -0700

Hi,

Fatih USTA


On 16.07.2020 18:48, Alberto Leiva wrote:

Hey, guys.

I've spent some days upgrading debug into a runtime toggle, and I'm
reviving this thread to announce that, because I see trace and debug
as essentially the same feature, I intend to merge all the trace
information into debug in Jool 4.1.2. (In other words, trace is no
longer going to exist.)

I think there is no problem here. I agree with you.


     sudo jool global update debug true

Sample IPv4 packet translation (SIIT):

     Jool SIIT/3c6ea680/default: ===============================================
     Jool SIIT/3c6ea680/default: Packet: 198.51.100.2->192.0.2.33
     Jool SIIT/3c6ea680/default: UDP 2000->4000
     Jool SIIT/3c6ea680/default: Translating the Packet.
     Jool SIIT/3c6ea680/default: Result:
2001:db8:1c6:3364:2::->2001:db8:1c0:2:21::
     Jool SIIT/3c6ea680/default: Routing:
2001:db8:1c6:3364:2::->2001:db8:1c0:2:21::
     Jool SIIT/3c6ea680/default: Packet routed via device 'to_client_v6'.
     Jool SIIT/3c6ea680/default: Sending skb.
     Jool SIIT/3c6ea680/default: Success.

Sample IPv6 packet translation (Stateful NAT64):

     Jool NAT64/3c6ea680/default: 
===============================================
     Jool NAT64/3c6ea680/default: Packet: 2001:db8::5->64:ff9b::c000:205
     Jool NAT64/3c6ea680/default: TCP 2000->4000
     Jool NAT64/3c6ea680/default: Step 1: Determining the Incoming Tuple
     Jool NAT64/3c6ea680/default: Tuple: 2001:db8::5#2000 ->
64:ff9b::c000:205#4000 (TCP)
     Jool NAT64/3c6ea680/default: Done step 1.
     Jool NAT64/3c6ea680/default: Step 2: Filtering and Updating
     Jool NAT64/3c6ea680/default: BIB entry: 2001:db8::5#2000 -
192.0.2.2#2000 (TCP)
     Jool NAT64/3c6ea680/default: Session entry: 2001:db8::5#2000 -
64:ff9b::c000:205#4000 | 192.0.2.2#2000 - 192.0.2.5#4000 (TCP)
     Jool NAT64/3c6ea680/default: Done: Step 2.
     Jool NAT64/3c6ea680/default: Step 3: Computing the Outgoing Tuple
     Jool NAT64/3c6ea680/default: Tuple: 192.0.2.2#2000 -> 192.0.2.5#4000 (TCP)
     Jool NAT64/3c6ea680/default: Done step 3.
     Jool NAT64/3c6ea680/default: Step 4: Translating the Packet
     Jool NAT64/3c6ea680/default: Routing: 192.0.2.2->192.0.2.5
     Jool NAT64/3c6ea680/default: Packet routed via device 'to_client_v4'.
     Jool NAT64/3c6ea680/default: Done step 4.
     Jool NAT64/3c6ea680/default: Sending skb.
     Jool NAT64/3c6ea680/default: Success.

If you have any issues with this, you have probably about a week to voice them.


Output looks good.

Thank you for your effort.

Alberto

On Wed, Apr 1, 2020 at 1:12 AM Fatih USTA <[email protected]> wrote:

Thank you for information and efforts.

Fatih USTA

On 31.03.2020 20:39, Alberto Leiva wrote:

By the way:

I'm about to release the next official version of Jool. Since the
current implementation of trace was found to be less than ideal
(because it prints during (a) and we're still evaluating ideas), I've
decided to leave it out of the release. Don't worry; all this means is
that the flag will not be documented in the website. For what it's
worth, the trace code is still available and usable. But it's also
bound to be changed in the next release.

On Tue, Mar 31, 2020 at 11:19 AM Alberto Leiva <[email protected]> wrote:

No one ever wants to print debug messages on the production
system(embedded).

Some alarms are going off in my head.
Are you implying that you're enabling trace in a production system?
Do you do this temporarily? Or is it permanent?

If you do it permanently, then are you sure BIB logging isn't enough?
It is all you need if you want to track the source of a request.
https://jool.mx/en/usr-flags-global.html#logging-bib

two lines

(ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
(ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""

Here's another observation: If a packet translation fails, then trace
will not tell you why. Only debug will. So trace is not the best tool
for debugging.

Here's an example of a failed translation, reported by debug:

      Jool: ===============================================
      Jool: Jool instance 'default': Received a v6 packet.
      Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
      Jool: Step 1: Determining the Incoming Tuple
      Jool: Tuple: 2001:db8::5#2000 -> 64:ff9b::c000:205#4000 (UDP)
      Jool: Done step 1.
      Jool: Step 2: Filtering and Updating
      Jool: BIB entry: 2001:db8::5#2000 - 192.0.2.2#2000 (UDP)
      Jool: Session entry: 2001:db8::5#2000 - 64:ff9b::c000:205#4000 |
192.0.2.2#2000 - 192.0.2.5#4000 (UDP)
      Jool: Done: Step 2.
      Jool: Step 3: Computing the Outgoing Tuple
      Jool: Tuple: 192.0.2.2#2000 -> 192.0.2.5#4000 (UDP)
      Jool: Done step 3.
      Jool: Step 4: Translating the Packet
      Jool: Done step 4.
      Jool: Packet routed via device 'to_world_v4'.
      Jool: Sending skb.
      Jool: Packet is too big (len: 1261, mtu: 1000).
      Jool: Sending ICMPv6 error: ICMPERR_FRAG_NEEDED, type: 2, code: 0,
rest: 1280
      Jool: Dropping packet.

I'm not sure, Perhaps the debug option may be merge with trace.

This might be the best option if tracing something in all the steps
(a, b, c and d) is optimal.

Proposal: Upgrade the most important debug messages so they'll also
appear when trace is enabled.

Eg. if this is debug logging:

      Jool: ===============================================
      Jool: Jool instance 'abcd/default/nat64': Received a v6 packet.
      Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
      Jool: Step 1: Determining the Incoming Tuple
      Jool: In Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
      Jool: Done step 1.
      Jool: Step 2: Filtering and Updating
      Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
      Jool: Session entry: 2001:db8::5#25567 - 64:ff9b::c000:205#25567 |
192.0.2.2#2949 - 192.0.2.5#2949 (ICMP)
      Jool: Done: Step 2.
      Jool: Step 3: Computing the Outgoing Tuple
      Jool: Out Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
      Jool: Done step 3.
      Jool: Step 4: Translating the Packet
      Jool: Done step 4.
      Jool: Packet routed via device 'to_world_v4'.
      Jool: Sending skb.
      Jool: Sent.

Then make it so the following is printed by trace:

      Jool: Jool instance 'abcd/default/nat64': Received a v6 packet.
      Jool: In Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
      Jool: Out Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
      Jool: Sent.

That's one message for every step. And if the user want to see the BIB
as well, they can enable bib-logging as well.

Advantages:
1. Generates less code clutter than specialized messages.
2. Prints something in every relevant step.

Disadvantages:
1. Does not print error messages.

Another possible solution: Upgrade debug messages to a global
configuration value.
That is, never remove debug messages from a binary, but only print
them if the user ran `jool global update debug true`.

Advantages:
1. Minimal code clutter.
2. Most user friendly; you don't need to recompile the whole thing if
you want to improvise some debugging.
3. You can see error messages.

Disadvantages:
1. Slightly slower than compiling messages out of the binaries (but
really not by much).
2. Debug messages may be too many for comfort.

(ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567

I should probably have asked this before, but what does "(ID1)" stand for?

On Tue, Mar 31, 2020 at 1:42 AM Fatih USTA <[email protected]> wrote:

I know the DEBUG option. but,

"Debug messages are normally compiled out of Jool’s binaries because
they are lots and can slow things down. If you are testing or
troubleshooting however, they can be of help."

No one ever wants to print debug messages on the production
system(embedded).

But you're right, it means two versions of same thing.
I'm not sure, Perhaps the debug option may be merge with trace.

An other option.
Option "b"+"c" looks good in this case.
For "b" with matched rules(bib,eamt,blacklist) info in 2 lines or one line.

b option with trace level 2

two lines

(ID1)> Filtering(b): Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
(ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""

(ID1)> Translated(c):

one line

INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
CODE:0 ID:16384 Tuple= 2001:db8::5#25567 -> 64:ff9b::c000:205#25567
(ICMP) BIB= 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP) EAMT= "" Blacklist= ""



Fatih USTA

On 30.03.2020 18:33, Alberto Leiva wrote:

Ok, but

Are you aware of debug logging?
https://jool.mx/en/logging.html

If trace is meant to happen more than once, then isn't it becoming a
redundant version of -DDEBUG? (I'd rather not have to maintain two
versions of the same thing...)

Here is everything -DDEBUG prints me during a successful ping translation:

       Jool: ===============================================
       Jool: Jool instance 'default': Received a v6 packet.
       Jool: Packet addresses: 2001:db8::5->64:ff9b::c000:205
       Jool: Step 1: Determining the Incoming Tuple
       Jool: Tuple: 2001:db8::5#25567 -> 64:ff9b::c000:205#25567 (ICMP)
       Jool: Done step 1.
       Jool: Step 2: Filtering and Updating
       Jool: BIB entry: 2001:db8::5#25567 - 192.0.2.2#2949 (ICMP)
       Jool: Session entry: 2001:db8::5#25567 - 64:ff9b::c000:205#25567 |
192.0.2.2#2949 - 192.0.2.5#2949 (ICMP)
       Jool: Done: Step 2.
       Jool: Step 3: Computing the Outgoing Tuple
       Jool: Tuple: 192.0.2.2#2949 -> 192.0.2.5#2949 (ICMP)
       Jool: Done step 3.
       Jool: Step 4: Translating the Packet
       Jool: Done step 4.
       Jool: Packet routed via device 'to_world_v4'.
       Jool: Sending skb.
       Jool: Success.

Admittedly, it's not printing the instance namespace, the instance
type (SIIT vs NAT64), the ICMP type nor the ICMP code. But that could
be added.

Do you reckon trace still needs to exist?

On Sun, Mar 29, 2020 at 11:51 PM Fatih USTA <[email protected]> wrote:

Hi

If we should chose one of them, I chose option c. But I will chose all
of them, if it possible.
Because; We are using trace for debug. So we may need trace every
process(possible) in the jool.

1(ID1)>Received(a)
2(ID1)>Processing(b) - matched instance and rules
3(ID1)>Translated/NonTranslated(c)
4(ID1)>Send(d)

Maybe this will be a trace level option.


Fatih USTA

On 28.03.2020 01:23, Alberto Leiva wrote:

Question:

When is the ideal point in time in which should Jool print the trace?

a) As soon as it receives a packet
b) Somewhere in the middle of a translation (when?)
c) After having translated successfully, right before sending the packet
d) After sending the packet

The trace is currently being printed during a).
I think the answer depends on whether the trace is intended to show
all packets, or only the packets that will end up translated
successfully.

On Mon, Jan 6, 2020 at 9:13 AM Alberto Leiva <[email protected]> wrote:

But TCP and UDP do not have ICMP identifiers. They have ports, which
are being printed after the hash symbol of each corresponding IP
address.

eg.
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230

source address: 10.200.200.220
destination address: 10.100.100.11
TCP source port: 80
TCP destination port: 47230

On Mon, Jan 6, 2020 at 12:35 AM Fatih USTA <[email protected]> wrote:

I mean, ID only showing icmp packets. Is it possible for tcp or udp?

Jan  6 09:31:48 2020 kernel: : [1472656.480540] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
SRC:fe80::fc26:33ff:fe79:5b74 DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136
CODE:0 ID:16384
Jan  6 09:31:48 2020 kernel: : [1472656.506080] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan  6 09:31:48 2020 kernel: : [1472656.506413] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan  6 09:31:48 2020 kernel: : [1472656.506657] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan  6 09:31:48 2020 kernel: : [1472656.506759] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan  6 09:31:48 2020 kernel: : [1472656.507000] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan  6 09:31:48 2020 kernel: : [1472656.508352] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan  6 09:31:48 2020 kernel: : [1472656.508440] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230
Jan  6 09:31:48 2020 kernel: : [1472656.508720] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan  6 09:31:48 2020 kernel: : [1472656.508825] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan  6 09:31:48 2020 kernel: : [1472656.508903] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/TCP
SRC:2001:db8:a::a64:640b#47230 DST:2001:db8:a::ac8:c8dc#80
Jan  6 09:31:48 2020 kernel: : [1472656.509130] Jool:
INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/TCP
SRC:10.200.200.220#80 DST:10.100.100.11#47230


Fatih USTA

On 1.01.2020 00:36, Alberto Leiva wrote:

Sorry, I don't understand you. What do you mean "tcp4/6, udp4/6"?

On Mon, Dec 30, 2019 at 12:43 AM Fatih USTA <[email protected]> wrote:

Hi

It looks good.
TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT=
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48678 DF
PROTO=ICMP TYPE=8 CODE=0 ID=2985 SEQ=1
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv4/ICMP
SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0 ID:2985
......
Jool: INSTANCE:SIIT/ffffffff80e868c0/default PROTO:IPv6/ICMP
SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0 ID:2985
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11
DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21649 PROTO=ICMP
TYPE=0 CODE=0 ID=2985 SEQ=1

I think that's enough but What do you think about the tcp4/6, udp4/6?

Thanks.

Fatih USTA

On 30.12.2019 06:47, Alberto Leiva wrote:

Hello

Sorry I can't answer immediately.
I just uploaded a commit adding instance stateness and namespace, as
well as the ICMP ID for ICMP traces.

How does it look?

On Tue, Dec 24, 2019 at 12:52 AM Fatih USTA <[email protected]> wrote:

You're right, I can write the iptables trace rule. It's just an idea for a 
better trace in jool. If I have 1Gbit traffic when I enable trace, many logs 
will come. Actually not important.

Last thing, it would be nice to have ID into log for package relation like 
iptables.

TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= 
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=13069 SEQ=1
TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT= 
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=13069 SEQ=1
TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= 
MAC=4e:1e:08:4a:fd:68:9a:0d:a9:dd:aa:b5:08:00 SRC=10.200.200.220 
DST=10.100.100.11 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=23871 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=13069 SEQ=1

Jool: INSTANCE:default PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 
TYPE:8 CODE:0

TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2 
SRC=2001:0db8:000a:0000:0000:0000:0ac8:c8dc 
DST=2001:0db8:000a:0000:0000:0000:0a64:640b LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 
PROTO=ICMPv6 TYPE=128 CODE=0 ID=13069 SEQ=1
TRACE: raw:PREROUTING:policy:2 IN=eth2 OUT= 
MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd 
SRC=2001:0db8:000a:0000:0000:0000:0a64:640b 
DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64 
FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1
TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT= 
MAC=4a:d8:2a:8b:4a:27:fe:26:33:79:5b:74:86:dd 
SRC=2001:0db8:000a:0000:0000:0000:0a64:640b 
DST=2001:0db8:000a:0000:0000:0000:0ac8:c8dc LEN=104 TC=0 HOPLIMIT=64 
FLOWLBL=983710 PROTO=ICMPv6 TYPE=129 CODE=0 ID=13069 SEQ=1

Jool: INSTANCE:default PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b 
DST:2001:db8:a::ac8:c8dc TYPE:129 CODE:0

TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth1 SRC=10.100.100.11 
DST=10.200.200.220 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52293 PROTO=ICMP TYPE=0 
CODE=0 ID=13069 SEQ=1


Fatih USTA

On 24.12.2019 07:28, Alberto Leiva wrote:

Adding filters complicates it a lot. I have a question: What's
stopping you from adding a TRACE target right before the Jool target?

for example

iptables -t raw -A PREROUTING <filters> -j TRACE
iptables -t raw -A PREROUTING <filters> -j JOOL (Jool arguments)

That would trace all packets right before they reach Jool.


On Mon, Dec 23, 2019 at 1:01 AM Fatih USTA <[email protected]> wrote:

Hi Alberto

I tested. Works well, but we need more information in log for better trace.
Because jool siit and jool have same instance name. For example Default.
I can't see which one instance matched.

Dec 23 09:35:40 2019 kernel: : [263288.781040] Jool: INSTANCE:default 
PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
Dec 23 09:35:40 2019 kernel: : [263288.781401] Jool: INSTANCE:default 
PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 
CODE:0
Dec 23 09:35:41 2019 kernel: : [263289.573935] Jool: INSTANCE:default 
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:41 2019 kernel: : [263289.805122] Jool: INSTANCE:default 
PROTO:IPv4/ICMP SRC:10.200.200.220 DST:10.100.100.11 TYPE:8 CODE:0
Dec 23 09:35:41 2019 kernel: : [263289.805456] Jool: INSTANCE:default 
PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:2001:db8:a::ac8:c8dc TYPE:129 
CODE:0
Dec 23 09:35:42 2019 kernel: : [263290.574131] Jool: INSTANCE:default 
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:43 2019 kernel: : [263291.574381] Jool: INSTANCE:default 
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:43 2019 kernel: : [263291.777504] Jool: INSTANCE:default 
PROTO:IPv6/ICMP SRC:2001:db8:a::a64:640b DST:fe80::48d8:2aff:fe8b:4a27 TYPE:136 
CODE:0
Dec 23 09:35:43 2019 kernel: : [263291.885362] Jool: INSTANCE:default 
PROTO:IPv6/ICMP SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 
CODE:0
Dec 23 09:35:44 2019 kernel: : [263292.574572] Jool: INSTANCE:default 
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22
Dec 23 09:35:45 2019 kernel: : [263293.574838] Jool: INSTANCE:default 
PROTO:IPv4/TCP SRC:10.200.200.1#43196 DST:10.200.200.16#22

# Stateful instances
+--------------------+-----------------+-----------+
|          Namespace |            Name | Framework |
+--------------------+-----------------+-----------+
|   ffffffff80e868c0 |         default | netfilter |
+--------------------+-----------------+-----------+

# Stateles instances
+--------------------+-----------------+-----------+
|          Namespace |            Name | Framework |
+--------------------+-----------------+-----------+
|   ffffffff80e868c0 |         default | netfilter |
+--------------------+-----------------+-----------+

JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP 
SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0
JOOL:nat64 NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP 
SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0

More information if is possible.

JOOL:siit NAMESPACE:748484488 INSTANCE:default PROTO:IPv6/ICMP 
SRC:fe80::fc26:33ff:fe79:5b74 DST:2001:db8:a::a64:6402 TYPE:135 CODE:0 
action=nat46 nataddr=2001:db8::a mtu=1400 tos=3 eamt=no blacklist=no bib=no  
.... other matched options

Maybe filter option can be add.

jool global update trace-filter [FILTER OPTIONS]
--src IPv4,IPv6
--dst IPv4,IPv6
--sport
--dport
--tcp
--udp
--icmp
--alg ftp|sip #future

thank you for your effort.

Fatih USTA

On 21.12.2019 02:31, Alberto Leiva wrote:

First draft:
https://nicmx.github.io/Jool/en/usr-flags-global.html#trace

the flag can be found in the latest commit in the master branch:
https://github.com/NICMx/Jool

On Fri, Dec 20, 2019 at 1:01 PM Alberto Leiva <[email protected]> wrote:

Please note that you might need to update that page in case your
browser cached it, because I just updated it.

On Fri, Dec 20, 2019 at 1:00 PM Alberto Leiva <[email protected]> wrote:

Currently, there is no tracing configuration flag. If you want, I can add it.

For now, the closest thing is enabling debugging:
https://nicmx.github.io/Jool/en/logging.html

On Fri, Dec 20, 2019 at 12:12 AM Fatih USTA <[email protected]> wrote:

I rebooted my system and it worked. But I don't understand why?
One more question. How can I trace traffic inside jool like "iptables
TRACE" for debugging.

BTW:
jool netfilter/iptables worked without reboot.


Thanks.

Fatih USTA

On 19.12.2019 19:11, Alberto Leiva wrote:

Did you try printing stats?
https://jool.mx/en/usr-flags-stats.html

If Jool is the one dropping the packets, they should tell you why.

On Thu, Dec 19, 2019 at 9:46 AM Alberto Leiva <[email protected]> wrote:

I hate to be asking this question but, did you try rebooting and doing
a clean run?

Because it works fine for me, even in my 32/64-bit hybrid...

On Thu, Dec 19, 2019 at 4:54 AM Fatih USTA <[email protected]> wrote:

Hi

I'm following this(https://www.jool.mx/en/run-vanilla.html) guide.
IPTables mode working, but netfilter mode doesn't work. What am I
missing? or is this a bug?


jool_siit -V
4.0.6.2 i386

ip{6}tables -V
v1.6.0 i386

uname -rm
3.16.76-4.custom x86_64


PC1[eth0] <=>[eth1]Tranlator[eth2]<=>[eth0]PC2


#PC1
ip addr add 10.200.200.220/23 dev eth0
ip route add 10.100.100.0/24 via 10.200.200.16

#Translator
ip addr add 10.200.200.16/23 dev eth1
ip addr add 2001:db8:a::10.100.100.2/120 dev eth2

sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1


ethtool --offload eth1 gro off
ethtool --offload eth2 gro off

lro already fixed off by kernel.


jool_siit instance add default --netfilter --pool6 2001:db8:a::/96


#PC2
ip add add 2001:db8:a::10.100.100.11/120 dev eth0
ip route add 2001:db8:a::10.200.200.0/119 via 2001:db8:a::10.100.100.2



#Result of netfilter (on Translator)

PC1>PC2
12:44:12.234494 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 1, length 64
12:44:12.234647 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
12:44:13.255748 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 2, length 64
12:44:13.255825 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92
12:44:14.279628 IP 10.200.200.220 > 10.100.100.11: ICMP echo request, id
9806, seq 3, length 64
12:44:14.279704 IP 10.200.200.16 > 10.200.200.220: ICMP net
10.100.100.11 unreachable, length 92



-- Fatih USTA
_______________________________________________
Jool-list mailing list
[email protected]
https://mail-lists.nic.mx/listas/listinfo/jool-list

_______________________________________________
Jool-list mailing list
[email protected]
https://mail-lists.nic.mx/listas/listinfo/jool-list

Re: [Jool-list] netfilter mode question or bug

Reply via email to