[LARTC] Simple routing configuration

[LARTC] Simple routing configuration

[Paul Lewis]

Hi,

I have a simple question (well, at least I think it's simple!). I have a
router, with four Ethernet cards; eth0-eth3. eth0 and eth3 are the
'external' cards, connecting to my ISPs. eth1 and eth2 are connected to my
internal networks. What I want to do is basically filter all the traffic
from one card to another, in this configuration:
	eth1 to eth3
	eth2 to eth0

The thing is, I'm not sure if this is a routing or a firewall problem, or
maybe a bit of both? I've tried setting up the routing using ip route, using
the command below, but to no avail. When I used these commands, I did not
change any of my existing firewall configuration. Here are the ip route
commands:

echo "101 ISP_1" >> /etc/iproute2/rt_tables
echo "102 ISP_2" >> /etc/iproute2/rt_tables

ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1
ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2

ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2

I also tried a simple iptables forward command, in the form of:

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT

# default policy
iptables -P FORWARD DROP

In both cases, I have set /proc/sys/net/ipv4/ip_forward to "1".

Any help would be greatly appreciated.

Many thanks,

Paul

---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
Part II Student
Materials Science
University of Oxford




_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Simple routing configuration

[Paul Lewis]

Hi,

I have a simple question (well, at least I think it's simple!). I have a
router, with four Ethernet cards; eth0-eth3. eth0 and eth3 are the
'external' cards, connecting to my ISPs. eth1 and eth2 are connected to my
internal networks. What I want to do is basically filter all the traffic
from one card to another, in this configuration:
	eth1 to eth3
	eth2 to eth0

The thing is, I'm not sure if this is a routing or a firewall problem, or
maybe a bit of both? I've tried setting up the routing using ip route, using
the command below, but to no avail. When I used these commands, I did not
change any of my existing firewall configuration. Here are the ip route
commands:

echo "101 ISP_1" >> /etc/iproute2/rt_tables
echo "102 ISP_2" >> /etc/iproute2/rt_tables

ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1
ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2

ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2

I also tried a simple iptables forward command, in the form of:

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT

# default policy
iptables -P FORWARD DROP

In both cases, I have set /proc/sys/net/ipv4/ip_forward to "1".

Any help would be greatly appreciated.

Many thanks,

Paul

---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
Part II Student
Materials Science
University of Oxford

Re: Simple routing configuration

[John A. Sullivan III]

On Sat, 2005-12-24 at 18:11 +0000, Paul Lewis wrote:
> Hi,
> 
> I have a simple question (well, at least I think it's simple!). I have a
> router, with four Ethernet cards; eth0-eth3. eth0 and eth3 are the
> 'external' cards, connecting to my ISPs. eth1 and eth2 are connected to my
> internal networks. What I want to do is basically filter all the traffic
> from one card to another, in this configuration:
> 	eth1 to eth3
> 	eth2 to eth0
> 
> The thing is, I'm not sure if this is a routing or a firewall problem, or
> maybe a bit of both? I've tried setting up the routing using ip route, using
> the command below, but to no avail. When I used these commands, I did not
> change any of my existing firewall configuration. Here are the ip route
> commands:
> 
> echo "101 ISP_1" >> /etc/iproute2/rt_tables
> echo "102 ISP_2" >> /etc/iproute2/rt_tables
> 
> ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
> ip route add default via 192.168.100.253 table ISP_1
> ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
> ip route add default via 192.168.20.253 table ISP_2
> 
> ip rule add from 192.168.7.253 table ISP_1
> ip rule add from 192.168.3.253 table ISP_2
> 
> I also tried a simple iptables forward command, in the form of:
> 
> iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
> iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
> iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT
> 
> # default policy
> iptables -P FORWARD DROP
> 
> In both cases, I have set /proc/sys/net/ipv4/ip_forward to "1".
> 
<snip>
After a quick look, I would guess you need to use the iif selector for
your rules (Inbound InterFace).  There is a training slide show about
this in the training section of the ISCS network security management
project web site (http://iscs.sourceforge.net) or you can look in the
ip-cref.ps file that shipped with your distribution.  On my FC4, it
is /usr/share/doc/iproute-2.6.11/ip-cref.ps.  Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Networking question

[Dave Beach]

 
This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy to be
redirected to another, more appropriate mailing list should someone be so
kind as to suggest one.

Internal, home, private network, WinXP boxen and a Squid proxy, connecting
through an iptables box to my router and cable modem. Everything works
peachy.

While trying to poke bittorrent holes through my iptables setup (see? Some
vague evidence of relevance), I encountered problems and decided to take the
proxy out of the picture. VERY much to my surprise, when I reconfigured IE
to not use the proxy (and configured iptables to allow for a direct
connection), I see no HTTP traffic whatsoever leaving the XP box destined
for the firewall. In fact, no TCP traffic either (all traffic analysis done
with ethereal on the XP box). I can ping to/from the XP box, and see THAT
via ethereal.

I am considerably confused by this. My presumption was that IE would just
happily send HTTP traffic directly to the firewall, but this is NOT the
behaviour I'm seeing.

I know it's Christmas Eve day, and I was out a bit late last night, but
there's clearly something VERY obvious I'm missing.

Re: Networking question

[John A. Sullivan III]

On Sat, 2005-12-24 at 13:34 -0500, Dave Beach wrote:
>  This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy to be
> redirected to another, more appropriate mailing list should someone be so
> kind as to suggest one.
> 
> Internal, home, private network, WinXP boxen and a Squid proxy, connecting
> through an iptables box to my router and cable modem. Everything works
> peachy.
> 
> While trying to poke bittorrent holes through my iptables setup (see? Some
> vague evidence of relevance), I encountered problems and decided to take the
> proxy out of the picture. VERY much to my surprise, when I reconfigured IE
> to not use the proxy (and configured iptables to allow for a direct
> connection), I see no HTTP traffic whatsoever leaving the XP box destined
> for the firewall. In fact, no TCP traffic either (all traffic analysis done
> with ethereal on the XP box). I can ping to/from the XP box, and see THAT
> via ethereal.
> 
> I am considerably confused by this. My presumption was that IE would just
> happily send HTTP traffic directly to the firewall, but this is NOT the
> behaviour I'm seeing.
> 
> I know it's Christmas Eve day, and I was out a bit late last night, but
> there's clearly something VERY obvious I'm missing.
> 
> 
If the problem is on the XP station (no packets egressing), could there
be an XP personal firewall problem? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

Re: Networking question

[/dev/rob0]

On Saturday 2005-December-24 12:53, John A. Sullivan III wrote:
> If the problem is on the XP station (no packets egressing), could
> there be an XP personal firewall problem? - John

That or routing, is a default route set?
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: Networking question

[Edmundo Carmona]

Probably there's no gateway in the XP box setup... or the gateway is
plain wrong.

Merry Xorg-mas to everyone around! ;-)

On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
>
> This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy to be
> redirected to another, more appropriate mailing list should someone be so
> kind as to suggest one.
>
> Internal, home, private network, WinXP boxen and a Squid proxy, connecting
> through an iptables box to my router and cable modem. Everything works
> peachy.
>
> While trying to poke bittorrent holes through my iptables setup (see? Some
> vague evidence of relevance), I encountered problems and decided to take the
> proxy out of the picture. VERY much to my surprise, when I reconfigured IE
> to not use the proxy (and configured iptables to allow for a direct
> connection), I see no HTTP traffic whatsoever leaving the XP box destined
> for the firewall. In fact, no TCP traffic either (all traffic analysis done
> with ethereal on the XP box). I can ping to/from the XP box, and see THAT
> via ethereal.
>
> I am considerably confused by this. My presumption was that IE would just
> happily send HTTP traffic directly to the firewall, but this is NOT the
> behaviour I'm seeing.
>
> I know it's Christmas Eve day, and I was out a bit late last night, but
> there's clearly something VERY obvious I'm missing.
>
>
>

RE: Networking question

[Dave Beach]

Thanks for the reply. The default gateway for the internal network is the
firewall box.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo Carmona
Sent: December 24, 2005 1:59 PM
To: netfilter@lists.netfilter.org
Subject: Re: Networking question

Probably there's no gateway in the XP box setup... or the gateway is plain
wrong.

Merry Xorg-mas to everyone around! ;-)

On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
>
> This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy 
> to be redirected to another, more appropriate mailing list should 
> someone be so kind as to suggest one.
>
> Internal, home, private network, WinXP boxen and a Squid proxy, 
> connecting through an iptables box to my router and cable modem. 
> Everything works peachy.
>
> While trying to poke bittorrent holes through my iptables setup (see? 
> Some vague evidence of relevance), I encountered problems and decided 
> to take the proxy out of the picture. VERY much to my surprise, when I 
> reconfigured IE to not use the proxy (and configured iptables to allow 
> for a direct connection), I see no HTTP traffic whatsoever leaving the 
> XP box destined for the firewall. In fact, no TCP traffic either (all 
> traffic analysis done with ethereal on the XP box). I can ping to/from 
> the XP box, and see THAT via ethereal.
>
> I am considerably confused by this. My presumption was that IE would 
> just happily send HTTP traffic directly to the firewall, but this is 
> NOT the behaviour I'm seeing.
>
> I know it's Christmas Eve day, and I was out a bit late last night, 
> but there's clearly something VERY obvious I'm missing.
>
>
>

Networking Question

[Ryan P. Nicholl]

I've been unable to find any Linux API for asynchronously waiting for the TCP send buffer to drain.

The problem I have, in a nutshell, is noted in this part of the documentation:

       If fildes refers to a socket, close() shall cause the socket to
       be destroyed. If the socket is in connection-mode, and the
       SO_LINGER option is set for the socket with non-zero linger time,
       and the socket has untransmitted data, then close() shall block
       for up to the current linger interval until all data is
       transmitted.

Ok, so not good for asynchronous programming, so I could disable the SO_LINGER option, but that leaves me with another problem, namely that I *want* the socket to linger.

The behavior I want is something like, calling "close", getting EAGAIN instead of triggering TCP RST, and something like EPOLLWRITEFLUSHED to wait for the TCP send buffer to be drained. I know neither of these are possible.

Right now the only solution I can think of is to enable SO_LINGER and spawn a thread to run close in, but this might spawn a lot of threads, and doesn't support cancellation well.

Alternatively, I could call getsockopt with TCP_INFO in a loop, but this triggers a lot of wake-ups and might result in sockets hanging around a lot longer than they need to.

I want to allow linger indefinitely on close until some event happens like running out of ram or other resources, basically to intelligently do something like: "OK, we're running low on RAM/resources, time to send RST and drop the send buffer for the 5k worst behaving connections". So unfortunately even with the timeout provided by SO_LINGER, even assuming close would somehow complete in the background, this could be an issue.

Is there any way to do this properly on Linux? If not, any possibility that something like adding EPOLLWRITEFLUSHED would be a welcome addition?

Please CC me on responses.

--
Ryan P. Nicholl

Re: Networking Question

[Bernd Petrovitsch]

Hi all!

On 21/06/2022 02:29, Ryan P. Nicholl wrote:
> I've been unable to find any Linux API for asynchronously waiting for the TCP send buffer to drain.
> 
> The problem I have, in a nutshell, is noted in this part of the documentation:
> 
>         If fildes refers to a socket, close() shall cause the socket to
>         be destroyed. If the socket is in connection-mode, and the

That's not really a Linux kernel question as such (because that should 
work that way on all TCP connections anywhere) but the shutdown() 
syscall is probably what you need:
- your side shuts down the sending part of the socket.
- the other side reads data and gets eventually EOF
- the other side call shutdown() for it's sending side when it's done.
- your side gets EOF.
And then your side knows that no data is in flight.
- finally, you clean up with close(). You can shutdown() the receiving
   side too but doesn't change anything.

[ deleted SO_LINGER stuff - that's for something completelly different ... ]

Kind regards,
	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
      There is NO CLOUD, just other people's computers. - FSFE
                      LUGA : http://www.luga.at

Re: Networking Question

[Ryan P. Nicholl]

Thanks for taking time to respond to this question, but unfortunately Linux's shutdown(2) cannot do what I need. This isn't a general question since POSIX has no standard async API other than AIO which isn't implemented efficiently in GNU/Linux, and I don't think the kernel supports any aio calls directly, instead exposing clone and epoll_* facilities to solve the concurrency issues. However; none of them do what I need efficiently.

In theory, shutdown(2) could be used, the problem is that it's just not efficiently scalable to 100s of thousands or millions of connections. I'm not speaking on behalf of my employeer, but I work for a financial company that processes a lot of network traffic.

What I want essentially is similar to TIME_WAIT but instead of sending an RST packet I want to be notified when the tcp connection is actually drained.

If you call shutdown, my understanding is that you get one of two behaviors:
1. You send RST and immediately discard the send buffer.
2. The call blocks for the SO_LINGER timeout.

Option 1 isn't acceptable because it gives the wrong behavior. Option 2 can be made to work but the downside is that Linux only exposes a synchronous API for it which requires me to have at least 1 thread per shutdown operation. So it could be quite bad if the network is very congested. Unfortunately threads are many times more expensive than sockets/tcp connections. So ideally having few threads and many sockets gives the best use of resources.



--
Ryan P. Nicholl


------- Original Message -------
On Tuesday, June 21st, 2022 at 3:02 AM, Bernd Petrovitsch <bernd@petrovitsch.priv.at> wrote:


> Hi all!
>
> On 21/06/2022 02:29, Ryan P. Nicholl wrote:
>
> > I've been unable to find any Linux API for asynchronously waiting for the TCP send buffer to drain.
> >
> > The problem I have, in a nutshell, is noted in this part of the documentation:
> >
> > If fildes refers to a socket, close() shall cause the socket to
> > be destroyed. If the socket is in connection-mode, and the
>
>
> That's not really a Linux kernel question as such (because that should
> work that way on all TCP connections anywhere) but the shutdown()
> syscall is probably what you need:
> - your side shuts down the sending part of the socket.
> - the other side reads data and gets eventually EOF
> - the other side call shutdown() for it's sending side when it's done.
> - your side gets EOF.
> And then your side knows that no data is in flight.
> - finally, you clean up with close(). You can shutdown() the receiving
> side too but doesn't change anything.
>
> [ deleted SO_LINGER stuff - that's for something completelly different ... ]
>
> Kind regards,
> Bernd
> --
> Bernd Petrovitsch Email : bernd@petrovitsch.priv.at
> There is NO CLOUD, just other people's computers. - FSFE
> LUGA : http://www.luga.at

networking question

[devendra.aaru]

Hey all,

I have got a strange bug(?) while testing the multicasting server and client.

I have done only the INADDR_ANY bind in server and client adds its
IP_MULTICAST_IF to 224.0.0.1 ,

surprisingly i recvd pkts from the client with out joining using
IP_ADD_MEMBERSHIP.

Is that a bug? or as we listening on INADDR_ANY will make us recv all
the mcast/bcast pkts?

while if i do tx on 224.0.0.3 , the server is not able to recv the packets.

any ideas?

networking question

[Rami Rosen]

Hi,

Can you post your client and server code?

rgs,
Rami Rosen
http://ramirose.wix.com/ramirosen


On Thu, Mar 14, 2013 at 12:55 PM, devendra.aaru <devendra.aaru@gmail.com> wrote:
> Hey all,
>
> I have got a strange bug(?) while testing the multicasting server and client.
>
> I have done only the INADDR_ANY bind in server and client adds its
> IP_MULTICAST_IF to 224.0.0.1 ,
>
> surprisingly i recvd pkts from the client with out joining using
> IP_ADD_MEMBERSHIP.
>
> Is that a bug? or as we listening on INADDR_ANY will make us recv all
> the mcast/bcast pkts?
>
> while if i do tx on 224.0.0.3 , the server is not able to recv the packets.
>
> any ideas?
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

networking question

[devendra.aaru]

This is my client:

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
main()
{
        int s;
        int opt = 1;
        struct sockaddr_in serv;
        char *ip = "192.168.20.166";
        struct sockaddr_in m;

        s = socket(AF_INET, SOCK_DGRAM, 0);

        serv.sin_family = AF_INET;
        serv.sin_addr.s_addr = inet_addr("224.0.0.1");
        serv.sin_port = htons(1111);

        memset(&m, 0, sizeof(m));
        m.sin_addr.s_addr = inet_addr(ip);
        setsockopt(s, IPPROTO_IP, IP_MULTICAST_IF, &m, sizeof(m));

        while (1) {
                sendto(s, ip, strlen(ip), 0, (struct sockaddr *)&serv,
sizeof(serv));
                sleep(1);
        }
}


I couldn't run a server this time but i captured packets on the other
host in tcpdump. I did get the 224.0.0.1 mcast packets,

is this something that the kernel always does registers by default to
the all node multicast in v4 and v6 case also?

or is my program buggy? thanks,

On Thu, Mar 14, 2013 at 2:11 PM, Rami Rosen <roszenrami@gmail.com> wrote:
> Hi,
>
> Can you post your client and server code?
>
> rgs,
> Rami Rosen
> http://ramirose.wix.com/ramirosen
>
>
> On Thu, Mar 14, 2013 at 12:55 PM, devendra.aaru <devendra.aaru@gmail.com> wrote:
>> Hey all,
>>
>> I have got a strange bug(?) while testing the multicasting server and client.
>>
>> I have done only the INADDR_ANY bind in server and client adds its
>> IP_MULTICAST_IF to 224.0.0.1 ,
>>
>> surprisingly i recvd pkts from the client with out joining using
>> IP_ADD_MEMBERSHIP.
>>
>> Is that a bug? or as we listening on INADDR_ANY will make us recv all
>> the mcast/bcast pkts?
>>
>> while if i do tx on 224.0.0.3 , the server is not able to recv the packets.
>>
>> any ideas?
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> Kernelnewbies at kernelnewbies.org
>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

RE: Networking question

[Dave Beach]

Yes, and if it were a DNS problem you'd (sorry, *I'd*) think I'd see
DNS-related traffic from the XP box. But... Nothing. At all. Zip. Zilch.
Nada. No web-related traffic whatsoever originating from the XP box when the
proxy settings in IE are de-selected. 

-----Original Message-----
From: Edmundo Carmona [mailto:eantoranz@gmail.com] 
Sent: December 24, 2005 2:06 PM
To: Dave Beach
Subject: Re: Networking question

and say... if you ping a host outside of your network, the ping is routed
through the GW box?

It could be a DNS problem, because IE will try to resolve a domain name
before sending a HTTP request.

On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> Thanks for the reply. The default gateway for the internal network is 
> the firewall box.
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo 
> Carmona
> Sent: December 24, 2005 1:59 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Networking question
>
> Probably there's no gateway in the XP box setup... or the gateway is 
> plain wrong.
>
> Merry Xorg-mas to everyone around! ;-)
>
> On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> >
> > This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy 
> > to be redirected to another, more appropriate mailing list should 
> > someone be so kind as to suggest one.
> >
> > Internal, home, private network, WinXP boxen and a Squid proxy, 
> > connecting through an iptables box to my router and cable modem.
> > Everything works peachy.
> >
> > While trying to poke bittorrent holes through my iptables setup (see?
> > Some vague evidence of relevance), I encountered problems and 
> > decided to take the proxy out of the picture. VERY much to my 
> > surprise, when I reconfigured IE to not use the proxy (and 
> > configured iptables to allow for a direct connection), I see no HTTP 
> > traffic whatsoever leaving the XP box destined for the firewall. In 
> > fact, no TCP traffic either (all traffic analysis done with ethereal 
> > on the XP box). I can ping to/from the XP box, and see THAT via
ethereal.
> >
> > I am considerably confused by this. My presumption was that IE would 
> > just happily send HTTP traffic directly to the firewall, but this is 
> > NOT the behaviour I'm seeing.
> >
> > I know it's Christmas Eve day, and I was out a bit late last night, 
> > but there's clearly something VERY obvious I'm missing.
> >
> >
> >
>
>
>

Re: Networking question

[Edmundo Carmona]

sure.... as long as there's layer three traffic.

Pinging? Pinging hosts in your network? pinging hosts in internet?

What's the output of ipconfig /all and route print? (ugh!!! :-) )

On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> Yes, and if it were a DNS problem you'd (sorry, *I'd*) think I'd see
> DNS-related traffic from the XP box. But... Nothing. At all. Zip. Zilch.
> Nada. No web-related traffic whatsoever originating from the XP box when the
> proxy settings in IE are de-selected.
>
> -----Original Message-----
> From: Edmundo Carmona [mailto:eantoranz@gmail.com]
> Sent: December 24, 2005 2:06 PM
> To: Dave Beach
> Subject: Re: Networking question
>
> and say... if you ping a host outside of your network, the ping is routed
> through the GW box?
>
> It could be a DNS problem, because IE will try to resolve a domain name
> before sending a HTTP request.
>
> On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> > Thanks for the reply. The default gateway for the internal network is
> > the firewall box.
> >
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo
> > Carmona
> > Sent: December 24, 2005 1:59 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Re: Networking question
> >
> > Probably there's no gateway in the XP box setup... or the gateway is
> > plain wrong.
> >
> > Merry Xorg-mas to everyone around! ;-)
> >
> > On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> > >
> > > This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy
> > > to be redirected to another, more appropriate mailing list should
> > > someone be so kind as to suggest one.
> > >
> > > Internal, home, private network, WinXP boxen and a Squid proxy,
> > > connecting through an iptables box to my router and cable modem.
> > > Everything works peachy.
> > >
> > > While trying to poke bittorrent holes through my iptables setup (see?
> > > Some vague evidence of relevance), I encountered problems and
> > > decided to take the proxy out of the picture. VERY much to my
> > > surprise, when I reconfigured IE to not use the proxy (and
> > > configured iptables to allow for a direct connection), I see no HTTP
> > > traffic whatsoever leaving the XP box destined for the firewall. In
> > > fact, no TCP traffic either (all traffic analysis done with ethereal
> > > on the XP box). I can ping to/from the XP box, and see THAT via
> ethereal.
> > >
> > > I am considerably confused by this. My presumption was that IE would
> > > just happily send HTTP traffic directly to the firewall, but this is
> > > NOT the behaviour I'm seeing.
> > >
> > > I know it's Christmas Eve day, and I was out a bit late last night,
> > > but there's clearly something VERY obvious I'm missing.
> > >
> > >
> > >
> >
> >
> >
>
>

RE: Networking question

[Dave Beach]

I don't have iptables configured to pass ICMP traffic through the firewall,
other than specifically to the inside interface of the router. I can ping
that, and all internal hosts.

========
C:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : xxxxxxxx
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
Ethernet NIC
        Physical Address. . . . . . . . . : 00-50-FC-4F-F1-B7
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.98
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DHCP Server . . . . . . . . . . . : 192.168.2.2
        Lease Obtained. . . . . . . . . . : December 24, 2005 2:36:55 PM
        Lease Expires . . . . . . . . . . : February 22, 2006 2:36:55 PM
========

========
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 fc 4f f1 b7 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
- Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.98       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.255.0     192.168.2.98    192.168.2.98       20
     192.168.2.98  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.2.255  255.255.255.255     192.168.2.98    192.168.2.98       20
        224.0.0.0        240.0.0.0     192.168.2.98    192.168.2.98       20
  255.255.255.255  255.255.255.255     192.168.2.98    192.168.2.98       1
Default Gateway:       192.168.2.1
===========================================================================
Persistent Routes:
  None
========

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo Carmona
Sent: December 24, 2005 2:18 PM
To: netfilter@lists.netfilter.org
Subject: Re: Networking question

sure.... as long as there's layer three traffic.

Pinging? Pinging hosts in your network? pinging hosts in internet?

What's the output of ipconfig /all and route print? (ugh!!! :-) )

On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> Yes, and if it were a DNS problem you'd (sorry, *I'd*) think I'd see 
> DNS-related traffic from the XP box. But... Nothing. At all. Zip. Zilch.
> Nada. No web-related traffic whatsoever originating from the XP box 
> when the proxy settings in IE are de-selected.
>
> -----Original Message-----
> From: Edmundo Carmona [mailto:eantoranz@gmail.com]
> Sent: December 24, 2005 2:06 PM
> To: Dave Beach
> Subject: Re: Networking question
>
> and say... if you ping a host outside of your network, the ping is 
> routed through the GW box?
>
> It could be a DNS problem, because IE will try to resolve a domain 
> name before sending a HTTP request.
>
> On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> > Thanks for the reply. The default gateway for the internal network 
> > is the firewall box.
> >
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo 
> > Carmona
> > Sent: December 24, 2005 1:59 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Re: Networking question
> >
> > Probably there's no gateway in the XP box setup... or the gateway is 
> > plain wrong.
> >
> > Merry Xorg-mas to everyone around! ;-)
> >
> > On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> > >
> > > This is undoubtedly off-topic in oh-so-many ways; I'd be quite 
> > > happy to be redirected to another, more appropriate mailing list 
> > > should someone be so kind as to suggest one.
> > >
> > > Internal, home, private network, WinXP boxen and a Squid proxy, 
> > > connecting through an iptables box to my router and cable modem.
> > > Everything works peachy.
> > >
> > > While trying to poke bittorrent holes through my iptables setup (see?
> > > Some vague evidence of relevance), I encountered problems and 
> > > decided to take the proxy out of the picture. VERY much to my 
> > > surprise, when I reconfigured IE to not use the proxy (and 
> > > configured iptables to allow for a direct connection), I see no 
> > > HTTP traffic whatsoever leaving the XP box destined for the 
> > > firewall. In fact, no TCP traffic either (all traffic analysis 
> > > done with ethereal on the XP box). I can ping to/from the XP box, 
> > > and see THAT via
> ethereal.
> > >
> > > I am considerably confused by this. My presumption was that IE 
> > > would just happily send HTTP traffic directly to the firewall, but 
> > > this is NOT the behaviour I'm seeing.
> > >
> > > I know it's Christmas Eve day, and I was out a bit late last 
> > > night, but there's clearly something VERY obvious I'm missing.
> > >
> > >
> > >
> >
> >
> >
>
>

Re: Networking question

[Edmundo Carmona]

Correct me if I'm wrong.... but I see no DNS servers configured on that host.

On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> I don't have iptables configured to pass ICMP traffic through the firewall,
> other than specifically to the inside interface of the router. I can ping
> that, and all internal hosts.
>
> ========
> C:\>ipconfig /all
>
> Windows IP Configuration
>
>         Host Name . . . . . . . . . . . . : xxxxxxxx
>         Primary Dns Suffix  . . . . . . . :
>         Node Type . . . . . . . . . . . . : Unknown
>         IP Routing Enabled. . . . . . . . : No
>         WINS Proxy Enabled. . . . . . . . : No
>
> Ethernet adapter Local Area Connection:
>
>         Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
> Ethernet NIC
>         Physical Address. . . . . . . . . : 00-50-FC-4F-F1-B7
>         Dhcp Enabled. . . . . . . . . . . : Yes
>         Autoconfiguration Enabled . . . . : Yes
>         IP Address. . . . . . . . . . . . : 192.168.2.98
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . : 192.168.2.1
>         DHCP Server . . . . . . . . . . . : 192.168.2.2
>         Lease Obtained. . . . . . . . . . : December 24, 2005 2:36:55 PM
>         Lease Expires . . . . . . . . . . : February 22, 2006 2:36:55 PM
> ========
>
> ========
> C:\>route print
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x2 ...00 50 fc 4f f1 b7 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
> - Packet Scheduler Miniport
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.98       20
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>       192.168.2.0    255.255.255.0     192.168.2.98    192.168.2.98       20
>      192.168.2.98  255.255.255.255        127.0.0.1       127.0.0.1       20
>     192.168.2.255  255.255.255.255     192.168.2.98    192.168.2.98       20
>         224.0.0.0        240.0.0.0     192.168.2.98    192.168.2.98       20
>   255.255.255.255  255.255.255.255     192.168.2.98    192.168.2.98       1
> Default Gateway:       192.168.2.1
> ===========================================================================
> Persistent Routes:
>   None
> ========
>
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo Carmona
> Sent: December 24, 2005 2:18 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Networking question
>
> sure.... as long as there's layer three traffic.
>
> Pinging? Pinging hosts in your network? pinging hosts in internet?
>
> What's the output of ipconfig /all and route print? (ugh!!! :-) )
>
> On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> > Yes, and if it were a DNS problem you'd (sorry, *I'd*) think I'd see
> > DNS-related traffic from the XP box. But... Nothing. At all. Zip. Zilch.
> > Nada. No web-related traffic whatsoever originating from the XP box
> > when the proxy settings in IE are de-selected.
> >
> > -----Original Message-----
> > From: Edmundo Carmona [mailto:eantoranz@gmail.com]
> > Sent: December 24, 2005 2:06 PM
> > To: Dave Beach
> > Subject: Re: Networking question
> >
> > and say... if you ping a host outside of your network, the ping is
> > routed through the GW box?
> >
> > It could be a DNS problem, because IE will try to resolve a domain
> > name before sending a HTTP request.
> >
> > On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> > > Thanks for the reply. The default gateway for the internal network
> > > is the firewall box.
> > >
> > > -----Original Message-----
> > > From: netfilter-bounces@lists.netfilter.org
> > > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Edmundo
> > > Carmona
> > > Sent: December 24, 2005 1:59 PM
> > > To: netfilter@lists.netfilter.org
> > > Subject: Re: Networking question
> > >
> > > Probably there's no gateway in the XP box setup... or the gateway is
> > > plain wrong.
> > >
> > > Merry Xorg-mas to everyone around! ;-)
> > >
> > > On 12/24/05, Dave Beach <drbeach@rogers.com> wrote:
> > > >
> > > > This is undoubtedly off-topic in oh-so-many ways; I'd be quite
> > > > happy to be redirected to another, more appropriate mailing list
> > > > should someone be so kind as to suggest one.
> > > >
> > > > Internal, home, private network, WinXP boxen and a Squid proxy,
> > > > connecting through an iptables box to my router and cable modem.
> > > > Everything works peachy.
> > > >
> > > > While trying to poke bittorrent holes through my iptables setup (see?
> > > > Some vague evidence of relevance), I encountered problems and
> > > > decided to take the proxy out of the picture. VERY much to my
> > > > surprise, when I reconfigured IE to not use the proxy (and
> > > > configured iptables to allow for a direct connection), I see no
> > > > HTTP traffic whatsoever leaving the XP box destined for the
> > > > firewall. In fact, no TCP traffic either (all traffic analysis
> > > > done with ethereal on the XP box). I can ping to/from the XP box,
> > > > and see THAT via
> > ethereal.
> > > >
> > > > I am considerably confused by this. My presumption was that IE
> > > > would just happily send HTTP traffic directly to the firewall, but
> > > > this is NOT the behaviour I'm seeing.
> > > >
> > > > I know it's Christmas Eve day, and I was out a bit late last
> > > > night, but there's clearly something VERY obvious I'm missing.
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>

Networking question

[Tony Gogoi]

Hello,

Is it possible to configure a host to have 2 different IP addresses each
associated with its own unique fully qualified domain name.

To be a little more precise,
let's say I have
/etc/sysconfig/network-scripts/ifc-eth0
configured for IP address 192.168.111.4 (say)

and I also have

/etc/sysconfig/network-scripts/ifc-eth0:0
configured for IP address 192.168.111.5 (say)

However, /etc/sysconfig/network allows (or seems to allow) only a common
hostname associated with the IP addresses defined in
/etc/sysconfig/network-scripts/ifc*

But what if I want 192.168.111.4 associated with hostname "buzz" and
192.168.111.5 associated with "bumble" on a host with a single ethernet
card eth0 ???

Thanks,
Tony


Tony Gogoi

Re: Networking question

[Adam Lang]

Your question and example don't seem to match.  You are asking to have two
different ip addresses with the same host name, but your example is two ip
addresses with two different host names (buzz and bumble).

Which are you trying to do?

----- Original Message ----- 
From: "Tony Gogoi" <tgogoi@cse.Buffalo.EDU>
To: <linux-admin@vger.kernel.org>
Sent: Thursday, April 01, 2004 12:15 PM
Subject: Networking question


>
> Hello,
>
> Is it possible to configure a host to have 2 different IP addresses each
> associated with its own unique fully qualified domain name.
>
> To be a little more precise,
> let's say I have
> /etc/sysconfig/network-scripts/ifc-eth0
> configured for IP address 192.168.111.4 (say)
>
> and I also have
>
> /etc/sysconfig/network-scripts/ifc-eth0:0
> configured for IP address 192.168.111.5 (say)
>
> However, /etc/sysconfig/network allows (or seems to allow) only a common
> hostname associated with the IP addresses defined in
> /etc/sysconfig/network-scripts/ifc*
>
> But what if I want 192.168.111.4 associated with hostname "buzz" and
> 192.168.111.5 associated with "bumble" on a host with a single ethernet
> card eth0 ???
>
> Thanks,
> Tony

Re: Networking question

[Tony Gogoi]

Hi Adam,

Sorry for any confusion.
Its: 1 host with 2 hostnames. Each hostname has its own ipaddress.

Tony


On Thu, 1 Apr 2004, Adam Lang wrote:

> Your question and example don't seem to match.  You are asking to have two
> different ip addresses with the same host name, but your example is two ip
> addresses with two different host names (buzz and bumble).
>
> Which are you trying to do?
>
> ----- Original Message -----
> From: "Tony Gogoi" <tgogoi@cse.Buffalo.EDU>
> To: <linux-admin@vger.kernel.org>
> Sent: Thursday, April 01, 2004 12:15 PM
> Subject: Networking question
>
>
> >
> > Hello,
> >
> > Is it possible to configure a host to have 2 different IP addresses each
> > associated with its own unique fully qualified domain name.
> >
> > To be a little more precise,
> > let's say I have
> > /etc/sysconfig/network-scripts/ifc-eth0
> > configured for IP address 192.168.111.4 (say)
> >
> > and I also have
> >
> > /etc/sysconfig/network-scripts/ifc-eth0:0
> > configured for IP address 192.168.111.5 (say)
> >
> > However, /etc/sysconfig/network allows (or seems to allow) only a common
> > hostname associated with the IP addresses defined in
> > /etc/sysconfig/network-scripts/ifc*
> >
> > But what if I want 192.168.111.4 associated with hostname "buzz" and
> > 192.168.111.5 associated with "bumble" on a host with a single ethernet
> > card eth0 ???
> >
> > Thanks,
> > Tony
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



Tony Gogoi

Re: Networking question

[Adam Lang]

Ok, the other question then is, do you just need the hostname to work
locally for the computer?

Cause if it needs to work externally as well, you can add it to DNS.

name1           A       10.10.10.28
name2            A        10.10.10.29

Also, for local, you can add two entries to the /etc/hosts file.

This will allow you to resolve the name.

----- Original Message ----- 
From: "Tony Gogoi" <tgogoi@cse.Buffalo.EDU>
To: "Adam Lang" <aalang@rutgersinsurance.com>
Cc: <linux-admin@vger.kernel.org>
Sent: Thursday, April 01, 2004 1:24 PM
Subject: Re: Networking question


>
> Hi Adam,
>
> Sorry for any confusion.
> Its: 1 host with 2 hostnames. Each hostname has its own ipaddress.
>
> Tony
>
>
> On Thu, 1 Apr 2004, Adam Lang wrote:
>
> > Your question and example don't seem to match.  You are asking to have
two
> > different ip addresses with the same host name, but your example is two
ip
> > addresses with two different host names (buzz and bumble).
> >
> > Which are you trying to do?
> >
> > ----- Original Message -----
> > From: "Tony Gogoi" <tgogoi@cse.Buffalo.EDU>
> > To: <linux-admin@vger.kernel.org>
> > Sent: Thursday, April 01, 2004 12:15 PM
> > Subject: Networking question
> >
> >
> > >
> > > Hello,
> > >
> > > Is it possible to configure a host to have 2 different IP addresses
each
> > > associated with its own unique fully qualified domain name.
> > >
> > > To be a little more precise,
> > > let's say I have
> > > /etc/sysconfig/network-scripts/ifc-eth0
> > > configured for IP address 192.168.111.4 (say)
> > >
> > > and I also have
> > >
> > > /etc/sysconfig/network-scripts/ifc-eth0:0
> > > configured for IP address 192.168.111.5 (say)
> > >
> > > However, /etc/sysconfig/network allows (or seems to allow) only a
common
> > > hostname associated with the IP addresses defined in
> > > /etc/sysconfig/network-scripts/ifc*
> > >
> > > But what if I want 192.168.111.4 associated with hostname "buzz" and
> > > 192.168.111.5 associated with "bumble" on a host with a single
ethernet
> > > card eth0 ???
> > >
> > > Thanks,
> > > Tony
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-admin"
in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
>
>
>
> Tony Gogoi

Re: Networking question

[Glynn Clements]

Tony Gogoi wrote:

> Is it possible to configure a host to have 2 different IP addresses each
> associated with its own unique fully qualified domain name.

Yes.

> To be a little more precise,
> let's say I have
> /etc/sysconfig/network-scripts/ifc-eth0
> configured for IP address 192.168.111.4 (say)
> 
> and I also have
> 
> /etc/sysconfig/network-scripts/ifc-eth0:0
> configured for IP address 192.168.111.5 (say)
> 
> However, /etc/sysconfig/network allows (or seems to allow) only a common
> hostname associated with the IP addresses defined in
> /etc/sysconfig/network-scripts/ifc*

A system can only have one *host name* (sometimes referred to as a
node name). However, the host name is distinct from any DNS (or
similar) domain names which refer to IP addresses on that host.

The host name is the value returned by gethostname(), and also in the
nodename field in the result of uname(). This doesn't necessarily have
anything to do with networking; a system still has a host name even if
it doesn't have any networking capabilities.

> But what if I want 192.168.111.4 associated with hostname "buzz" and
> 192.168.111.5 associated with "bumble" on a host with a single ethernet
> card eth0 ???

If the association only needs to apply to the local host, you can just
add the necessary entries to /etc/hosts. If it needs to be visible
externally, you need to add entries to the DNS zone file.

-- 
Glynn Clements <glynn.clements@virgin.net>

RE: Networking question

[Bloch, Jack]

I have tried both methods and they work. I would of course like to use the
most real-time efficient and "Kernel standard" methods. Looking into the
code code of netif_rx_ni seems to be logically the most correct way since it
will trigger do_softirq directly after the call to netif_rx.

Jack Bloch
Siemens Carrier Networks
e-mail    : jack.bloch@icn.siemens.com
phone     : (561) 923-6550


-----Original Message-----
From: Maksim (Max) Krasnyanskiy [mailto:maxk@qualcomm.com]
Sent: Wednesday, July 17, 2002 6:32 PM
To: kuznet@ms2.inr.ac.ru; Bloch, Jack
Cc: linux-kernel@vger.kernel.org
Subject: Re: Networking question



> > the priority of the softirq daemon or ensure that it is always awoken 
> when a
> > netif_rx is called?
>
>You should suppound it with local_bh_disable()/enable(), when using
>from process context.
Actually he should call netif_rx_ni() instead of netif_rx().
_ni stands for non-interrupt context.

Max

Re: Networking question

[kuznet]

Hello!

> code code of netif_rx_ni seems to be logically the most correct way since it
> will trigger do_softirq directly after the call to netif_rx.

Yes, of course. I simply forgot that _ni was evetually added.

Alexey

Networking question

[Bloch, Jack]

I have an application which uses a device driver which I wrote to receive
UDP/IP messages. This driver does not use interrupts but polls to see if
messages are available. Once a message is detected I call netif_rx to pass
it up the stack. The application running from user space knows that a
message was received and does a recvfrom on my socket. On a 2.2 Kernel, this
works every time. i.e. I see a message and pass it up the stack and the
recvfrom does indeed get the message from the socket. In a 2.4 environment I
see that netif_rx is using softirq to handle the message as opposed to a BH.
There seems to be a latency introduced because of this. The ksoftirqd runs
at a low priority and my application runs at a high priority (nice value of
-10), Now it seems that the message is not waiting for me when I do a
recvfrom. I do not want to yield my program for too long since the
application is real-time intensive (i.e it must process 30 000msgs/second
which it has been able to do on a 2.2 Kernel). Is there any way to increasy
the priority of the softirq daemon or ensure that it is always awoken when a
netif_rx is called? Please CC me directly on any responses.

Jack Bloch
Siemens Carrier Networks
e-mail    : jack.bloch@icn.siemens.com
phone     : (561) 923-6550

Re: Networking question

[kuznet]

Hello!

> the priority of the softirq daemon or ensure that it is always awoken when a
> netif_rx is called?

You should suppound it with local_bh_disable()/enable(), when using
from process context.

Alexey

Re: Networking question

[Maksim (Max) Krasnyanskiy]

> > the priority of the softirq daemon or ensure that it is always awoken 
> when a
> > netif_rx is called?
>
>You should suppound it with local_bh_disable()/enable(), when using
>from process context.
Actually he should call netif_rx_ni() instead of netif_rx().
_ni stands for non-interrupt context.

Max