From: Abraham van der Merwe <abz@frogfoot.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] ipip and nexthdr
Date: Mon, 02 Dec 2002 09:52:17 +0000
Message-ID: <marc-lartc-103882286612208@msgid-missing>
In-Reply-To: <marc-lartc-103882255011918@msgid-missing>

Hi Andrei!

Look in the mail archives. Somebody posted a solution for GRE tunnels last
week.

>  After careful reading (LARTC) and experimentation, I am in a dead
> end...
> 
>  I am using several IPIP tunnels (linux ipip module, IP protocol 4).
> 
>  I'd like to filter packets going through these tunnels to different
> classes, on the ingress device, based on source and destination IP
> _INSIDE THE TUNNEL_.
> 
>  First I tried the nexthdr bit. As explained in LARTC, nexthdr jumps to
> the next header in the packet, so I figured if it works for TCP, it
> should also work for IP in IP, but it didn't. 
> 
>  I looked at some ICMP echo request/reply packets with tcpdump dumping
> packet contents in hex. 
> The IP header is 20 bytes. I tried the following:
> 
> a.b.c.d is an IP inside the tunnel.
> 
> tc filter ... u32 match ip src a.b.c.d at nexthdr+0
> I assumed this would go to the inner ip header, ip src will set the
> correct offset. WRONG.
> tc filter ... u32 match ip src a.b.c.d at nexthdr+12
> This should point to the source address in the IP header, in the next
> header = the tunnel.
> WRONG. 
> 
> tc filter ... u32 match 0xaabbccdd 0xffffffff at 32 
> CORRECT. this correctly matches the source ip inside the tunnel
> 
> I browsed a lot inside the source of tc (from iproute) but how nexthdr
> works is still unclear to me.
> 
> However, I'd like to be able to make the filter selections with ip src,
> ip dst sport, dport inside the tunnel, before decapsulation.

-- 

Regards
 Abraham

Military secrets are the most fleeting of all.
		-- Spock, "The Enterprise Incident", stardate 5027.4

___________________________________________________
 Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
 P.O. Box 3472, Matieland, Stellenbosch, 7602
 Cell: +27 82 565 4451 Http: http://www.frogfoot.net
 Email: abz@frogfoot.net
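
Added example, not part of the original message or of iproute2: it computes where the inner-header fields of an IPIP packet sit, counted from the start of the outer IP header as in the quoted `at 32`, and emulates a raw u32 key against a constructed packet. The addresses, ports and helper names are assumptions made for illustration; the second packet shows that a hard-coded offset stops matching once the outer header carries IP options.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len, options=b""):
    """Build a minimal IPv4 header (checksum left 0; irrelevant for offsets)."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                       0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + options

def inner_offsets(packet):
    """Byte offsets of inner-header fields, from the start of the outer IP header."""
    outer_ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 4:                      # IP protocol 4 = IPIP
        raise ValueError("not an IPIP packet")
    inner_ihl = (packet[outer_ihl] & 0x0F) * 4
    return {"src": outer_ihl + 12, "dst": outer_ihl + 16,
            "ports": outer_ihl + inner_ihl}  # sport = high 16 bits, dport = low 16

def u32_match(packet, value, mask, offset):
    """Emulate one u32 key: masked big-endian 32-bit compare at a fixed offset."""
    (word,) = struct.unpack_from("!I", packet, offset)
    return (word & mask) == (value & mask)

def selector(value, mask, offset):
    """Render the key in tc's raw `match u32 VALUE MASK at OFFSET` form."""
    return f"match u32 0x{value:08x} 0x{mask:08x} at {offset}"

def ip_to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]

# Constructed sample: tunnel endpoints 192.0.2.1 -> 192.0.2.2 carrying
# 10.1.1.1:5000 -> 10.2.2.2:53 over UDP (documentation/private addresses).
UDP = struct.pack("!HHHH", 5000, 53, 8, 0)
INNER = ipv4_header("10.1.1.1", "10.2.2.2", 17, len(UDP)) + UDP
PACKET = ipv4_header("192.0.2.1", "192.0.2.2", 4, len(INNER)) + INNER
# Same packet, but the outer header carries 4 bytes of IP options (NOP padding).
PACKET_OPTS = ipv4_header("192.0.2.1", "192.0.2.2", 4, len(INNER), b"\x01" * 4) + INNER

if __name__ == "__main__":
    offs = inner_offsets(PACKET)
    print(selector(ip_to_int("10.1.1.1"), 0xFFFFFFFF, offs["src"]))
    print(selector(ip_to_int("10.2.2.2"), 0xFFFFFFFF, offs["dst"]))
    print(selector(53, 0x0000FFFF, offs["ports"]))          # inner dport 53
    print("fixed offset 32 on packet with outer options:",
          u32_match(PACKET_OPTS, ip_to_int("10.1.1.1"), 0xFFFFFFFF, 32))
```

The port offset is only meaningful when the inner packet is an unfragmented TCP or UDP datagram.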


Thread overview: 2+ messages
2002-12-02  9:47 [LARTC] ipip and nexthdr Andrei Boros
2002-12-02  9:52 ` Abraham van der Merwe [this message]