From: Abraham van der Merwe
Date: Mon, 02 Dec 2002 09:52:17 +0000
Subject: Re: [LARTC] ipip and nexthdr
To: lartc@vger.kernel.org

Hi Andrei!

Look in the mail archives. Somebody posted a solution for GRE tunnels last week.

> After careful reading (LARTC) and experimentation, I am in a dead
> end...
>
> I am using several IPIP tunnels (linux ipip module, IP protocol 4).
>
> I'd like to filter packets going through these tunnels to different
> classes, on the ingress device, based on source and destination IP
> _INSIDE THE TUNNEL_.
>
> First I tried the nexthdr bit. As explained in LARTC, nexthdr jumps to
> the next header in the packet, so I figured if it works for TCP, it
> should also work for IP in IP, but it didn't.
>
> I looked at some ICMP echo request/reply packets with tcpdump dumping
> packet contents in hex.
> The IP header is 20 bytes. I tried the following:
>
> a.b.c.d is an IP inside the tunnel.
>
> tc filter ... u32 match ip src a.b.c.d at nexthdr+0
> I assumed this would go to the inner ip header, ip src will set the
> correct offset. WRONG.
> tc filter ... u32 match ip src a.b.c.d at nexthdr+12
> This should point to the source address in the IP header, in the next
> header = the tunnel.
> WRONG.
>
> tc filter ... u32 match 0xaabbccdd 0xffffffff at 32
> CORRECT. this correctly matches the source ip inside the tunnel
>
> I browsed a lot inside the source of tc (from iproute) but how nexthdr
> works is still unclear to me.
>
> However, I'd like to be able to make the filter selections with ip src,
> ip dst sport, dport inside the tunnel, before decapsulation.

--
Regards
Abraham

Military secrets are the most fleeting of all.
-- Spock, "The Enterprise Incident", stardate 5027.4

___________________________________________________
Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
P.O. Box 3472, Matieland, Stellenbosch, 7602
Cell: +27 82 565 4451 Http: http://www.frogfoot.net Email: abz@frogfoot.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
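The offset arithmetic behind the "at 32" match in the quoted message, as an added Python example that is not part of this thread: it builds a constructed IPIP packet, locates the inner IP addresses (and, going one step further than the thread, the inner TCP/UDP ports) from the outer header's IHL instead of nexthdr, and emits the corresponding u32 clause. All addresses and port numbers are made-up placeholders.

```python
import socket
import struct

# Constructed placeholders (not from the thread): tunnel endpoints and inner hosts.
OUTER_SRC, OUTER_DST = "192.0.2.1", "192.0.2.2"
INNER_SRC, INNER_DST = "10.1.1.1", "10.2.2.2"

def ipv4_header(src, dst, proto, payload_len, ihl=5):
    """Minimal IPv4 header; ihl > 5 pads with zero option bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                      0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + b"\x00" * (ihl * 4 - 20)

def build_ipip(inner_proto, payload, outer_ihl=5):
    """Outer IPv4 (protocol 4 = IPIP) wrapping an inner IPv4 packet."""
    inner = ipv4_header(INNER_SRC, INNER_DST, inner_proto, len(payload)) + payload
    return ipv4_header(OUTER_SRC, OUTER_DST, 4, len(inner), outer_ihl) + inner

def inner_ip_offsets(pkt):
    """Offsets (from the outer IP header) of the inner src and dst addresses.
    'ip src' in u32 means offset 12 of the outer header, so the outer header
    length has to be skipped by hand: outer_ihl*4 + 12 and + 16."""
    if pkt[9] != 4:
        raise ValueError("outer protocol %d is not IPIP" % pkt[9])
    base = (pkt[0] & 0x0F) * 4
    return base + 12, base + 16

def inner_port_offsets(pkt):
    """Offsets of the inner sport/dport; only meaningful for TCP (6) or UDP (17)."""
    base = (pkt[0] & 0x0F) * 4            # start of the inner IP header
    inner_proto = pkt[base + 9]
    if inner_proto not in (6, 17):
        raise ValueError("inner protocol %d carries no ports" % inner_proto)
    l4 = base + (pkt[base] & 0x0F) * 4    # start of the inner transport header
    return l4, l4 + 2

def u32_inner_src_match(pkt, inner_src):
    """The u32 clause matching a given inner source address on this packet layout."""
    src_off, _ = inner_ip_offsets(pkt)
    value = struct.unpack("!I", socket.inet_aton(inner_src))[0]
    return "match u32 0x%08x 0xffffffff at %d" % (value, src_off)

# Inner ICMP echo request, as in the thread; offset 32 only holds when the
# outer header has no options (ihl == 5).
ICMP_PACKET = build_ipip(1, b"\x08\x00\x00\x00\x00\x01\x00\x01")
UDP_PACKET = build_ipip(17, struct.pack("!HHHH", 1234, 53, 8, 0))
```

Run against a real tcpdump hex dump, the same functions show whether an outer header with options has shifted the inner addresses past offset 32.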