Linux Netfilter discussions
* tunneling and iptables
  2004-03-10  2:05 Did MASQUERADE not work ? Kevork
@ 2004-03-10  2:52 ` Hitesh Ballani
  2004-03-10  7:16   ` Cedric Blancher
       [not found]   ` <1078902997.2564.18.camel@anduril.intranet.cartel-securite. net>
  0 siblings, 2 replies; 7+ messages in thread
From: Hitesh Ballani @ 2004-03-10  2:52 UTC (permalink / raw)
  To: netfilter

Hello,

I was stuck on the interaction of iptables and tunneling... If I have an
IP-IP tunnel, are the IP hooks checked for both the outer and the inner IP
header?

Also, the mark extension allows you to mark packets with 16-bit marks,
which is big enough to encode the port number, but if I try to add policy
routing on the fly using the ip rule command then I get screwed, because
the table-id (for specifying which table has the rules to route this
packet) is only 8 bits and so I cannot encode the port numbers in there
... I know this is not a clear description, but if you know anything about
this problem, I would be more than happy to spell the details out...

Thanks,

Hitesh




* Re: tunneling and iptables
  2004-03-10  2:52 ` tunneling and iptables Hitesh Ballani
@ 2004-03-10  7:16   ` Cedric Blancher
       [not found]   ` <1078902997.2564.18.camel@anduril.intranet.cartel-securite. net>
  1 sibling, 0 replies; 7+ messages in thread
From: Cedric Blancher @ 2004-03-10  7:16 UTC (permalink / raw)
  To: Hitesh Ballani; +Cc: netfilter

On Wed 10/03/2004 at 03:52, Hitesh Ballani wrote:
> I was stuck on the interaction of iptables and tunneling... If I have an
> IP-IP tunnel, are the IP hooks checked for both the outer and the inner IP
> header?

Most of the time, both of them.
Usually, on Linux, tunnel usage means creating a logical interface (tun0,
tap0, sit0, ppp0, etc.). Suppose you create a tunnel called tun0 over
eth0.

You will see the tunneling packets on eth0, in the INPUT chain.
You will see the tunneled packets on tun0, in the INPUT or FORWARD chain
depending on the way they're routed.

> Also, the mark extension allows you to mark packets with 16-bit marks,
> which is big enough to encode the port number, but if I try to add policy
> routing on the fly using the ip rule command then I get screwed, because
> the table-id (for specifying which table has the rules to route this
> packet) is only 8 bits and so I cannot encode the port numbers in there
> ... I know this is not a clear description, but if you know anything about
> this problem, I would be more than happy to spell the details out...

Do you really need the full 16-bit space? I mean that you'll need it
only if you have 16^2 different routes (one mark per route), which should
not be the case.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


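The two-header point above is easier to see with a packet in hand. The following is an added example, not code from the thread: it builds an IPv4-in-IPv4 (protocol 4) datagram with the standard library, decapsulates it, and records which header a filter rule can match at each step. The sample addresses, the interface names eth0/tunl0 (tunl0 is what the Linux ipip driver calls its device; the thread says tun0 generically) and the payload are constructed for illustration. It also computes the per-frame cost of the extra 20-byte header, which is the figure the overhead discussion later in the thread refers to.

```python
"""IP-in-IP encapsulation and the headers each Netfilter hook sees (added example)."""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and verify an IPv4 header; return its fields and the payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """ipip: the whole inner datagram becomes the payload of an outer header."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IPIP")
    return hdr["payload"]


def netfilter_trace(frame: bytes, local_addrs: set, phys_if: str = "eth0",
                    tun_if: str = "tunl0") -> list:
    """(interface, chain, src, dst, proto) tuples a rule can match, in order:
    the outer header on the physical interface; then, only when this host is
    the tunnel endpoint, the inner header on the tunnel interface, landing in
    INPUT or FORWARD according to the inner destination."""
    outer = parse_ipv4(frame)
    if outer["dst"] not in local_addrs:
        return [(phys_if, "FORWARD", outer["src"], outer["dst"], outer["proto"])]
    trace = [(phys_if, "INPUT", outer["src"], outer["dst"], outer["proto"])]
    if outer["proto"] != IPPROTO_IPIP:
        return trace
    inner = parse_ipv4(decapsulate(frame))
    chain = "INPUT" if inner["dst"] in local_addrs else "FORWARD"
    trace.append((tun_if, chain, inner["src"], inner["dst"], inner["proto"]))
    return trace


def ipip_overhead(mtu: int = 1500) -> float:
    """Share of a full-size frame taken by the extra outer header."""
    return 20 / mtu


# Constructed sample: a TCP datagram from 10.1.1.5 to 10.2.2.9 tunneled
# between endpoints 192.0.2.1 and 198.51.100.7 (all addresses made up).
INNER = build_ipv4("10.1.1.5", "10.2.2.9", IPPROTO_TCP, b"tcp-segment")
OUTER = encapsulate(INNER, "192.0.2.1", "198.51.100.7")

if __name__ == "__main__":
    for hop in netfilter_trace(OUTER, {"198.51.100.7"}):
        print(hop)
```

A rule like `iptables -A INPUT -i eth0 -p 4 -s 192.0.2.1 -j ACCEPT` is what the first tuple matches; a rule on the inner addresses must use `-i tunl0` and lives in INPUT or FORWARD depending on where the inner destination is.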

* Re: tunneling and iptables
       [not found]   ` <1078902997.2564.18.camel@anduril.intranet.cartel-securite. net>
@ 2004-03-10  8:15     ` Hitesh Ballani
  2004-03-10  9:02       ` Cedric Blancher
       [not found]       ` <1078909348.2757.13.camel@anduril.intranet.cartel-securite. net>
  0 siblings, 2 replies; 7+ messages in thread
From: Hitesh Ballani @ 2004-03-10  8:15 UTC (permalink / raw)
  To: netfilter


> > Also, the mark extension allows you to mark packets with 16-bit marks,
> > which is big enough to encode the port number, but if I try to add policy
> > routing on the fly using the ip rule command then I get screwed, because
> > the table-id (for specifying which table has the rules to route this
> > packet) is only 8 bits and so I cannot encode the port numbers in there
> > ... I know this is not a clear description, but if you know anything about
> > this problem, I would be more than happy to spell the details out...
>
> Do you really need the full 16-bit space? I mean that you'll need it
> only if you have 16^2 different routes (one mark per route), which should
> not be the case.

Thanks for your comments on tunnels... Actually I am working on a model
for anycast deployment and need to have the 16 bits so that I can support
256*(2^16) services using a single /24 block. By the way, how heavy are
tunnels, i.e. how many can the kernel support? But I have almost given
up on using the standard iptables interface; I am thinking of writing a
module that uses a netfilter hook... While I think I have the details
figured out, any word of advice will be highly appreciated!

Thanks again,

Hitesh 




* Re: tunneling and iptables
  2004-03-10  8:15     ` Hitesh Ballani
@ 2004-03-10  9:02       ` Cedric Blancher
       [not found]       ` <1078909348.2757.13.camel@anduril.intranet.cartel-securite. net>
  1 sibling, 0 replies; 7+ messages in thread
From: Cedric Blancher @ 2004-03-10  9:02 UTC (permalink / raw)
  To: Hitesh Ballani; +Cc: netfilter

On Wed 10/03/2004 at 09:15, Hitesh Ballani wrote:
> Thanks for your comments on tunnels... Actually I am working on a model
> for anycast deployment and need to have the 16 bits so that I can support
> 256*(2^16) services using a single /24 block.

OK.

If I understand your context (which may not be true), your problem is
that you have to route packets by destination port, and that MARK's
capabilities are too limited for you to have Netfilter communicate
with policy routing.

So, have you considered using the ROUTE target (from patch-o-matic), which
allows one to specify a specific route for a given packet within
Netfilter? With it, you could implement a rule just like this:

	iptables -t mangle -A POSTROUTING -p tcp --dport $myservice \
		-j ROUTE --gw $myservicegw


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


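The two approaches in this reply (MARK plus an `ip rule fwmark ... table N` lookup, versus the patch-o-matic ROUTE target) can be compared by generating the rule sets for the same service list. The script below is an added example, not from the thread or the Netfilter project; it emits the commands as strings rather than running them, so it needs no root and no iptables. It assumes a 2.4-era kernel where routing table ids are 8 bits with 0, 253, 254 and 255 reserved (unspec, default, main, local); the sample ports and gateway addresses are made up. The point it shows goes slightly beyond the reply: the table-id limit is only reached by the number of distinct next hops, not the number of ports, because every port that shares a gateway can share a table while still carrying its own mark.

```python
"""Rule generation for port-based policy routing, two ways (added example)."""

# Table ids usable for fwmark lookups on a 2.4-era kernel (assumed here):
# the id field is 8 bits and four values are reserved by the kernel.
RESERVED_TABLES = {0, 253, 254, 255}
USABLE_TABLES = [t for t in range(1, 256) if t not in RESERVED_TABLES]


def plan_tables(services: dict) -> dict:
    """Map each distinct gateway to one routing table id, reusing a table for
    every port that shares a next hop. Raises once the 8-bit id space is gone."""
    gateways = sorted(set(services.values()))
    if len(gateways) > len(USABLE_TABLES):
        raise ValueError(f"{len(gateways)} next hops need more than "
                         f"{len(USABLE_TABLES)} routing tables")
    return dict(zip(gateways, USABLE_TABLES))


def fwmark_rules(services: dict) -> list:
    """MARK in mangle/PREROUTING (before the routing decision), then one
    'ip rule' per port selecting the table for that port's gateway.
    services maps a TCP destination port to the gateway it should use."""
    tables = plan_tables(services)
    cmds = [f"ip route add default via {gw} table {tid}" for gw, tid in tables.items()]
    for port, gw in sorted(services.items()):
        # The mark is the port itself: fits the 16-bit mark the thread describes.
        cmds.append(f"iptables -t mangle -A PREROUTING -p tcp --dport {port} "
                    f"-j MARK --set-mark {port:#x}")
        cmds.append(f"ip rule add fwmark {port:#x} table {tables[gw]}")
    return cmds


def route_target_rules(services: dict) -> list:
    """ROUTE target from patch-o-matic: the next hop is chosen inside the
    iptables rule, so no mark and no routing table are consumed per service."""
    return [f"iptables -t mangle -A POSTROUTING -p tcp --dport {port} "
            f"-j ROUTE --gw {gw}"
            for port, gw in sorted(services.items())]


# Constructed sample: three services, two distinct next hops.
SERVICES = {80: "10.0.0.2", 443: "10.0.0.2", 25: "10.0.0.3"}

if __name__ == "__main__":
    print("\n".join(fwmark_rules(SERVICES)))
    print("---")
    print("\n".join(route_target_rules(SERVICES)))
```

Note the chain choice: the MARK has to be set in PREROUTING so the routing decision sees it, whereas the ROUTE target in the reply above sits in POSTROUTING because it overrides that decision after the fact.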

* Re: tunneling and iptables
       [not found]       ` <1078909348.2757.13.camel@anduril.intranet.cartel-securite. net>
@ 2004-03-10  9:38         ` Hitesh Ballani
  2004-03-10 10:11           ` Cedric Blancher
  0 siblings, 1 reply; 7+ messages in thread
From: Hitesh Ballani @ 2004-03-10  9:38 UTC (permalink / raw)
  To: netfilter

At 10:02 AM 3/10/2004 +0100, Cedric Blancher wrote:
>On Wed 10/03/2004 at 09:15, Hitesh Ballani wrote:
> > Thanks for your comments on tunnels... Actually I am working on a model
> > for anycast deployment and need to have the 16 bits so that I can support
> > 256*(2^16) services using a single /24 block.
>
>OK.
>
>If I understand your context (which may not be true), your problem is
>that you have to route packets by destination port, and that MARK's
>capabilities are too limited for you to have Netfilter communicate
>with policy routing.
>
>So, have you considered using the ROUTE target (from patch-o-matic), which
>allows one to specify a specific route for a given packet within
>Netfilter? With it, you could implement a rule just like this:
>
>         iptables -t mangle -A POSTROUTING -p tcp --dport $myservice \
>                 -j ROUTE --gw $myservicegw



Sorry to bug you... that ROUTE extension is perfect for me... but with
my design I will have around 2000 tunnels created (I know this sounds
crazy). Will the kernel be able to handle this, or is this too much
overhead? Leaving aside the start-up overhead, during the actual
forwarding is there any overhead besides the extra IP header being attached?

Thanks for your time,

Hitesh




* Re: tunneling and iptables
  2004-03-10  9:38         ` Hitesh Ballani
@ 2004-03-10 10:11           ` Cedric Blancher
  0 siblings, 0 replies; 7+ messages in thread
From: Cedric Blancher @ 2004-03-10 10:11 UTC (permalink / raw)
  To: netfilter

On Wed 10/03/2004 at 10:38, Hitesh Ballani wrote:
> Sorry to bug you... that ROUTE extension is perfect for me...

Fine :)

> but with my design I will have around 2000 tunnels created (I know
> this sounds crazy). Will the kernel be able to handle this, or is this
> too much overhead? Leaving aside the start-up overhead, during the
> actual forwarding is there any overhead besides the extra IP header
> being attached?

I must admit I don't know whether the kernel will be able to handle 2000
logical interfaces, as I'm not a kernel guru. Maybe you should ask the
kernel mailing list.

Speaking of tunneling overhead, it will closely depend on which
tunneling technology you use (which defines the additional header,
compression and encryption) and the medium that carries the tunnel (which
defines the MTU). Most of the time, the overhead is very low. IPIP
tunneling will use one more IP header, a GRE tunnel a couple of bytes more,
etc., and with a 1500-byte MTU we're still around 2% or 3% of overhead
on a full frame, without any compression or encryption. Now you can use
things like PPP over SSL, which has overhead, compression and encryption,
SSH stuff or IPsec stuff, or whatever you may want to use :)

So you have three things:

        . header overhead
        . compression (which can beat the overhead) [1]
        . encryption

I would be more worried by the computing time necessary to decapsulate
packets if you use compression or encryption, and the latency (and maybe
packet loss) it can induce.


[1] I remember a time when it was faster for me to read my mail via POP
    over SSH than in the clear, just because SSH uses compression. When
    security meets end-user needs ;)

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: tunneling and iptables
@ 2004-03-10 13:55 Babar Kazmi
  0 siblings, 0 replies; 7+ messages in thread
From: Babar Kazmi @ 2004-03-10 13:55 UTC (permalink / raw)
  To: netfilter

Dear all,

I would just like to know whether the kernel can handle 2000 logical
interfaces. If someone knows, could they comment on this? I would be thankful.

Regards

Babar Kazmi


> but with my design I will have around 2000 tunnels created (I know
> this sounds crazy). Will the kernel be able to handle this, or is this
> too much overhead? Leaving aside the start-up overhead, during the
> actual forwarding is there any overhead besides the extra IP header
> being attached?
>


