Linux Netfilter discussions
* (unknown)
@ 2007-09-15 23:15 "Mario Hülsegge"
  2007-09-16 11:05 ` Port-based routing with OpenVPN Pascal Hambourg
  0 siblings, 1 reply; 21+ messages in thread
From: "Mario Hülsegge" @ 2007-09-15 23:15 UTC (permalink / raw)
  To: netfilter

hi,

i am trying to set up routing of all outgoing http-requests on my 
workstation through my openvpn gateway (tun0). the web told me to do it:

iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 4
ip rule add fwmark 4 lookup 3
ip route add default dev tun0 table 3


the problem is that it does not work. tcpdump gives me:

00:28:00.461045 IP (tos 0x0, ttl  64, id 28447, offset 0, flags [DF], 
proto: UDP (17), length: 71) 192.168.0.125.1049 > vroot.domain: [udp sum 
ok]  62654+ PTR? 67.11.71.195.in-addr.arpa. (43)
00:28:00.515190 IP (tos 0x0, ttl  56, id 0, offset 0, flags [DF], proto: 
UDP (17), length: 127) vroot.domain > 192.168.0.125.1049:  62654 NXDomain 
q: PTR? 67.11.71.195.in-addr.arpa. 0/1/0 ns: 71.195.in-addr.arpa. (99)
00:28:01.459744 arp who-has 195.71.11.67 tell 192.168.0.125
00:28:02.459844 arp who-has 195.71.11.67 tell 192.168.0.125


the arp-requests don't seem to be right, any suggestions?

Mario


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: Port-based routing with OpenVPN
  2007-09-15 23:15 (unknown) "Mario Hülsegge"
@ 2007-09-16 11:05 ` Pascal Hambourg
  2007-09-19 21:38   ` Mario Hülsegge
  2007-09-25 22:14   ` Mario Hülsegge
  0 siblings, 2 replies; 21+ messages in thread
From: Pascal Hambourg @ 2007-09-16 11:05 UTC (permalink / raw)
  To: netfilter

Hello,

Mario Hülsegge wrote:
> 
> i am trying to set up routing of all outgoing http-requests on my 
> workstation through my openvpn gateway (tun0). the web told me to do it:
> 
> iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 4
> ip rule add fwmark 4 lookup 3
> ip route add default dev tun0 table 3

Looks fine.

> the problem is that it does not work. tcpdump gives me:
> 
> 00:28:00.461045 IP (tos 0x0, ttl  64, id 28447, offset 0, flags [DF], 
> proto: UDP (17), length: 71) 192.168.0.125.1049 > vroot.domain: [udp sum 
> ok]  62654+ PTR? 67.11.71.195.in-addr.arpa. (43)
> 00:28:00.515190 IP (tos 0x0, ttl  56, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 127) vroot.domain > 192.168.0.125.1049:  62654 NXDomain 
> q: PTR? 67.11.71.195.in-addr.arpa. 0/1/0 ns: 71.195.in-addr.arpa. (99)
> 00:28:01.459744 arp who-has 195.71.11.67 tell 192.168.0.125
> 00:28:02.459844 arp who-has 195.71.11.67 tell 192.168.0.125

Was this trace captured on interface tun0 ?
Please use option -n so addresses and port numbers are not converted 
into confusing names.
What is the address of vroot ? Is it the other end of the VPN ?
Is the OpenVPN link configured in TUN (IP) or TAP (ethernet) mode ? The 
interface name tun0 suggests TUN mode, but the ARP requests suggest TAP 
mode. If it is TAP mode, you must specify the gateway address in the ip 
route statement just as you would do with a gateway on an ethernet link.


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: Port-based routing with OpenVPN
  2007-09-16 11:05 ` Port-based routing with OpenVPN Pascal Hambourg
@ 2007-09-19 21:38   ` Mario Hülsegge
  2007-09-25 22:14   ` Mario Hülsegge
  1 sibling, 0 replies; 21+ messages in thread
From: Mario Hülsegge @ 2007-09-19 21:38 UTC (permalink / raw)
  To: netfilter

Hi,

and thank you for answering despite the fact i forgot to set a
subject :)

> Was this trace captured on interface tun0 ?
yes

> What is the address of vroot ? Is it the other end of the VPN ?
no, it is just my dns-server that has nothing to do with the vpn.

> Is the OpenVPN link configured in TUN (IP) or TAP (ethernet) mode ?
it is in tun mode, i have no idea why it acts like in tap mode.

Mario



^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2007-09-21 22:33 David Boulding
  0 siblings, 0 replies; 21+ messages in thread
From: David Boulding @ 2007-09-21 22:33 UTC (permalink / raw)
  To: netfilter

unsubscribe netfilter

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: Port-based routing with OpenVPN
  2007-09-16 11:05 ` Port-based routing with OpenVPN Pascal Hambourg
  2007-09-19 21:38   ` Mario Hülsegge
@ 2007-09-25 22:14   ` Mario Hülsegge
  2007-09-26 10:33     ` Pascal Hambourg
  1 sibling, 1 reply; 21+ messages in thread
From: Mario Hülsegge @ 2007-09-25 22:14 UTC (permalink / raw)
  To: netfilter

On Sunday, 16.09.2007, at 13:05 +0200, Pascal Hambourg wrote:

> 
> > the problem is that it does not work. tcpdump gives me:
> > 
> > 00:28:00.461045 IP (tos 0x0, ttl  64, id 28447, offset 0, flags [DF], 
> > proto: UDP (17), length: 71) 192.168.0.125.1049 > vroot.domain: [udp sum 
> > ok]  62654+ PTR? 67.11.71.195.in-addr.arpa. (43)
> > 00:28:00.515190 IP (tos 0x0, ttl  56, id 0, offset 0, flags [DF], proto: 
> > UDP (17), length: 127) vroot.domain > 192.168.0.125.1049:  62654 NXDomain 
> > q: PTR? 67.11.71.195.in-addr.arpa. 0/1/0 ns: 71.195.in-addr.arpa. (99)
> > 00:28:01.459744 arp who-has 195.71.11.67 tell 192.168.0.125
> > 00:28:02.459844 arp who-has 195.71.11.67 tell 192.168.0.125
> 
> Was this trace captured on interface tun0 ?
 i am sorry, i confused the tcpdump output with another test on a normal
eth device, this is the capture on tun0:

23:47:54.378123 IP 192.168.0.125.3794 > ha-42.web.de.www: S 471744113:471744113(0) win 5840 <mss 1460,sackOK,timestamp 7974928 0,nop,wscale 3>
23:47:57.377790 IP 192.168.0.125.3794 > ha-42.web.de.www: S 471744113:471744113(0) win 5840 <mss 1460,sackOK,timestamp 7975678 0,nop,wscale 3>
23:48:03.378327 IP 192.168.0.125.3794 > ha-42.web.de.www: S 471744113:471744113(0) win 5840 <mss 1460,sackOK,timestamp 7977178 0,nop,wscale 3>
23:48:15.379418 IP 192.168.0.125.3794 > ha-42.web.de.www: S 471744113:471744113(0) win 5840 <mss 1460,sackOK,timestamp 7980178 0,nop,wscale 3>

the answer seems to be blocked in some way.. suggestions?


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: Port-based routing with OpenVPN
  2007-09-25 22:14   ` Mario Hülsegge
@ 2007-09-26 10:33     ` Pascal Hambourg
  2007-09-26 12:49       ` Mario Hülsegge
  0 siblings, 1 reply; 21+ messages in thread
From: Pascal Hambourg @ 2007-09-26 10:33 UTC (permalink / raw)
  To: netfilter

Mario Hülsegge wrote:
> 
>  i am sorry, i confused the tcpdump output with another test on a normal
> eth device, this is the capture on tun0:
> 
> 23:47:54.378123 IP 192.168.0.125.3794 > ha-42.web.de.www: S 471744113:471744113(0) win 5840 <mss 1460,sackOK,timestamp 7974928 0,nop,wscale 3>
[etc.]
> the answer seems to be blocked in some way.. suggestions?

First, can you check on the VPN gateway that the request is received and 
forwarded to the destination server ?

Then, check the return path routing. One step would be to set the 
default route through the VPN and check that everything works well.

I see that your workstation source address, 192.168.0.125, is the same 
as in the capture on the ethernet device, and probably different from 
the tun0 address. This is normal, because the source address selection 
occurs before the port based routing is taken into account. However if 
the VPN gateway has no route to your source address, replies cannot come 
back. You may need to add an iptables SNAT or MASQUERADE rule for 
packets leaving the tun0 interface. Beware that with older kernels 
MASQUERADE may not work well with advanced routing.

Also, if the source address is a private address, the VPN gateway must 
perform SNAT or MASQUERADE on packets forwarded from the VPN to the 
public network.

Finally, check that /proc/sys/net/ipv4/conf/tun0/rp_filter = 0, else 
your workstation routing may drop the replies arriving at tun0 (although 
tcpdump would see them).

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: Port-based routing with OpenVPN
  2007-09-26 10:33     ` Pascal Hambourg
@ 2007-09-26 12:49       ` Mario Hülsegge
  2007-09-26 14:10         ` Pascal Hambourg
  0 siblings, 1 reply; 21+ messages in thread
From: Mario Hülsegge @ 2007-09-26 12:49 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter

On Wednesday, 26.09.2007, at 12:33 +0200, Pascal Hambourg wrote:

> You may need to add an iptables SNAT or MASQUERADE rule for 
> packets leaving the tun0 interface. [...]
> 
> Finally, check that /proc/sys/net/ipv4/conf/tun0/rp_filter = 0, else 
> your workstation routing may drop the replies arriving at tun0 (although 
> tcpdump would see them).
> -

these 2 hints solved the problem, now all runs fine. i inserted a masq
rule before, but without setting rp_filter (who would ever have thought of
THAT ;) ).

thank you very much for your help. 


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: Port-based routing with OpenVPN
  2007-09-26 12:49       ` Mario Hülsegge
@ 2007-09-26 14:10         ` Pascal Hambourg
  0 siblings, 0 replies; 21+ messages in thread
From: Pascal Hambourg @ 2007-09-26 14:10 UTC (permalink / raw)
  To: netfilter

Mario Hülsegge wrote:
> 
> these 2 hints solved the problem, now all runs fine. i inserted a masq
> rule before, but without setting rp_filter

The kernel disables rp_filter by default, but the startup scripts 
provided by some distributions enable it.

> (who would ever have thought of THAT ;) ).

The practical answer is : anyone who experienced the problem once does. 
Trust me.

The theoretical answer is : anyone using iproute should, because it is a 
common issue documented in the Linux Advanced Routing & Traffic Control 
HOWTO, and probably elsewhere. I myself hesitated to mention it and did 
it only for completeness because it could not be the only cause of your 
problem : tcpdump would have seen the replies even though the kernel had 
dropped them.

^ permalink raw reply	[flat|nested] 21+ messages in thread
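
Added example (not part of the thread and not code from either poster): the three commands from the original post together with the two fixes Pascal describes, plus a check of the rp_filter value actually in force on tun0. It goes slightly beyond the thread by assuming current-kernel behaviour, where the kernel applies the higher of conf/all/rp_filter and conf/tun0/rp_filter and the value 2 means loose mode; the CONF variable and the function names are made up for this example.

```shell
#!/bin/sh
# Port-based routing of outgoing HTTP through tun0 (mark 4, table 3 and tun0
# are the values used in the thread). Usage: script check | script apply

# Overridable so the check can be pointed at a test directory (assumption of
# this example, not something the thread uses).
CONF=${CONF:-/proc/sys/net/ipv4/conf}

# Print the rp_filter value in force on interface $1.
# Assumption: current kernels use the higher of conf/all and conf/<iface>,
# so writing 0 to the interface alone does not help while "all" is 1.
effective_rp_filter() {
    iface=$1
    all=$(cat "$CONF/all/rp_filter")
    dev=$(cat "$CONF/$iface/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Succeed when replies arriving on interface $1 survive the reverse-path check.
# 1 = strict: the route back to the web server is looked up without the
# fwmark, points at the ethernet default route instead of tun0, and the reply
# is dropped (tcpdump still shows it). 0 = off, 2 = loose: the reply passes.
replies_pass_rp_filter() {
    [ "$(effective_rp_filter "$1")" -ne 1 ]
}

apply_port_routing() {
    # The three commands from the original post.
    iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 4
    ip rule add fwmark 4 lookup 3
    ip route add default dev tun0 table 3

    # Fix 1: the source address was chosen before the mark re-routed the
    # packet, so rewrite it to the tun0 address the VPN gateway can reach.
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

    # Fix 2: relax the reverse-path filter on tun0 only, leaving the setting
    # on the other interfaces untouched.
    echo 0 > "$CONF/tun0/rp_filter"
    if ! replies_pass_rp_filter tun0; then
        # conf/all is still strict; loose mode on tun0 wins the comparison.
        echo 2 > "$CONF/tun0/rp_filter"
    fi
}

case "${1:-}" in
    apply)
        apply_port_routing
        ;;
    check)
        if replies_pass_rp_filter tun0; then
            echo "tun0: rp_filter=$(effective_rp_filter tun0), replies accepted"
        else
            echo "tun0: rp_filter=1 (strict), replies on tun0 will be dropped"
            exit 1
        fi
        ;;
esac
```
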

* (unknown), 
@ 2007-11-15  5:24 李伟华
  0 siblings, 0 replies; 21+ messages in thread
From: 李伟华 @ 2007-11-15  5:24 UTC (permalink / raw)
  To: netfilter



When I patched kernel 2.6.23.1 and iptables-1.3.8 with the latest patch-o-matic patchlet connlimit and compiled iptables with "make KERNEL_DIR=../linux-2.6.23.1/", some errors appeared:


Extensions found: IPv4:CLUSTERIP IPv4:NFLOG IPv4:condition IPv4:connbytes IPv4:connlimit IPv4:dccp IPv4:ipp2p IPv4:layer7 IPv4:quota IPv4:recent IPv4:statistic IPv4:string IPv6:NFLOG IPv6:REJECT IPv6:ah IPv6:esp IPv6:frag IPv6:hashlimit IPv6:ipv6header IPv6:mh IPv6:rt IPv6:sctp
cc -O2 -Wall -Wunused -I../linux-2.6.23.1//include -Iinclude/ -DIPTABLES_VERSION=\"1.3.8\"  -fPIC -o extensions/libipt_connlimit_sh.o -c extensions/libipt_connlimit.c
In file included from ../linux-2.6.23.1/include/asm/bitops.h:9,
                 from ../linux-2.6.23.1/include/linux/bitops.h:9,
                 from /usr/include/linux/netfilter_ipv4/ip_conntrack.h:9,
                 from extensions/libipt_connlimit.c:9:
../linux-2.6.23.1/include/asm/alternative.h:9: error: syntax error before "u8"
../linux-2.6.23.1/include/asm/alternative.h:11: error: syntax error before "cpuid"
../linux-2.6.23.1/include/asm/alternative.h:12: error: syntax error before "instrlen"
../linux-2.6.23.1/include/asm/alternative.h:13: error: syntax error before "replacementlen"
../linux-2.6.23.1/include/asm/alternative.h:14: error: syntax error before "pad"
In file included from ../linux-2.6.23.1/include/linux/bitops.h:9,
                 from /usr/include/linux/netfilter_ipv4/ip_conntrack.h:9,
                 from extensions/libipt_connlimit.c:9:
../linux-2.6.23.1/include/asm/bitops.h:244: error: syntax error before "int"
In file included from ../linux-2.6.23.1/include/linux/cpumask.h:86,
                 from ../linux-2.6.23.1/include/asm/processor.h:22,
                 from ../linux-2.6.23.1/include/asm/atomic.h:5,
                 from /usr/include/linux/netfilter_ipv4/ip_conntrack.h:11,
                 from extensions/libipt_connlimit.c:9:
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_zero':
../linux-2.6.23.1/include/linux/bitmap.h:134: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h:134: error: (Each undeclared identifier is reported only once
../linux-2.6.23.1/include/linux/bitmap.h:134: error: for each function it appears in.)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_fill':
../linux-2.6.23.1/include/linux/bitmap.h:149: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_copy':
../linux-2.6.23.1/include/linux/bitmap.h:155: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_and':
../linux-2.6.23.1/include/linux/bitmap.h:166: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_or':
../linux-2.6.23.1/include/linux/bitmap.h:175: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_xor':
../linux-2.6.23.1/include/linux/bitmap.h:184: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_andnot':
../linux-2.6.23.1/include/linux/bitmap.h:193: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_complement':
../linux-2.6.23.1/include/linux/bitmap.h:202: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_equal':
../linux-2.6.23.1/include/linux/bitmap.h:211: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_intersects':
../linux-2.6.23.1/include/linux/bitmap.h:220: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_subset':
../linux-2.6.23.1/include/linux/bitmap.h:229: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_empty':
../linux-2.6.23.1/include/linux/bitmap.h:237: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_full':
../linux-2.6.23.1/include/linux/bitmap.h:245: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_weight':
../linux-2.6.23.1/include/linux/bitmap.h:253: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_shift_right':
../linux-2.6.23.1/include/linux/bitmap.h:261: error: `BITS_PER_LONG' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/bitmap.h: In function `bitmap_shift_left':
../linux-2.6.23.1/include/linux/bitmap.h:270: error: `BITS_PER_LONG' undeclared (first use in this function)
In file included from ../linux-2.6.23.1/include/asm/processor.h:22,
                 from ../linux-2.6.23.1/include/asm/atomic.h:5,
                 from /usr/include/linux/netfilter_ipv4/ip_conntrack.h:11,
                 from extensions/libipt_connlimit.c:9:
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:88: error: syntax error before "DECLARE_BITMAP"
../linux-2.6.23.1/include/linux/cpumask.h:89: error: syntax error before "_unused_cpumask_arg_"
../linux-2.6.23.1/include/linux/cpumask.h:92: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpu_set':
../linux-2.6.23.1/include/linux/cpumask.h:94: error: `cpu' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:94: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:98: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpu_clear':
../linux-2.6.23.1/include/linux/cpumask.h:100: error: `cpu' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:100: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:104: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_setall':
../linux-2.6.23.1/include/linux/cpumask.h:106: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:106: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:110: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_clear':
../linux-2.6.23.1/include/linux/cpumask.h:112: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:112: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:119: error: syntax error before "cpumask_t"
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpu_test_and_set':
../linux-2.6.23.1/include/linux/cpumask.h:121: error: `cpu' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:121: error: `addr' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:125: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_and':
../linux-2.6.23.1/include/linux/cpumask.h:128: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:128: error: `src1p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:128: error: `src2p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:128: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:132: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_or':
../linux-2.6.23.1/include/linux/cpumask.h:135: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:135: error: `src1p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:135: error: `src2p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:135: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:139: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_xor':
../linux-2.6.23.1/include/linux/cpumask.h:142: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:142: error: `src1p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:142: error: `src2p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:142: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:147: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_andnot':
../linux-2.6.23.1/include/linux/cpumask.h:150: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:150: error: `src1p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:150: error: `src2p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:150: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:154: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_complement':
../linux-2.6.23.1/include/linux/cpumask.h:157: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:157: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:157: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:161: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_equal':
../linux-2.6.23.1/include/linux/cpumask.h:164: error: `src1p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:164: error: `src2p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:164: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:168: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_intersects':
../linux-2.6.23.1/include/linux/cpumask.h:171: error: `src1p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:171: error: `src2p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:171: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:175: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_subset':
../linux-2.6.23.1/include/linux/cpumask.h:178: error: `src1p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:178: error: `src2p' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:178: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:182: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_empty':
../linux-2.6.23.1/include/linux/cpumask.h:184: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:184: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:188: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_full':
../linux-2.6.23.1/include/linux/cpumask.h:190: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:190: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:194: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_weight':
../linux-2.6.23.1/include/linux/cpumask.h:196: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:196: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:201: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_shift_right':
../linux-2.6.23.1/include/linux/cpumask.h:204: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:204: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:204: error: `n' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:204: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:209: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_shift_left':
../linux-2.6.23.1/include/linux/cpumask.h:212: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:212: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:212: error: `n' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:212: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:216: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h:218: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h:271: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpumask_scnprintf':
../linux-2.6.23.1/include/linux/cpumask.h:273: error: `buf' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:273: error: `len' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:273: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:273: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:279: error: syntax error before "cpumask_t"
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpumask_parse_user':
../linux-2.6.23.1/include/linux/cpumask.h:281: error: `buf' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:281: error: `len' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:281: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:281: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:287: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpulist_scnprintf':
../linux-2.6.23.1/include/linux/cpumask.h:289: error: `buf' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:289: error: `len' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:289: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:289: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:293: error: syntax error before "cpumask_t"
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpulist_parse':
../linux-2.6.23.1/include/linux/cpumask.h:295: error: `buf' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:295: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:295: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:301: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpu_remap':
../linux-2.6.23.1/include/linux/cpumask.h:303: error: `oldbit' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:303: error: `oldp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:303: error: `newp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:303: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:308: error: syntax error before '*' token
../linux-2.6.23.1/include/linux/cpumask.h: In function `__cpus_remap':
../linux-2.6.23.1/include/linux/cpumask.h:311: error: `dstp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:311: error: `srcp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:311: error: `oldp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:311: error: `newp' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h:311: error: `nbits' undeclared (first use in this function)
../linux-2.6.23.1/include/linux/cpumask.h: At top level:
../linux-2.6.23.1/include/linux/cpumask.h:380: error: syntax error before "cpu_possible_map"
../linux-2.6.23.1/include/linux/cpumask.h:381: error: syntax error before "cpu_online_map"
../linux-2.6.23.1/include/linux/cpumask.h:382: error: syntax error before "cpu_present_map"
../linux-2.6.23.1/include/linux/cpumask.h:403: error: syntax error before '*' token
In file included from ../linux-2.6.23.1/include/asm/atomic.h:5,
                 from /usr/include/linux/netfilter_ipv4/ip_conntrack.h:11,
                 from extensions/libipt_connlimit.c:9:
../linux-2.6.23.1/include/asm/processor.h:73: error: syntax error before "cpumask_t"
../linux-2.6.23.1/include/asm/processor.h:83: error: syntax error before '}' token
../linux-2.6.23.1/include/asm/processor.h:599: error: `cpuid' redeclared as different kind of symbol
../linux-2.6.23.1/include/asm/alternative.h:11: error: previous declaration of `cpuid'
make: *** [extensions/libipt_connlimit_sh.o] Error 1


^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown)
@ 2007-12-11 18:39 Ryan Rodriguez
  0 siblings, 0 replies; 21+ messages in thread
From: Ryan Rodriguez @ 2007-12-11 18:39 UTC (permalink / raw)
  To: netfilter

Mon Dec 10 17:53:00 CST 2007 0.56

^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2008-01-03 21:57 Joe Ruddy
  0 siblings, 0 replies; 21+ messages in thread
From: Joe Ruddy @ 2008-01-03 21:57 UTC (permalink / raw)
  To: netfilter

Hello,

We are moving to a Co-Location center and will need to forward all traffic
for all our IP to our new IP addresses.

As an example our block is 12.24.15.0/24

Our new block will be 54.64.18.0/24

If we have a webserver at 12.24.15.24 I would like all requests to
12.24.15.24 to be forwarded to 54.64.18.24 where the new machine will be
located.
If we have a mailserver at 12.24.15.19 I would like all requests to
12.24.15.19 to be forwarded to 54.64.18.19 where the new machine will be
located.

I add one rule ..."iptables -t nat -A PREROUTING -d 12.24.15.24 -j DNAT --to
54.64.18.24"

If I try to ssh or go to the website hosted there I get nothing.  I can see
that the requests arrive at 54.64.18.24 by looking at the logs.

Any ideas?

Thanks

Joe

Joe Ruddy
Director of Technology
Novapointe LLC
909-930-3062 x2738
jruddy@novapointe.com 

^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2008-01-05  5:34 Bikash Bhattarai
  0 siblings, 0 replies; 21+ messages in thread
From: Bikash Bhattarai @ 2008-01-05  5:34 UTC (permalink / raw)
  To: netfilter




^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2008-01-11 12:31 Videal ,)
  0 siblings, 0 replies; 21+ messages in thread
From: Videal ,) @ 2008-01-11 12:31 UTC (permalink / raw)
  To: netfilter

 unsubscribe netfilter

^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown)
@ 2008-03-07  8:06 Alberto Díez
  0 siblings, 0 replies; 21+ messages in thread
From: Alberto Díez @ 2008-03-07  8:06 UTC (permalink / raw)
  To: netfilter

hi!

I am trying to make use of a large number of rules
with iptables.

I have seen there are some optimizations referenced,
like nf-HiPAC (www.hipac.org) and iptables with
classifiers (www.geocities.com/hamidreza_jm), which
apparently can deal with thousands of rules (that's
what I need).

I want per-flow (orig addr, dst addr, orig port, dst
port, proto) filtering, that's why I don't think I can
use ipsets (or can I?).
I also would like to have the nice iptables features
like the mangle table and counters.

I don't really understand what conntrack does, or
if it can somehow help me (where is the nice
documentation about this?).

What is the netfilter preferred way to have a large
set of rules and still do packet filtering? Are
HiPAC, iptables with classifiers or any other
solution actual?

Is there a howto, manual, some kind of
documentation? All that I find about this is quite
old (3 years?) material in the mailing list... Is
this problem already solved? What was the solution
taken?

Well, if you could answer any of these questions I
would be very thankful.

Alberto Diez
 
      



^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2008-07-27  1:11 David Boulding
  0 siblings, 0 replies; 21+ messages in thread
From: David Boulding @ 2008-07-27  1:11 UTC (permalink / raw)
  To: netfilter

Hey all,

I'm developing with libnetfilter_queue, using "iptables -A FORWARD ." to
capture packets of interest on a bridge for analysis (firewall). 
I use nfq_get_payload() to grab everything from the IP layer and on, but I
was wondering if there was any way to get the raw MAC layer. 
Is there any command like nfq_get_payload() that will return everything
similar to what you would get using wireshark or ethereal?

Thanks,

Dave


^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown)
       [not found] <S1752389AbYJDKwq/20081004105246Z+121@vger.kernel.org>
@ 2008-10-04 11:20 ` Sebastian Seemann
  0 siblings, 0 replies; 21+ messages in thread
From: Sebastian Seemann @ 2008-10-04 11:20 UTC (permalink / raw)
  To: netfilter

Hi,

I would like to DROP all connections from IPs originating in a specified country. Of course, the geoip extension is a perfect fit for that. My question is what happens if I do this:

iptables -P INPUT DROP
iptables -A INPUT -m geoip ! --src-cc [country] -j ACCEPT

What happens if an IP is not found in the geoip-database, so it has no country-code at all? Is it accepted or not?
I would suppose it is accepted and, since I wanna be sure, would be thankful for a workaround simpler than adding every country in the world but the forbidden one.

Best Regards,
Sebastian

^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2008-10-31  7:14 Jianqing Zhang
  0 siblings, 0 replies; 21+ messages in thread
From: Jianqing Zhang @ 2008-10-31  7:14 UTC (permalink / raw)
  To: netfilter

I use iptables to filter incoming packets with some particular
protocols, such as ICMP, and the target is QUEUE.

=============================

Chain INPUT (policy ACCEPT)
target prot opt source destination
QUEUE icmp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

============================

How can I check the packets are filtered and put in the QUEUE?

Thanks

^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2008-12-09 12:14 Martin Spinassi
  0 siblings, 0 replies; 21+ messages in thread
From: Martin Spinassi @ 2008-12-09 12:14 UTC (permalink / raw)
  To: netfilter

subscribe netfilter


^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2009-01-02 19:29 Jorge Bastos - Decimal
  0 siblings, 0 replies; 21+ messages in thread
From: Jorge Bastos - Decimal @ 2009-01-02 19:29 UTC (permalink / raw)
  To: netfilter

help


^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown)
@ 2011-11-07 14:23 Tarak Ranjan
  0 siblings, 0 replies; 21+ messages in thread
From: Tarak Ranjan @ 2011-11-07 14:23 UTC (permalink / raw)
  To: horde, netfilter, mkettler_sa, openldap-technical,
	tarak.mukherjee, openldap-technical-request, samba


^ permalink raw reply	[flat|nested] 21+ messages in thread

* (unknown), 
@ 2017-08-11 22:09 Chris
  0 siblings, 0 replies; 21+ messages in thread
From: Chris @ 2017-08-11 22:09 UTC (permalink / raw)
  To: netfilter

All,

I'm using 4.4.0-89-generic #112-Ubuntu Kernel.

I've set up a bridge:

bridge name        bridge id                STP enabled        interfaces
br0                8000.00322e111b2        no                enp3s0
                                                        vnet0

Why is it possible to DROP packages from a KVM guest on the host INPUT
chain, but not to LOG them?

I've not loaded any bridge-nf modules. bridge/nf_call_iptables is 0.

- Chris



^ permalink raw reply	[flat|nested] 21+ messages in thread
