Home page logo

nanog logo nanog mailing list archives

Re: VRF/MPLS on Linux
From: Jared Mauch <jared () puck nether net>
Date: Wed, 24 Aug 2011 10:28:21 -0400

On Aug 24, 2011, at 6:06 AM, Brian Raaen wrote:

The only issue with this is that the Linux box is not acting as a router, but as the egress devices.  I'm trying to 
figure out how to properly get my application to 'color' the traffic.  standard BSD sockets appear to have no concept 
of 'Labels'.  Still seeing what I can do to match the traffic.  I am probably going to see if I can work out a hack 
with the development team to use DSCP values to tag the traffic and then act accordingly on the ingress router.  I 
appreciate all the ideas presented so far.                                   

You can classify this in the OUTPUT or POSTROUTING table with ipchains.  Take a look at the man page for it.  There's 
lots of information online about how to do this.  I recall a sysadmin who I worked with 15 years ago that thought of 
routers as the black boxes that got their packets around, but a little bit of understanding of these lower levels of 
the kernel/networks will go a long way.

Some help:

INPUT (for packets destined to local sockets)
FORWARD (for packets being routed through the box)
OUTPUT (for locally-generated packets; for altering locally-generated packets before routing)
PREROUTING (for altering packets as soon as they come in)
POSTROUTING (for altering packets as they are about to go out)

http://linux-ip.net/html/adv-multi-internet.html should also prove useful in your research.  You likely are going to 
end up using the localhost fwmark/mark.  Some tools show this number in hex, others decimal, so keep this in mind 
during your debug process.

- Jared

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]