[Planetlab-users] Summary of virtual-network related issues
Giovanni Di Stasi
gdistasi at gmail.com
Tue Jul 15 07:22:54 EDT 2008
On Friday 11 July 2008 15:36:30 Sapan Bhatia wrote:
> Hi,
>
> This is just to let everyone who's complained about tcpdump not
> working as expected know of the timeline for a solution to their
> problem. If there's a deadline coming up for which you'd like any of
> these accelerated, then please let me know. I'm hopeful that we'll be
> able to resolve this set of issues in the next couple of days.
>
> [TODO]
>
> * TCP payloads for accept()ed sockets don't show up in tcpdump, even
> though headers do
> * TCP-related ICMP-error messages don't show up on nodes
>
> [Already tagged the next RC]
>
> * TCP handshakes don't show up in tcpdump
> [checked in a vsys module for slices that need this functionality]
> * TUN/TAP support
>
>
> Sapan
>
Hi Sapan,
we're still having issues with the mark of packets (the mark that says to
which sliver packets belong). This marking seems to be working only for
filtering purposes: iptables rules that DROP, ACCEPT, etc. packets of a
specific sliver work as expected.
Things do not work as expected when trying to route packets depending on the
mark. Rules like the following, which specify that packets marked with the id
of the sliver must be routed according to the rules of my_own_table, do not
work:
ip rule add fwmark `id -u sliverA` table my_own_table
Oddly enough, if we use iptables to mark packets again, things almost work. We
used this rule to capture packets belonging to a sliver and mark them
again:
iptables -t mangle -A OUTPUT -m mark --mark `id -u sliverA` -j MARK --set-mark 660
But here's the thing: you have to use a different mark (if you try to mark
again with the slice id the trick doesn't work).
Another way for us to do the same thing is to use the "owner" module of
iptables. With that module we capture packets of the sliver and then mark
them:
iptables -t mangle -A OUTPUT -m owner --uid-owner `id -u sliverA` -j MARK --set-mark 550
Even in this case you can't use the id of the slice to mark packets.
We didn't manage to understand what the problem is: we suspect the
new --copy-xid target of iptables (could it be that it doesn't fill in
properly all the involved kernel structures, so the netfilter part of the
kernel recognizes the mark and the kernel code that deals with the routing
doesn't?). We have been stuck on this problem for a while, so any hint is
very appreciated. Thanks.
--
Giovanni Di Stasi, Junior Researcher
Dipartimento di Informatica e Sistemistica
Università degli Studi di Napoli "Federico II"
Via Claudio, 21 - 80125 Napoli - Italy
Phone: +39 081 7683821
Fax: +39 081 7683816
E-mail: giovanni.distasi at unina.it
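As an added example (not from the thread or PlanetLab's own code), here is the owner-based marking plus policy-routing setup Giovanni describes, wrapped in a script that prints the commands for review and checks them against `ip rule show` output. The uid 2001, the mark 660 and the sample rule listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Per-sliver policy routing keyed on a netfilter mark, as discussed above.
# Commands are printed rather than executed so they can be reviewed before
# being run as root on a node.
set -eu

# Mangle rule: re-mark traffic owned by a uid. The thread reports that
# re-using the slice uid as the mark did not work, so a distinct mark is used.
owner_mark_rule() {  # $1=uid $2=mark
    printf 'iptables -t mangle -A OUTPUT -m owner --uid-owner %s -j MARK --set-mark %s\n' "$1" "$2"
}

# Policy-routing rule: send traffic carrying the mark to its own table.
fwmark_rule() {  # $1=mark $2=table
    printf 'ip rule add fwmark %s table %s\n' "$1" "$2"
}

# `ip rule show` prints marks in hex ("fwmark 0x294" for 660), so a check that
# greps for the decimal value silently fails. Normalise before comparing.
to_hex() { printf '0x%x' "$1"; }

# Succeed if the listing ($1, text of `ip rule show`) has a fwmark rule for
# mark $2 that looks up table $3.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark $(to_hex "$2") .*lookup $3"
}

# Constructed sample of what `ip rule show` prints once the rule is in place.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x294 lookup my_own_table
32766:  from all lookup main
32767:  from all lookup default'

# Print the setup for one sliver and verify the routing rule is present.
setup_and_check() {  # $1=uid $2=mark $3=table
    owner_mark_rule "$1" "$2"
    fwmark_rule "$2" "$3"
    if has_fwmark_rule "$SAMPLE_RULES" "$2" "$3"; then
        echo "ok: fwmark $2 -> table $3 present"
    else
        echo "missing: fwmark $2 -> table $3" >&2
        return 1
    fi
}

setup_and_check 2001 660 my_own_table
```

On a real node, replace SAMPLE_RULES with `$(ip rule show)` and pipe the printed commands into sh once they look right.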