Re: NM and IETF MIF working group

Just want to say that I have been trying (in OpenSUSE) to get a rather simple scenario working, but failed, probably due to kernel mechanics:

- main connection receives all traffic destined for port 80, 443.
- VPN receives all else.

I just consider it a more special case of directing VPN traffic to only the VPN network (no forwarding/routing at the end node).

It required a few simple steps:
- tag (SYN) packages for 80,443 with a mark
- use the fwmark as an iproute rule
- the rule sends the traffic to a different routing table

Unfortunately although the routing seems to work, the traffic gets returned but not progressed by the kernel apparently due to some blocking or safety measure. I could not get around it, though I tried everything I could find on the web.

A fourth step that may be required is:
- snat the outgoing packages to match the interface they are now sent out on (meaning to match its ip address) such that a reverse route will coincide with the outgoing route that the kernel/routing system has chosen for the outgoing packets.

I thought it was going to be a simple thing to setup and though I spent easily 4-5 hours on it, I could not get it to work.

Perhaps if this seems an interesting or important use case, someone who is more knowledgeable than me could look into it? It seems rather... that it would look really bad on Linux if this common use case is a near impossibility due to kernel mechanics or security measures, or whatever else is causing it. Not sure how else to phrase it. I mean that it would not be a selling point, that sort of stuff.

You could even integrate it into NM if it did work. "Route only selected ports over this VPN" or "Route everything except selected ports over this VPN". Would really be awesome.

Just wanted to say that.

Regards, Bart.
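The four steps listed in the mail above, written out as an added example (these are not Bart's commands; interface names, addresses, table id and mark value are assumptions), together with the two pieces a practitioner would most likely need on top of them: CONNMARK so the mark follows every packet of the flow rather than only the SYN, and loose reverse-path filtering, which is one plausible reading of the "safety measure" the mail describes but which the mail itself does not identify.

```bash
#!/bin/sh
# Added example: emit the ip/iptables commands for "TCP 80/443 via the main
# uplink, everything else via the VPN default route". Names and values below
# are assumptions; override them from the environment to match a real host.
MAIN_IF=${MAIN_IF:-eth0}          # physical uplink (assumed name)
MAIN_IP=${MAIN_IP:-192.0.2.10}    # its address, used as SNAT source (doc range)
MAIN_GW=${MAIN_GW:-192.0.2.1}     # its gateway (assumed)
TABLE=${TABLE:-100}               # alternate routing table id (assumed)
MARK=${MARK:-0x1}                 # fwmark value (assumed)

policy_route_cmds() {
  # Alternate table: marked traffic goes straight to the uplink's gateway.
  echo "ip route add default via $MAIN_GW dev $MAIN_IF table $TABLE"
  # Step 2/3 of the mail: fwmark selects the alternate table.
  echo "ip rule add fwmark $MARK table $TABLE"
  # Step 1, extended: restore a saved mark first, mark only NEW connections
  # to 80/443, then save the mark on the conntrack entry so later packets of
  # the same flow (not just the SYN) keep following the uplink route.
  echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
  echo "iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT"
  for port in 80 443; do
    echo "iptables -t mangle -A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j MARK --set-mark $MARK"
  done
  echo "iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark"
  # Step 4: the socket already picked the VPN address as source before the
  # re-route, so rewrite it to the uplink's address or replies never return.
  echo "iptables -t nat -A POSTROUTING -o $MAIN_IF -m mark --mark $MARK -j SNAT --to-source $MAIN_IP"
  # Likely "safety measure": strict rp_filter (1) drops replies arriving on the
  # uplink because the main table would route that peer via the VPN; loose
  # mode (2) accepts them as long as some table has a route back.
  echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
  echo "sysctl -w net.ipv4.conf.$MAIN_IF.rp_filter=2"
}

# Print the plan by default; APPLY=1 executes it (needs root).
if [ "${APPLY:-0}" = 1 ]; then
  policy_route_cmds | while IFS= read -r cmd; do sh -c "$cmd"; done
else
  policy_route_cmds
fi
```

Run without APPLY first and compare the emitted commands against the host's existing rules; the mangle rules must come before any other OUTPUT mangle rules that ACCEPT.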

On Mon, 28 Sep 2015, David Woodhouse wrote:

On Mon, 2015-09-07 at 12:05 +0200, Stjepan Groš wrote:

Two colleagues of mine and I started to work on MIF implementation on
Fedora. In case someone doesn't know, IETF MIF working group ( tries to solve the
problems of a single node having multiple parallel connections to
different destinations (Internet, VPN, some private networks, etc.).

