Re: NM and IETF MIF working group

From: Xen <list xenhideout nl>
To: networkmanager-list gnome org
Subject: Re: NM and IETF MIF working group
Date: Mon, 28 Sep 2015 13:11:48 +0200 (CEST)

Just want to say that I have been trying (in OpenSUSE) to get a rathersimple scenario working, but failed, probably due to kernel mechanics:


- main connection receives all traffic destined for port 80, 443.
- VPN receives all else.

I just consider it a more special case of directing VPN traffic to onlythe VPN network (no forwarding/routing at the end node).


It required a few simple steps:
- tag (SYN) packages for 80,443 with a mark
- use the fwmark as an iproute rule
- the rule sends the traffic to a different routing table

Unfortunately although the routing seems to work, the traffic getsreturned but not progressed by the kernel apparently due to some blockingor safety measure. I could not get around it, though I tried everything Icould find on the web.


A fourth step that may be required is:

- snat the outgoing packages to match the interface they are now sent outon (meaning to match its ip address) such that a reverse route willcoincide with the outgoing route that the kernel/routing system has chosenfor the outgoing packets.

I thought it was going to be a simple thing to setup and though I spenteasily 4-5 hours on it, I could not get it to work.

Perhaps if this seems an interesting or important use case, someone who ismore knowledgeable than me could look into it? It seems rather... that itwould look really bad on Linux if this common use case is a nearimpossibility due to kernel mechanics or security measures, or whateverelse is causing it. Not sure how else to phrase it. I mean that it wouldnot be a selling point, that sort of stuff.

You could even integrate it into NM if it did work. "Route only selectedports over this VPN" or "Route everything except selected ports over thisVPN". Would really be awesome.


Just wanted to say that.

Regards, Bart.


On Mon, 28 Sep 2015, David Woodhouse wrote:

On Mon, 2015-09-07 at 12:05 +0200, Stjepan Groš wrote:


Two colleagues of mine and I started to work on MIF implementation on
Fedora. In case someone doesn't know, IETF MIF working group (
https://datatracker.ietf.org/wg/mif/charter/) tries to solve the
problems of a single node having multiple parallel connections to
different destinations (Internet, VPN, some private networks, etc.).

References:
- NM and IETF MIF working group
  - From: Stjepan Groš
- Re: NM and IETF MIF working group
  - From: David Woodhouse

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]