Re: NM and IETF MIF working group
- From: Xen <list xenhideout nl>
- To: networkmanager-list gnome org
- Subject: Re: NM and IETF MIF working group
- Date: Mon, 28 Sep 2015 13:11:48 +0200 (CEST)
Just want to say that I have been trying (in OpenSUSE) to get a rather
simple scenario working, but failed, probably due to kernel mechanics:
- main connection receives all traffic destined for port 80, 443.
- VPN receives all else.
I just consider it a more special case of directing VPN traffic to only
the VPN network (no forwarding/routing at the end node).
It required a few simple steps:
- tag (SYN) packages for 80,443 with a mark
- use the fwmark as an iproute rule
- the rule sends the traffic to a different routing table
Unfortunately although the routing seems to work, the traffic gets
returned but not progressed by the kernel apparently due to some blocking
or safety measure. I could not get around it, though I tried everything I
could find on the web.
A fourth step that may be required is:
- snat the outgoing packages to match the interface they are now sent out
on (meaning to match its ip address) such that a reverse route will
coincide with the outgoing route that the kernel/routing system has chosen
for the outgoing packets.
I thought it was going to be a simple thing to setup and though I spent
easily 4-5 hours on it, I could not get it to work.
Perhaps if this seems an interesting or important use case, someone who is
more knowledgeable than me could look into it? It seems rather... that it
would look really bad on Linux if this common use case is a near
impossibility due to kernel mechanics or security measures, or whatever
else is causing it. Not sure how else to phrase it. I mean that it would
not be a selling point, that sort of stuff.
You could even integrate it into NM if it did work. "Route only selected
ports over this VPN" or "Route everything except selected ports over this
VPN". Would really be awesome.
Just wanted to say that.
Regards, Bart.
On Mon, 28 Sep 2015, David Woodhouse wrote:
On Mon, 2015-09-07 at 12:05 +0200, Stjepan Groš wrote:
Two colleagues of mine and I started to work on MIF implementation on
Fedora. In case someone doesn't know, IETF MIF working group (
https://datatracker.ietf.org/wg/mif/charter/) tries to solve the
problems of a single node having multiple parallel connections to
different destinations (Internet, VPN, some private networks, etc.).
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]