Comments:
<0> how can i see my rules in the mangle table?
<0> never mind
<0> got it
<1> where is the best place to talk ipv6 issues?
<2> if they're not netfilter-related, #ipv6
<3> can I loadbalance tcp connections with netfilter? and could I set some kind of affinity/persistence (keep state?)?
<1> I need to NAT ipv4 addresses into ipv6 addresses. :)
<1> source and destination addresses.
<1> how do you nat ipv4 traffic on one interface into ipv6 traffic out another interface?
<4> s34n: you need a proxy, either a simple tcp proxy or a "l7" proxy like squid
<1> I've seen examples that look like that they use |route| to add prefixes to ip addresses.
<5> Hi, I need help with layer7 and iptables. Can anyone help me?
<5> hello?
<6> Tosta: simply ask your question. If anyone knows they will help
<5> I'm getting a segfault with ipt_layer7.so ...
<5> I have a strace output
<6> Tosta: Can you post the strace on the web and give a link ?
<5> yes... please wait
<5> http://www.tosta.com.br/l7-strace.txt
<5> ipt_layer7.ko module loads without any warnings.
<6> Tosta: It seems beyond my scope. Hope someone looks into your strace and suggests something
<5> Hum... it's strange. I was rebuilt last Fedora kernel with layer7 patches and module loads fine. Later I was built iptables with layer7 extension without any warning too. But it don't work.
<2> anyone know what "kernel: ASSERT: CPU #0, filter comefrom(f8bb3090) = 2" is? I get it when running ip6tables-restore on 2.6.16-rc3
<7> good evening everyone
<8> gug
<9> gug
<10> gug
<11> gug
<12> gug
<13> hello all...im trying to use -m string but im getting the following error: iptables: No chain/target/match by that name when I try to add this: iptables -A FORWARD -s 192.168.1.31 -p tcp -m string --string 'msn' -o eth2 -j REJECT. when I type this: iptables -m string -help, I get STRING match v1.3.3 options - --string [!] string Match a string in a packet....what im doing wrong ?
<12> lzsilva, try to run: modprobe -l | grep string
<12> what does it print ?
<13> nothing....I have one /lib/iptables/libipt_string.so
<12> yeah so you are missing the kernel module then
<12> it should have one line with ipt_string.ko
<12> or similar
<12> (you need both libipt_xxx.so and ipt_xxx.ko (or .o for 2.4) for it to work
<13> hmmm....ok...i need the patch-o-matic-ng....right ?
<12> or.. unless you compiled it into the kernel
<12> possibly yeah
<13> ok xkr47...thanks a lot !!
<12> :)
<14> hi
<14> if I want all my tcp packet use a specific source port (or port range), do I use the SNAT target with --to in postrouting?
<15> yeah
<14> I tried something like iptables -A POSTROUTING -t nat -o eth0 -p tcp -j SNAT --to 10.2.2.5:1234 (local ip is 10.2.2.5)
<14> It seems not to be that :\
<14> I don't even see anything with tcpdump
<14> pebkac for sure but.. :)
<15> btw, why the hell you should want that?
<14> for fun :)
<15> and you CAN'T snat ALL traffic like that
<9> LaF0rge: I wonder if the stuck packets in nfnetlink_queue could possibly in some way be related to what I observed when I patched the old ctnetlink code to perform tuple based lookup. I used that in a identd daemon in order to proxy ident-requests. I wrote a small test-program that just performed lookups of a specific tuple in conntrack in a tight loop.
<9> LaF0rge: it ran fine when I ran one copy of the testprogram, but when I ran two it would run fine for a few minutes, up to an hour and then both processes would stop running, just sitting there waiting for the responses from ctnetlink
<9> LaF0rge: they could sit there for hours without any one of them receiving the reply it was waiting for
<14> arturaz: hmm ok
<9> LaF0rge: and there's the weird thing... if I killed _one_ of the two processes running the testprogram, the _other_ process would receive the reply it had been waiting for so long and continue looping as if nothing had happened
<15> fosco, imagine 2 ESTABLISHED connection originating from same port..
<9> LaF0rge: then I could start up the second copy (recently killed) of the testprogram again and they would both loop just fine until it would deadlock again
<14> fatal
<9> LaF0rge: this was an 2way SMP machine running two processes generating about 110.000/s requests each
<9> LaF0rge: I remember that I didn't investigate it very much, all my attempts to add some logging slowed things down enough to make it really hard to reproduce the problem
<14> and in fact it works for the first connection
<9> fosco: you mean the first connection to the same destination ip and destination port?
<9> that should work yes, but not the second
<14> arturaz: yep
<15> what's yep?
<14> yes
<11> gug
<8> re
<8> gandalf: just reading the backlog
<8> gandalf: bug 404 (stuck packets) has vanished
<8> gandalf: the original reporter can't reproduce it with current svn library versions anymore
<8> gandalf: neither can I trigger it
<8> btw: is there a libnetfilter_conntrack supporting identd available somewhere?
<9> LaF0rge: not that I know of, oidentd should be easy to modify, that's the one I added ctnetlink support to in the "old days"
<9> LaF0rge: it has very simple code
<9> LaF0rge: I still have that code in production, it works great
<9> LaF0rge: I should rewrite the testprogram to use libnetfilter_conntrack and see if I still get the same problem, I probably won't but it would be good to test
<8> yes, testing is always good
<12> evening all
<10> hello
<12> how are we today?
<10> in one word: fine
<10> a little more detailed answer: not so fine :)
<10> SIP is not good for your health
<12> :P
<10> the more phones, clients, softswitches, etc. I try the more convinced I am that it's horrible :)
<12> :)
<10> today's top-notch client was MSN Messenger
<12> weeh
<10> needless to say how impressed I was ;)
<12> "finally someone understood the specs correctly and did a reference implementation"
<10> it's so, so, so, so buggy
<16> who
<12> it's strange how they never test their products
<12> jengelh, me
<12> :)
<16> <Hidden:#netfilter> it's so, so, so, so buggy
<16> no, that one :)
<12> I could be an "it", couldn't I ?-)
<16> woha, -257 seconds time offset
<10> xkr47: :)
<10> xkr47: "It's every man's right to have babies if he wants them."
<12> jengelh, so what time zone does that make you in ?-)
<12> hidden, nice analogy :)
<10> xkr47: that sentence somehow reminded me of the Monty Python classic "Life of Brian"
<10> xkr47: the part when Stan announces to the others that he wants to be a woman
<12> LaF0rge, good luck and hope it doesn't mess up your partition tables.. :P
<12> hidden :)
<8> xkr: mac-fdisk is a broken piece of non-64bit clean code
<10> xkr47: and that quote is his next sentence after the announcement :)
<10> LaF0rge: one of my workmates has just been installing a failover cluster consisting of a sparc64 and an amd64 firewall plus an additional i386 management machine
<12> LaF0rge & Hidden :)
<10> LaF0rge: the results were almost catastrophic
<12> heh
<10> LaF0rge: heartbeat does not work at all between the two fw nodes unless you use CRC as the "authentication" method
<10> all the others are endianness-sensitive...
<8> hidden: lol
<10> he also had some problems with openvpn
<9> Hidden: do you have an experience with vrrp or ucarp with linux?
<10> Gandalf_: not really, we usually use heartbeat with zorp
<10> Gandalf_: I've only used keepalived for my ct_sync playground
<9> Hidden: ok
<10> Gandalf_: but that was a long time ago...
<10> btw, heartbeat 2 is quite nice
<10> at least at a conceptual level
<10> it's finally possible to create a CLUSTERIP-based system with heartbeat
<8> great, a mixture of gentoo and debian patches does the trick
<10> LaF0rge: :)
<8> anyway I think I'd rather order another sata drive
<12> hehe
<8> "if you see liquid, unplug the computer and consult manual"
<8> boah, this beast compiles fast
<12> no risk of falling asleep while waiting .)
<17> LaF0rge: G5?
<8> jk: yes, just got my quad core
<8> so far I haven't even managed to get any self-compiled kernel to run
<8> now trying paulus' tree
<8> mh, in paulus' tree even his own windfarm_pm112 driver doesn't compile without missing symbols
<8> nope, and current powerpc.git also doesn't boot :(
<17> argh
<17> it's still early over here, benh/paulus should be online soonish :)
<8> mh, and I'll be in bed soon. anyway, I have more pressing issues than this new toy
<10> gub, I'm going to bed :)
<8> gub hidden