
List:       netfilter
Subject:    Re: How are tunneled interfaces masqueraded?
From:       Pascal Hambourg <pascal () plouf ! fr ! eu ! org>
Date:       2015-07-02 21:42:38
Message-ID: 5595B04E.2050801 () plouf ! fr ! eu ! org

Glen Huang wrote:
> Hi,
> 
> If I masquerade a pppoe interface that connects a host to its ISP,

Which interface exactly?
There are two network interfaces involved in a PPPoE connection: the
ethernet interface (eth?) transmitting and receiving the encapsulating
PPPoE frames and the PPP interface (ppp?) transmitting and receiving the
encapsulated IP packets (or any other network protocol negotiated with a
NCP) of the PPP session.

> and although ethernet frames encapsulating ppp frames travel through
> this interface, netfilter digs into the ppp frames and translates the
> encapsulated IP packets. Is this correct?

If you masquerade packets going out the PPP interface ppp?, netfilter
does not have to dig into anything: the packets are plain IP packets,
so they are passed to iptables.

If you masquerade packets going out the ethernet interface eth?, the
packets are PPPoE frames, not IP packets, so netfilter will usually not
see them. The exception is if the ethernet interface is part of a
bridge, CONFIG_BRIDGE_NETFILTER is enabled in the kernel and the sysctls
net.bridge.bridge-nf-filter-pppoe-tagged and
net.bridge.bridge-nf-call-iptables are enabled. Then netfilter digs into
the PPPoE frames and passes the encapsulated IP packets to iptables.
Besides, I suspect that if the PPPoE frames are locally generated (i.e.
not bridged), the encapsulated IP packets have already been seen by
iptables POSTROUTING chain at the IP layer and had the opportunity to be
masqueraded, so another IP masquerading at the bridge layer is not possible.

> If so, what about the case where the ppp interface is tunneled?
> Let's take pptp for an example. If a ppp interface is created with pppd,
> then tunneled through GRE by pptpd, and i masquerade that ppp interface,
> as outbound packets travel through it, what packets are translated?
> The ones that travel in the virtual ppp interface or the ones that are
> generated by pptpd and get sent to the outside world?

The ones that travel through the PPP interface of course.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
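To make the layering in this reply concrete, here is an added example (not code from Pascal Hambourg, the netfilter project, or this list) that models the two cases he describes. It builds a constructed IPv4 packet, wraps it in a PPPoE session frame the way it would appear on the eth? interface, and then shows that an observer on the PPP interface sees a plain IP packet, while an observer on the Ethernet interface sees IP only if it digs through the PPPoE and PPP headers (the path bridge-nf-filter-pppoe-tagged enables). The `ip_packet_visible_to_iptables` and `masquerade_src` helpers are assumptions for illustration: the first is a simplified model of netfilter's behaviour, and the second performs only the IP-header part of MASQUERADE (source rewrite plus header checksum), leaving out conntrack, port mapping and the transport-layer checksum.

```python
"""Where netfilter sees IP inside PPPoE: a toy model over constructed frames (not real captures)."""
import struct
import ipaddress

ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage EtherType (RFC 2516)
PPP_PROTO_IPV4 = 0x0021            # PPP protocol number carrying IPv4
PPPOE_VER_TYPE = 0x11              # PPPoE version 1, type 1
PPPOE_CODE_SESSION = 0x00          # code 0 = session data


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int = 17, payload: bytes = b"") -> bytes:
    """Constructed IPv4 packet: 20-byte header without options, TTL 64, DF set."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4_packet(pkt: bytes) -> dict:
    """Decode the IPv4 header and verify its checksum; raise on anything that is not IPv4."""
    vihl, _, total_len, _, _, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    hdr = pkt[:ihl]
    if ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) != csum:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "len": total_len}


def build_pppoe_session_frame(dst_mac: bytes, src_mac: bytes, session_id: int, ip_packet: bytes) -> bytes:
    """Ethernet frame as seen on eth?: Ethernet header, PPPoE session header, PPP protocol, IPv4."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, PPPOE_CODE_SESSION, session_id, len(ppp))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe + ppp


def unwrap_pppoe_session_frame(frame: bytes) -> bytes:
    """Dig through Ethernet + PPPoE + PPP headers and return the encapsulated IPv4 packet."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame (EtherType 0x%04x)" % ethertype)
    ver_type, code, _session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("unsupported PPPoE header")
    ppp = frame[20:20 + length]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    if ppp_proto != PPP_PROTO_IPV4:
        raise ValueError("PPP payload is not IPv4 (protocol 0x%04x)" % ppp_proto)
    return ppp[2:]


def masquerade_src(ip_packet: bytes, new_src: str) -> bytes:
    """IP-header part of MASQUERADE only (assumed helper): rewrite source, fix header checksum."""
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr = bytearray(ip_packet[:ihl])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + ip_packet[ihl:]


def ip_packet_visible_to_iptables(interface_kind: str, data: bytes, bridge_nf_pppoe: bool = False):
    """Simplified model (assumption, not kernel code) of the reply's two cases.

    'ppp': data is already a plain IP packet, so iptables sees it as-is.
    'eth': data is a PPPoE frame; iptables sees nothing unless the bridge-nf
           PPPoE path (bridge-nf-filter-pppoe-tagged + bridge-nf-call-iptables) digs in.
    """
    if interface_kind == "ppp":
        return parse_ipv4_packet(data)
    if interface_kind == "eth":
        if not bridge_nf_pppoe:
            return None
        return parse_ipv4_packet(unwrap_pppoe_session_frame(data))
    raise ValueError("unknown interface kind %r" % interface_kind)


if __name__ == "__main__":
    # Constructed sample: a LAN host (RFC 1918 address) sending to a documentation-range address.
    inner = build_ipv4_packet("192.168.1.10", "203.0.113.5", payload=b"hi")
    frame = build_pppoe_session_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x1234, inner)
    print("on ppp?:", ip_packet_visible_to_iptables("ppp", inner))
    print("on eth? (no bridge-nf):", ip_packet_visible_to_iptables("eth", frame))
    print("on eth? (bridge-nf pppoe):", ip_packet_visible_to_iptables("eth", frame, bridge_nf_pppoe=True))
    print("after IP-layer masquerade:", parse_ipv4_packet(masquerade_src(inner, "198.51.100.7")))
```

The point the model makes is the one in the reply: a MASQUERADE rule matched on `-o ppp0` operates on the inner IP packet before pppd hands it to the PPPoE layer, so by the time the frame reaches eth? the translation has already happened, and there is nothing at the Ethernet layer for a second masquerade to do.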