Bug 868391
Summary: | xl2tpd sends response packets from wrong IP address | |
---|---|---|---
Product: | [Fedora] Fedora EPEL | Reporter: | James Moore <jtmoore>
Component: | xl2tpd | Assignee: | Paul Wouters <pwouters>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | high | Docs Contact: |
Priority: | unspecified | |
Version: | el5 | CC: | bbs2web, pwouters, timur
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i686 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | xl2tpd-1.3.6-1.el6 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-05-21 23:27:23 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
James Moore
2012-10-19 17:29:10 UTC
I'll look into this. I think it would be good enough for you if xl2tpd answers using the IP it was contacted at. Is that correct?

Paul

Yes, you are correct. I just need the response to always come from the same IP that was contacted without having to specify the listen-addr in the config. Thanks for looking into it.

This problem is common to most stateless connections utilising UDP. It would be great if Paul could submit a patch to get xl2tpd to simply originate responses using the same IPs that requests arrived on.

I am currently overcoming this problem by logging connection requests and running a simple script every 2 minutes to add routing rules, which then results in the kernel sending UDP response packets using that device's IP address. The original purpose was to handle multiple concurrent SIP (VoIP) registrations on a multihomed system but it also works on L2TP tunnels.

NB: This can not handle multiple concurrent connections on a multihomed system where the originating IP is the same.

Firewall rules:

```sh
# Log every new inbound L2TP (UDP/1701) request with its source IP and ingress interface, then accept it
iptables -A INPUT -m state --state NEW -p udp --dport 1701 -j LOG --log-prefix "routeme:"
iptables -A INPUT -m state --state NEW -p udp --dport 1701 -j ACCEPT
```

/etc/cron.2minutes/udp-router:

```sh
#!/bin/sh
# Pin a host route for every recent UDP/1701 peer to the interface its request
# arrived on, so the kernel sources replies from that interface's address.

set_route () {
    [ -z "$dev" ] && return
    # Only act on plain dotted-quad addresses
    echo "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return
    # Drop a stale host route that points at a different interface
    if route -n | grep "^$ip " | grep -qv "$dev$"; then
        route del -host "$ip"
    fi
    route add -host "$ip" dev "$dev" 2> /dev/null
}

# Find firewall log entries that match 'routeme:' and add a route via the last interface:
ips=$(tail -n 10000 /var/log/messages | grep 'routeme:' \
      | perl -pe 's/.*SRC=(\d{1,3}(\.\d{1,3}){3}).*/\1/' | sort -u)
for ip in $ips; do
    dev=$(tail -n 10000 /var/log/messages | grep "routeme:.*SRC=$ip " \
          | perl -pe 's/.*IN=(\S+).*/\1/' | tail -n 1)
    set_route
done
```

David, that's an interesting approach. I'm surprised it works though. How do the firewall and application on the other side of the connection recognize the response from a different IP address?

David, I get it now, it forces the packet out the interface with the IP that the connection arrived on. This probably wouldn't work with IPsec in netkey mode though, since the kernel wouldn't know that the packet belonged to an IPsec connection.

I've started work on porting this from recvfrom() to recvfromto().

I hit the same problem with xl2tpd 1.3.1 on Debian and was wondering - was there any progress on this bug?

It seems that development of xl2tpd has now moved to https://github.com/xelerance/xl2tpd

xl2tpd-1.3.6-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/xl2tpd-1.3.6-1.fc20

xl2tpd-1.3.6-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/xl2tpd-1.3.6-1.fc19

xl2tpd-1.3.6-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/xl2tpd-1.3.6-1.el6

Package xl2tpd-1.3.6-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xl2tpd-1.3.6-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6347/xl2tpd-1.3.6-1.fc19
then log in and leave karma (feedback).

xl2tpd-1.3.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

xl2tpd-1.3.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

xl2tpd-1.3.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
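The bug the thread is about, reduced to a runnable example. This is added illustration code, not xl2tpd's source and not the recvfromto() change Paul refers to; it shows the same idea on Linux with IP_PKTINFO. A UDP socket bound to 0.0.0.0 replies with whatever source address the routing table prefers for the peer, not the address the request was sent to. Asking the kernel for the destination address on receive (recvmsg with IP_PKTINFO, ipi_addr) and handing it back on send (sendmsg with ipi_spec_dst) fixes that without a listen-addr or a host route. The function names (recv_with_dst, send_from, udp_echo_source) and the use of 127.0.0.2 as the "other" local address are my choices; 127.0.0.2 works because Linux puts all of 127/8 on lo.

```c
// Added example (not from xl2tpd): reply from the address a UDP request
// arrived on, using IP_PKTINFO on Linux. Helper names are this example's own.
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Read one datagram and also record the address it was sent TO, which a
 * plain recvfrom() discards. Needs IP_PKTINFO enabled on the socket. */
static ssize_t recv_with_dst(int fd, char *buf, size_t len,
                             struct sockaddr_in *peer, struct in_addr *dst)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = {
        .msg_name = peer, .msg_namelen = sizeof *peer,
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof cbuf,
    };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return n;
    dst->s_addr = htonl(INADDR_ANY);
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;   /* daddr from the IP header, not a routing choice */
        }
    return n;
}

/* Send a datagram with its source address forced to src (ipi_spec_dst). */
static ssize_t send_from(int fd, const void *buf, size_t len,
                         const struct sockaddr_in *peer, struct in_addr src)
{
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    memset(cbuf, 0, sizeof cbuf);
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = {
        .msg_name = (void *)peer, .msg_namelen = sizeof *peer,
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof cbuf,
    };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo pi = { .ipi_ifindex = 0, .ipi_spec_dst = src };
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return sendmsg(fd, &msg, 0);
}

/* Server bound to 0.0.0.0; a client on 127.0.0.1 contacts it at 127.0.0.2.
 * Writes the source address the client sees on the reply into out.
 * fix=0 reproduces the bug (plain sendto); fix=1 answers from the contacted address. */
static int udp_echo_source(int fix, char *out, size_t outlen)
{
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    if (srv < 0 || cli < 0) return -1;
    int one = 1;
    struct timeval tv = { .tv_sec = 2 };          /* never hang on a lost datagram */
    setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &one, sizeof one);
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    struct sockaddr_in any = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY) };
    struct sockaddr_in lo1 = { .sin_family = AF_INET };
    inet_pton(AF_INET, "127.0.0.1", &lo1.sin_addr);
    if (bind(srv, (struct sockaddr *)&any, sizeof any) < 0 ||
        bind(cli, (struct sockaddr *)&lo1, sizeof lo1) < 0) goto fail;

    /* learn the server's ephemeral port, then contact it on the second address */
    struct sockaddr_in target; socklen_t tl = sizeof target;
    getsockname(srv, (struct sockaddr *)&target, &tl);
    inet_pton(AF_INET, "127.0.0.2", &target.sin_addr);
    if (sendto(cli, "SCCRQ", 5, 0, (struct sockaddr *)&target, sizeof target) < 0) goto fail;

    char buf[64]; struct sockaddr_in peer; struct in_addr dst;
    if (recv_with_dst(srv, buf, sizeof buf, &peer, &dst) < 0) goto fail;
    ssize_t s = fix ? send_from(srv, "SCCRP", 5, &peer, dst)
                    : sendto(srv, "SCCRP", 5, 0, (struct sockaddr *)&peer, sizeof peer);
    if (s < 0) goto fail;

    struct sockaddr_in from; socklen_t fl = sizeof from;
    if (recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl) < 0) goto fail;
    inet_ntop(AF_INET, &from.sin_addr, out, outlen);
    close(srv); close(cli);
    return 0;
fail:
    close(srv); close(cli);
    return -1;
}

int main(void)
{
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    if (udp_echo_source(0, a, sizeof a) == 0) printf("plain sendto replies from  %s\n", a);
    if (udp_echo_source(1, b, sizeof b) == 0) printf("IP_PKTINFO replies from    %s\n", b);
    return 0;
}
```

With fix=0 the client sees the reply from 127.0.0.1 although it sent to 127.0.0.2, which is exactly what a stateful firewall or a peer matching on the tuple will drop; with fix=1 it comes back from 127.0.0.2. Two caveats worth knowing: ipi_addr is the header destination and ipi_spec_dst is the address the kernel should source from, so copy the former into the latter rather than mixing them up, and the IPv6 equivalent is IPV6_RECVPKTINFO with struct in6_pktinfo, which has only ipi6_addr and ipi6_ifindex.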