Interface not created until first L2TP session established.

L2TP related questions
tj-19
Posts: 36
Joined: 10 Jun 2019, 20:42

Interface not created until first L2TP session established.

Post by tj-19 »

I would like to setup various rules to disable connection tracking for the l2tp interface.

Normally I would do this by the interface name.

However, in ACCEL-PPP the interface is not created until the first session comes in.

I’ve set ifname=l2tp0%d to l2tp0 to make all interfaces l2tp0.

I then want to set:
iptables -t raw -I PREROUTING -i l2tp0 -j CT --notrack
iptables -t raw -I OUTPUT -o l2tp0 -j CT --notrack

However, if I type `ip route`,

I can see that ‘default dev l2tp0 scope link metric 1’ does not exist before the first session comes in.

I know I can disable connection tracking via IP ranges, but this will create extra work.

Any ideas?
dimka88
Posts: 866
Joined: 13 Oct 2014, 05:51

Re: Interface not created until first L2TP session established.

Post by dimka88 »

Hi @tj-19, why can you not use the + char in this case?

iptables -t raw -I PREROUTING -i l2tp+ -j CT --notrack
iptables -t raw -I OUTPUT -o l2tp+ -j CT --notrack

ifname=l2tp0%d means that you will have l2tp00, l2tp01 ...
Also, it is not possible to have the same name for the second interface.
tj-19
Posts: 36
Joined: 10 Jun 2019, 20:42

Re: Interface not created until first L2TP session established.

Post by tj-19 »

Hi,

I'm using Ubuntu with a Xanmod Kernel 5.15.16-xanmod1

I've added the rules to my iptables as above. But a conntrack -D shows IPs via the l2tp interfaces are still being tracked.

Any ideas how to fix this?
dimka88
Posts: 866
Joined: 13 Oct 2014, 05:51

Re: Interface not created until first L2TP session established.

Post by dimka88 »

You have to check all rules; show me the output of:

iptables -t raw -L -n -v
tj-19
Posts: 36
Joined: 10 Jun 2019, 20:42

Re: Interface not created until first L2TP session established.

Post by tj-19 »

Hi,

iptables -t raw -L -n -v

Chain PREROUTING (policy ACCEPT 99022 packets, 54M bytes)
pkts bytes target prot opt in out source destination
17109 4671K CT all -- l2tp+ * 0.0.0.0/0 0.0.0.0/0 CT notrack

Chain OUTPUT (policy ACCEPT 40338 packets, 44M bytes)
pkts bytes target prot opt in out source destination
0 0 CT all -- * l2tp+ 0.0.0.0/0 0.0.0.0/0 CT notrack


If I look at conntrack, I can still see the tracked sessions to IPs on the l2tp00, l2tp01 etc.

For example:-

conntrack -L |grep XXX.XXX.XXX.XXX

Any ideas why this is the case?
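Added example, not code from the thread: a POSIX shell audit of the raw-table listing posted above (the sample is constructed from that output) that reports which chains carry a CT notrack rule for an interface prefix and how many packets each rule has matched.

```shell
#!/bin/sh
# Audit which raw-table chains carry a CT --notrack rule for a given
# interface prefix, using the counter output of `iptables -t raw -L -n -v`.
# Sample below is constructed from the listing posted in this thread.
RAW_TABLE='Chain PREROUTING (policy ACCEPT 99022 packets, 54M bytes)
 pkts bytes target prot opt in out source destination
17109 4671K CT all -- l2tp+ * 0.0.0.0/0 0.0.0.0/0 CT notrack

Chain OUTPUT (policy ACCEPT 40338 packets, 44M bytes)
 pkts bytes target prot opt in out source destination
    0     0 CT all -- * l2tp+ 0.0.0.0/0 0.0.0.0/0 CT notrack'

# Print "CHAIN DIRECTION PKTS" for every notrack rule whose in/out interface
# starts with the prefix (an iptables "l2tp+" wildcard is a prefix match).
# Column layout of -L -n -v: pkts bytes target prot opt in out src dst ...
notrack_rules() {
    prefix=$1
    printf '%s\n' "$RAW_TABLE" | awk -v p="$prefix" '
        /^Chain / { chain = $2; next }
        $3 == "CT" && $0 ~ /notrack/ {
            if (index($6, p) == 1) print chain, "in", $1
            if (index($7, p) == 1) print chain, "out", $1
        }'
}

# Succeed only if PREROUTING (-i) and OUTPUT (-o) both carry a notrack rule
# for the prefix, i.e. both hooks where conntrack creates new entries.
notrack_covers_both_chains() {
    rules=$(notrack_rules "$1")
    printf '%s\n' "$rules" | grep -q '^PREROUTING in ' &&
    printf '%s\n' "$rules" | grep -q '^OUTPUT out '
}

# Packets counted by the first matching rule in one chain (chain, prefix).
notrack_pkts() {
    notrack_rules "$2" | awk -v c="$1" '$1 == c { print $3; exit }'
}
```

A zero count on OUTPUT is expected here, because traffic towards tunnel clients is forwarded rather than locally generated; forwarded packets enter PREROUTING on the upstream interface, where `-i l2tp+` does not match, so those flows are still tracked and only a destination-address match in PREROUTING can exclude them.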