add section how to set the port and ip addresses for fou

Signed-off-by: Marek Küthe <m.k@mk16.de>
Marek Küthe 2023-01-03 02:32:28 +01:00
parent 1455755292
commit 22b7950058
GPG Key ID: 7E869146699108C7
1 changed files with 27 additions and 5 deletions


@ -82,6 +82,20 @@ The currently used ports can be displayed with the following command:
ip fou show
```
If you want to stop using a port for FOU, you can use the following command:
```
ip fou del port <lport>
```
If the error message `RTNETLINK answers: Invalid argument` appears when stop using a port, this may be because you have not specified exactly which port should not be longer used. If you want to not using a port anymore, you must specify the same parameters as you did when you created it:
```
$ ip fou show
port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002
$ ip fou del port 5001
RTNETLINK answers: Invalid argument
$ ip fou del port 5001 gue local 192.168.179.2 peer 192.168.179.3 peer_port 6002
```
If you get the following error message, you can try to load the FOU kernel module:
```
RTNETLINK answers: No such file or directory
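Review bot: the new paragraph explaining the `Invalid argument` error has several grammar slips that should be fixed before merge: "when stop using a port" should read "when you stop using a port", "should not be longer used" should be "should no longer be used", and "If you want to not using a port anymore" should be "If you no longer want to use a port". The point itself is correct and useful, since `ip fou del` only matches an entry when every attribute given at creation (here `gue`, `local`, `peer` and `peer_port`) is repeated; the `ip fou show` / `ip fou del` example demonstrates that well.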
@ -110,11 +124,6 @@ ip link add <interface> type gre remote <remote> local <local> ttl 255 encap fou
```
Replace `<rport>` with the remote port of your peer.
If you want to stop using a port for FOU, you can use the following command:
```
ip fou del port <lport>
```
### Generic UDP Encapsulation (GUE)
Use the following command to enable FOU for a port:
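Review bot: removing the duplicated `ip fou del port <lport>` paragraph here is consistent with the copy now kept in the shared section above, so no information is lost. A blank line between "Replace `<rport>` with the remote port of your peer." and the `### Generic UDP Encapsulation (GUE)` heading would help readability once the block in between is gone.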
@ -127,3 +136,16 @@ Add the following command to the actual tunnel command:
```
encap gue encap-dport <rport>
```
### Set souce port and IP addresses manually
To set the souce port and IP addresses of both peers, there are three additional parameters for fou and one for tunnel:
```
ip fou add port <lport> [gue|ipproto <proto>] peer_port <rport> local <local> peer <remote>
```
```
ip link add [...] encap [...] encap-sport <lport>
```
Here `<lport>` is the own port and `<rport>` is the port of the peer. `<local>` is its own IP address and `<remote>` is the IP address of the peer.
Specifying the source IP address can prevent an attacker with a wrong source IP address from sending an encapsulated tunnel packet (e. g. GRE or SIT) that has the correct source address in the UDP tunnel. However, this procedure does not protect against IP spoofing.
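Review bot: "souce" is misspelled twice (heading "Set souce port and IP addresses manually" and the first sentence); it should be "source". In the parameter description, "`<lport>` is the own port" and "`<local>` is its own IP address" read awkwardly; "your own port" and "your own IP address" would match the rest of the sentence, which already says "the port of the peer" and "the IP address of the peer". The security remark is worth keeping, but it would be clearer if it said explicitly that `local`, `peer` and `peer_port` only restrict which outer UDP source address and port the FOU receive path accepts, so that a packet whose outer header is spoofed to match still passes, which is exactly the "does not protect against IP spoofing" caveat in the last sentence.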