Playing with Linux network namespaces: single-machine self-loop testing and policy routing

Source: Internet
Author: User

Last week a vendor came to our company for testing and brought a PCIe network-processing accelerator card that was said to be very powerful. It felt heavy in the hand, and what excited people most was its four 10-gigabit ports, so I couldn't wait to see what the forwarding performance of those optical ports would be like.
But how do you test with only four optical ports? At the very least you need a peer device. Nobody wants to carry three machines to a customer site just to test forwarding performance, and you cannot expect the customer to have the peer equipment you need. Our company, for example, has no equipment that can connect to 10-gigabit ports; a device with 10-gigabit ports happened to be around that day, but that was pure coincidence. The best way to test is, of course, to not rely on any external devices, and the obvious way to do that is a self-loop.
With RJ45 twisted-pair ports you can make a physical-layer loopback by shorting pins 1/3 and 2/6, so that a single NIC both sends and receives. But can you do that with a fiber only slightly thicker than a hair? The practical answer is to solve it in software, which on Linux can be done with netns, that is, network namespaces.
Netns is fun to play with. It lets you simulate multiple network devices on a single machine, which is useful in several ways:
1. Netns lets you make full use of idle processor resources, especially when the traffic from your multiple NICs cannot keep the CPU busy;
2. Netns lets you isolate different types of network applications and apply a different policy to each class;
3. Netns has a touch of virtualization about it, but is more flexible than a virtual machine.
A net namespace has its own routing table, iptables rules, and device management, completely isolated from other netns. For example, if you add eth0 to netns1, applications in netns2 will not see eth0. NIC device management is only one element of a netns; there are many others. For instance, iptables rules configured in netns1 have no effect on packets in netns2. In short, if you know the Linux kernel source, every structure associated with a struct net, such as skb and net_device, is tied to a netns.
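One way to observe this isolation from user space, offered as a small sketch rather than as part of the original walkthrough: on Linux each process exposes its network namespace as the symlink /proc/<pid>/ns/net, and two processes share a netns exactly when the link targets are identical. The namespace name t1 in the comment is only an example.

```shell
#!/bin/sh
# Print the identifier of the network namespace this shell runs in.
# The link target has the form net:[<inode number>].
current_ns="$(readlink /proc/self/ns/net)"
echo "this shell is in: $current_ns"

# As root, the same command run inside a named namespace (for example one
# created with "ip netns add t1") prints a different identifier:
#   ip netns exec t1 readlink /proc/self/ns/net
```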
So how do we set up the self-loop? My device has 4 NICs, and I want NIC 1 and NIC 4 to communicate with NICs 2 and 3 doing the forwarding. The logical topology is as follows:
pc1/eth0----pc2/eth1 (forward) pc2/eth2----pc3/eth3
It's easy: put eth0 and eth3 in two different netns, connect eth0 to eth1 and eth2 to eth3 with cables, then give eth0 and eth1 IP addresses in one network segment and eth2 and eth3 addresses in a different segment. Talk without practice is worthless, so what exactly do you do? It is also very simple:
1. Add two netns
ip netns add t1
ip netns add t2
2. Add eth0 to t1 and set its IP address
ip link set eth0 netns t1
At this point ifconfig no longer shows eth0, and even ls /sys/class/net does not show it; only ip netns exec t1 ls /sys/class/net does.
ip netns exec t1 ifconfig eth0 192.168.1.200/24
3. Add eth3 to t2 and set its IP address
ip link set eth3 netns t2
At this point ifconfig no longer shows eth3, and even ls /sys/class/net does not show it; only ip netns exec t2 ls /sys/class/net does.
ip netns exec t2 ifconfig eth3 172.16.1.200/24
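4. Set the addresses of eth1 and eth2
ifconfig eth1 192.168.1.1/24
ifconfig eth2 172.16.1.1/24
5. Set a default route for each netns
ip netns exec t1 route add default gw 192.168.1.1
ip netns exec t2 route add default gw 172.16.1.1
6. Test
From netns t1, ping the address of eth3 in netns t2:
ip netns exec t1 ping 172.16.1.200
If the ping gets no reply, check that IP forwarding is enabled in the default netns (sysctl -w net.ipv4.ip_forward=1), since the default netns acts as the router here.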
With the above configuration, packets sent from eth0 travel over the cable to eth1 (instead of being short-circuited through the loopback path of the local routing table), are forwarded from eth1 to eth2, and then travel over the cable to eth3, where they are received. The whole process happens on one machine, yet it behaves as if there were three. With this mechanism, do you still need to worry about building a test environment?
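The six steps above can be collected into one script. The sketch below is one possible arrangement, not the author's own script: it swaps ifconfig and route for their iproute2 equivalents (ip addr, ip link, ip route), enables IP forwarding explicitly, and by default only prints the commands. Setting DRY_RUN=0 and running as root executes them; the interface names and addresses are the ones used in the text.

```shell
#!/bin/sh
# Print commands by default; execute them only when DRY_RUN=0 (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_selfloop() {
    # Two namespaces play the role of the two end hosts.
    run ip netns add t1
    run ip netns add t2
    # Move the outer ports into them and configure their addresses.
    run ip link set eth0 netns t1
    run ip link set eth3 netns t2
    run ip netns exec t1 ip addr add 192.168.1.200/24 dev eth0
    run ip netns exec t1 ip link set eth0 up
    run ip netns exec t2 ip addr add 172.16.1.200/24 dev eth3
    run ip netns exec t2 ip link set eth3 up
    # The default namespace keeps eth1/eth2 and acts as the router.
    run ip addr add 192.168.1.1/24 dev eth1
    run ip link set eth1 up
    run ip addr add 172.16.1.1/24 dev eth2
    run ip link set eth2 up
    run sysctl -w net.ipv4.ip_forward=1
    # Each end host reaches the other segment through the router.
    run ip netns exec t1 ip route add default via 192.168.1.1
    run ip netns exec t2 ip route add default via 172.16.1.1
}

setup_selfloop
```

Reviewing the printed commands first is a cheap safeguard, because moving a NIC into a namespace on a remote machine can cut off your own connection.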
Besides self-loop testing, netns can also be used to implement policy routing without any ip rule. Imagine this scenario: you run two programs, P1 and P2, and the LAN has two exits to the outside network. You want P1 to communicate with the outside through GW1 and P2 through GW2, with the constraint that your machine has only one NIC, eth0. What do you do? One way is to mark the packets of P1 and P2 differently with iptables and then set up policy routes with ip rule. Alternatively, P1 and P2 can set the mark themselves with setsockopt, which makes iptables unnecessary. But those are all old hat; it's 2014 and I want a different way.
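For comparison, the mark-based approach could be sketched roughly as follows. The article does not say how the packets of P1 and P2 are told apart; matching on the owning user with the iptables owner module is an assumption made here, as are the user names p1user and p2user, the table numbers 101 and 102, and the gateway addresses. The script only prints the commands unless DRY_RUN=0 is set, in which case it must run as root.

```shell
#!/bin/sh
# Print commands by default; execute them only when DRY_RUN=0 (needs root).
DRY_RUN="${DRY_RUN:-1}"
GW1="${GW1:-192.0.2.1}"   # hypothetical address of the first gateway
GW2="${GW2:-192.0.2.2}"   # hypothetical address of the second gateway

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_and_route USER MARK TABLE GATEWAY
mark_and_route() {
    # Mark locally generated packets owned by the given user.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$1" -j MARK --set-mark "$2"
    # Send packets carrying that mark to a dedicated routing table...
    run ip rule add fwmark "$2" table "$3"
    # ...whose only entry is a default route via the chosen gateway.
    run ip route add default via "$4" table "$3"
}

mark_and_route p1user 1 101 "$GW1"
mark_and_route p2user 2 102 "$GW2"
```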
I don't know how to explain my line of thought, so I'll simply give a sequence of operations; it does meet the requirement, and readers can work backwards from the steps to reconstruct the reasoning. The first thing to understand is that the Linux kernel supports a kind of virtual NIC called veth. Veth devices come in pairs: a packet sent from one veth arrives directly at its peer. Anyone interested in the kernel can read drivers/net/veth.c; it is much like drivers/net/tun.c, only simpler. The first step is to create a veth pair:
ip link add veth1 type veth peer name veth2
Now the system has two more NICs besides eth0; the full list is lo, eth0, veth1, veth2. The implied fact is that there is a virtual link between veth1 and veth2, as if two physical NICs were connected by a twisted-pair cable. I want P1's packets to go out through veth1, from which they naturally reach veth2, but how do they then get onto the physical line through eth0? Simple, use a bridge:
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 veth2

At the same time, give veth1 and br0 IP addresses in the LAN's network segment (assign veth1's address after moving it into its netns, since the move clears it), and everything is connected. The layer-2 logical topology is:
veth1----veth2 (bridge) eth0----GW
I didn't intend to go through the netns setup, but since my little one isn't playing with me right now, I'll finish it. First move veth1 into netns1 (creating a netns was covered above) and set the routes:
ip link set veth1 netns netns1
ip netns exec netns1 route add default gw $GW1
route add default gw $GW2
Is that it? Yes, that's it. There is actually no need to create netns2; br0 simply stays in the default netns. The next step is to start P1 and P2:
ip netns exec netns1 P1
P2

All right, that's all.
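Put together, the steps of this section might look like the sketch below. It uses iproute2's bridge support in place of brctl (a substitution, not what the article ran), and the LAN addresses for br0 and veth1 and the two gateway addresses are placeholders chosen for illustration. It also assumes eth0 carries no address or default route of its own yet. Commands are only printed unless DRY_RUN=0 is set and the script runs as root.

```shell
#!/bin/sh
# Print commands by default; execute them only when DRY_RUN=0 (needs root).
DRY_RUN="${DRY_RUN:-1}"
GW1="${GW1:-192.0.2.1}"                   # hypothetical gateway for P1
GW2="${GW2:-192.0.2.2}"                   # hypothetical gateway for P2
BR0_ADDR="${BR0_ADDR:-192.0.2.10/24}"     # hypothetical LAN address of br0
VETH1_ADDR="${VETH1_ADDR:-192.0.2.11/24}" # hypothetical LAN address of veth1

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_policy_netns() {
    run ip netns add netns1
    run ip link add veth1 type veth peer name veth2
    # Bridge the physical NIC with the default-namespace end of the pair.
    run ip link add br0 type bridge
    run ip link set eth0 master br0
    run ip link set veth2 master br0
    run ip link set eth0 up
    run ip link set veth2 up
    run ip link set br0 up
    # The default namespace (where P2 runs) leaves through GW2.
    run ip addr add "$BR0_ADDR" dev br0
    run ip route add default via "$GW2"
    # netns1 (where P1 runs) leaves through GW1.
    run ip link set veth1 netns netns1
    run ip netns exec netns1 ip addr add "$VETH1_ADDR" dev veth1
    run ip netns exec netns1 ip link set veth1 up
    run ip netns exec netns1 ip route add default via "$GW1"
}

setup_policy_netns
# P1 is then started with "ip netns exec netns1 P1", P2 is started normally.
```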
I have always felt that on Linux most problems can be solved without modifying source code, yet I still like modifying code. Why? Simple: the source is easy to obtain and easy to modify. I was once obsessed with writing netfilter extensions, made many changes to nf_conntrack, and even added some damned socket filters... These were done for my own amusement and never used at work, but they show that I am not a network administrator but a programmer, haha, a self-styled senior software engineer (and I still think those results could be put to use). However, being a skilled network administrator is far harder than being a programmer. Case in point: I have once again run into the OpenVPN multi-instance problem, and I think neither a pure programmer nor a pure network administrator can solve it.
The multi-instance problem in tap mode was solved neatly with a Linux bridge, but there is still no perfect solution for multiple instances in tun mode. Modifying the tun driver, or using broadcast-mode bonding plus a tun filter, can solve it, but I still feel that is an unorthodox route, so even at the company I never carried the debugging and testing through to the end and it came to nothing; in truth I don't like that approach. The tun IP filter is my own solution, not a standard one. Can the problem be solved in a standard way? With netns, the answer is yes.
Suppose two OpenVPN instances, ovpn1 and ovpn2, are started on the GW, with virtual NICs tun1 and tun2, and a client-connect script serves ovpn1 and ovpn2. The crux now is: how does a packet arriving from behind the GW know whether it should go to tun1 or tun2, and can that decision be automated? With netns it can. I put the 2 tun devices in different netns, give each of those netns one end of a veth pair, and place the peer ends of those veths together in another netns. This adapts the IP-layer tun-mode virtual NIC to an Ethernet-layer, tap-style virtual NIC. Finally, bridge those peers into a br0, and tun-mode OpenVPN can be handled the same way as tap-mode OpenVPN.
In any case, when you play with netns, bear in mind that you are not dealing with a full-blown virtualized operating system, nor really simulating two physically isolated machines: the two programs' networks are isolated, but the file system is shared. Be ready to combine network isolation with shared memory and file systems. One machine can act as several machines, and still be a single machine whose resources are shared!

If you understand the examples above and the summary, let me ask: how do you do a self-loop with a single NIC, or with no NIC at all? The need might be to test the protocol stack. Skipping the thought process, the answer is simple: add one more layer. For example, on such a machine you can exercise IP forwarding or bridge forwarding with the following commands:
ip link add v1 type veth peer name vp1
ip link add v2 type veth peer name vp2
brctl addbr br0
brctl addif br0 vp1
brctl addif br0 vp2
ifconfig vp1 up
ifconfig vp2 up
ifconfig br0 up
sysctl -w net.ipv4.ip_forward=1
ip netns add t1
ip netns add t2
ip link set v1 netns t1
ip link set v2 netns t2
ip netns exec t1 ifconfig v1 1.1.1.1/24
ip netns exec t2 ifconfig v2 1.1.1.2/24
ip netns exec t1 ping 1.1.1.2
...
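Because the commands above leave namespaces, veth pairs and a bridge behind, a test script usually wants a matching teardown. The sketch below is one possible arrangement, not the author's: it builds the same bridged topology with iproute2 only (ip link with type bridge and master instead of brctl, ip addr instead of ifconfig) and then removes it again. Deleting a namespace also destroys the veth end inside it together with its peer. The function names are illustrative, and the script prints the commands unless DRY_RUN=0 is set and it is run as root.

```shell
#!/bin/sh
# Print commands by default; execute them only when DRY_RUN=0 (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup() {
    # Two veth pairs; the vp* ends stay in the default namespace on a bridge.
    run ip link add v1 type veth peer name vp1
    run ip link add v2 type veth peer name vp2
    run ip link add br0 type bridge
    run ip link set vp1 master br0
    run ip link set vp2 master br0
    run ip link set vp1 up
    run ip link set vp2 up
    run ip link set br0 up
    # The v* ends become the NICs of two simulated hosts.
    run ip netns add t1
    run ip netns add t2
    run ip link set v1 netns t1
    run ip link set v2 netns t2
    run ip netns exec t1 ip addr add 1.1.1.1/24 dev v1
    run ip netns exec t1 ip link set v1 up
    run ip netns exec t2 ip addr add 1.1.1.2/24 dev v2
    run ip netns exec t2 ip link set v2 up
}

check() {
    # Traffic from t1 to t2 crosses v1 -> vp1 -> br0 -> vp2 -> v2.
    run ip netns exec t1 ping -c 3 1.1.1.2
}

teardown() {
    run ip netns del t1
    run ip netns del t2
    run ip link del br0
}

setup
check
teardown
```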
