* conntrack: how to handle child process's NETLINK_NETFILTER
@ 2011-05-07 16:24 Ken-ichirou MATSUZAWA
2011-05-08 16:47 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2011-05-07 16:24 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Hello Pablo, list
How can we handle conntrack of a child process which forks/clones with
the CLONE_NEWNET flag from its parent? I tried passing the child's AF_NETLINK
socket fd to the parent using sendmsg. But there may be a better way to handle
it, connecting the child's AF_NETLINK socket, like ``ip link set ... netns''.
I tried a tiny and hacky prototype which can be got from
http://www.h3.dion.ne.jp/~chamas/src/ctprobe.tgz but I do not know if it's
the right way. Would you give me some advice?
--------
English is not my native language, so I would like to explain with copious
use of commands.
There is a linux box which has two NICs. One is for normal usage, the other is
connected to a mirrored port of network equipment (like an L2/L3 switch).
eth1 is connected to the mirrored port.
# yes, tested on KVM/QEMU, call this HOST
root@debian:~# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 40:a0:b0:96:a7:01 brd ff:ff:ff:ff:ff:ff
inet 172.27.101.134/24 brd 172.27.101.255 scope global eth0
inet6 fe80::42a0:b0ff:fe96:a701/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 40:a0:b0:96:a7:02 brd ff:ff:ff:ff:ff:ff
inet6 fe80::42a0:b0ff:fe96:a702/64 scope link
valid_lft forever preferred_lft forever
Create a child using lxc (http://lxc.sourceforge.net/). # will call this GUEST
root@debian:~# cat lxc.conf
lxc.utsname = lxc
lxc.network.type = empty
lxc.mount.entry=sysfs /sys sysfs defaults 0 0
lxc.mount.entry=proc /proc proc defaults 0 0
root@debian:~# lxc-execute -n lxc -f lxc.conf /bin/bash
root@lxc:~# ip link ls
6: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Pass the monitoring and dummy (NULL) interfaces to the child. On the HOST side:
root@debian:~/ctprobe# ps -aef | grep lxc
root 3090 3063 0 23:05 pts/0 00:00:00 lxc-execute -n lxc -f lxc.conf /bin/bash
root 3091 3090 0 23:05 pts/0 00:00:00 /usr/lib/lxc/lxc-init -- /bin/bash
root 3103 1702 0 23:06 ttyS0 00:00:00 grep lxc
root@debian:~/ctprobe# ip link set eth1 netns 3091
root@debian:~/ctprobe# ip link ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 40:a0:b0:96:a7:01 brd ff:ff:ff:ff:ff:ff
root@debian:~/ctprobe# modprobe dummy
root@debian:~/ctprobe# ip link set dummy0 netns 3091
Create bridge br0 and redirect (change the MAC address of) all traffic to
local. Then, to enable conntrack and make all traffic go through from eth1
to dummy0, add a default route. On the GUEST side:
root@lxc:~# ip link ls
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 40:a0:b0:96:a7:02 brd ff:ff:ff:ff:ff:ff
6: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
link/ether 92:d0:ea:d8:60:01 brd ff:ff:ff:ff:ff:ff
root@lxc:~# ip link set eth1 up
root@lxc:~# ip link set dummy0 up
root@lxc:~# brctl addbr br0
root@lxc:~# brctl addif br0 eth1
root@lxc:~# ip link set br0 up
root@lxc:~# ebtables -t broute -I BROUTING -i eth1 -j redirect --redirect-target ACCEPT
root@lxc:~# iptables -I INPUT -m connbytes --connbytes 0: --connbytes-dir both --connbytes-mode bytes -j ACCEPT
root@lxc:~# ip route add default dev dummy0
At this point, I can ``see'' conntrack of the monitoring interface on the GUEST
with ``conntrack -L'' and send it through the network if I give more NICs to the
GUEST and add a more specific route on the GUEST.
But those seem bothersome to me, so I think it's easier to let the HOST
read and write the GUEST's AF_NETLINK socket.
--------
A test with my silly code is... run the socket fd transmitter on the GUEST side
root@lxc:~# cd ctprobe/
root@lxc:~/ctprobe# ./passocketer
Then, run conntrack on the HOST side
root@debian:~/ctprobe# conntrack -L -p icmp
conntrack v0.9.14 (conntrack-tools): 0 flow entries have been shown.
root@debian:~/ctprobe# LD_PRELOAD=./passock.so conntrack -L -p icmp
icmp 1 29 src=172.27.68.175 dst=172.27.68.1 type=8 code=0 id=27167 packets=65 bytes=5460 src=172.27.68.1 dst=172.27.68.175 type=0 code=0 id=27167 packets=65 bytes=5460 mark=0 use=1
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.
Again, I don't know if this is an effective way or not...
I think this lets us implement a netflow probe easily, without libpcap.
thanks,
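The mechanism the post relies on, passing a socket created inside the child's network namespace up to the parent with SCM_RIGHTS, as an added example in C. This is not the ctprobe/passocketer code from the post; the function and variable names are my own. The child unshares a netns (CAP_SYS_ADMIN) and opens a NETLINK_NETFILTER socket there; main() shows that real use, and the helper also works unprivileged with an ordinary AF_UNIX socket in the caller's own namespace, which is what the assertions exercise. The point to take away: a socket stays bound to the netns it was created in, so the parent, still in the host namespace, talks to the guest's conntrack table through the received descriptor. On current kernels netlink requests are also authorized against the credentials of the process that opened the socket, not the sender, so the passed descriptor is a capability and should only be handed to a receiver you trust.

```c
/* Added example: SCM_RIGHTS passing of a socket opened in a child netns.
 * Build: gcc -Wall -o passfd passfd.c ; run main() as root. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/netlink.h>

/* Send one descriptor over a UNIX-domain socket as SCM_RIGHTS ancillary data. */
int send_fd(int chan, int fd)
{
    char byte = 'F';                       /* at least one data byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new local fd (CLOEXEC) or -1. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(chan, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    /* Accept exactly one SCM_RIGHTS descriptor, nothing else. */
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Fork a child that optionally unshares a fresh network namespace, opens
 * socket(domain, type, proto) in it and hands the socket back. Returns the
 * parent's descriptor for that socket, or -1 if the child failed. */
int socket_from_child_netns(int domain, int type, int proto, int new_netns)
{
    int sv[2], status, fd;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        if (new_netns && unshare(CLONE_NEWNET) < 0)   /* needs CAP_SYS_ADMIN */
            _exit(2);
        int s = socket(domain, type, proto);
        _exit(s >= 0 && send_fd(sv[1], s) == 0 ? 0 : 1);
    }
    close(sv[1]);
    fd = recv_fd(sv[0]);            /* -1 on EOF if the child died early */
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Ask the kernel what a received socket is: domain and protocol belong to
 * the socket object, not to whoever happens to hold the descriptor now. */
int socket_domain(int fd)
{
    int v = -1; socklen_t len = sizeof v;
    return getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &v, &len) == 0 ? v : -1;
}
int socket_protocol(int fd)
{
    int v = -1; socklen_t len = sizeof v;
    return getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &v, &len) == 0 ? v : -1;
}

int main(void)
{
    /* Real use: as root the child lands in its own netns and the parent gets
     * a NETLINK_NETFILTER socket that queries the child's conntrack table. */
    int fd = socket_from_child_netns(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER, 1);
    if (fd < 0) {
        fprintf(stderr, "no socket: CLONE_NEWNET and nfnetlink need root\n");
        return 1;
    }
    printf("fd %d: domain %d protocol %d (AF_NETLINK=%d NETLINK_NETFILTER=%d)\n",
           fd, socket_domain(fd), socket_protocol(fd), AF_NETLINK, NETLINK_NETFILTER);
    return 0;
}
```

In the post's setup the child is the long-lived lxc-init, so the guest namespace outlives the handshake; here the child exits right after sending, and the received socket alone keeps its namespace referenced. An LD_PRELOAD shim like the post's passock.so then only has to interpose socket() for AF_NETLINK/NETLINK_NETFILTER and return this descriptor instead of creating a fresh one.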
* Re: conntrack: how to handle child process's NETLINK_NETFILTER
2011-05-07 16:24 conntrack: how to handle child process's NETLINK_NETFILTER Ken-ichirou MATSUZAWA
@ 2011-05-08 16:47 ` Pablo Neira Ayuso
2011-05-09 10:40 ` Ken-ichirou MATSUZAWA
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2011-05-08 16:47 UTC (permalink / raw)
To: Ken-ichirou MATSUZAWA; +Cc: netfilter
On 07/05/11 18:24, Ken-ichirou MATSUZAWA wrote:
> There is linux box which has two NICs. one for nomal usage, another is
> connected to mirrored port of network equipment (like L2/L3 switch).
> eth1 is connected to mirrored port.
[...]
> I think this let us implement netflow probe easy, without libpcap.
It should be hard to make a patch for the kernel to drop all the packets
after the last conntrack hook. Thus, the conntrack subsystem and ulogd2
can be used for flow-accounting in mirrored port configurations.
Let me know if this is what you want, it really took me a while to
understand what you want from your email.
* Re: conntrack: how to handle child process's NETLINK_NETFILTER
2011-05-08 16:47 ` Pablo Neira Ayuso
@ 2011-05-09 10:40 ` Ken-ichirou MATSUZAWA
0 siblings, 0 replies; 3+ messages in thread
From: Ken-ichirou MATSUZAWA @ 2011-05-09 10:40 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Ken-ichirou MATSUZAWA, netfilter
Hello Pablo
I am sorry for my poor explanation and for taking so much of your time.
At Sun, 08 May 2011 18:47:02 +0200,
Pablo Neira Ayuso wrote:
> after the last conntrack hook. Thus, the conntrack subsystem and ulogd2
> can be used for flow-accounting in mirrored port configurations.
You are right, I want to use the conntrack subsystem for flow-accounting.
Thanks to per-netns ct, I was surprised that a child process can hold its own
flow-accounting data of the mirrored port, different from the parent's, and I
want to use this child's data.
I think getting the data and sending it from the parent to a flow-accounting
collector is easy. But I don't know if the parent can open the child process's
socket, or can pass a socket to the child as if it is in the child's netns.
So I passed a socket created in the child to the parent. I think there may be
a better way. Would you give me any advice?
thanks,
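The other direction asked about here, the parent opening a socket that behaves as if it were created in the child's netns, is possible without any fd passing on Linux 3.0 and later: setns(2) moves the calling thread into the namespace behind /proc/<pid>/ns/net, socket() binds the new socket to that namespace, and the thread switches back. This is an added example, not code from the thread; the function name is mine, and the path argument (e.g. /proc/3091/ns/net for the lxc-init pid shown in the first message) is supplied by the caller. setns() needs CAP_SYS_ADMIN, so the assertions only cover the failure paths that behave the same for any user.

```c
/* Added example: open a socket inside another process's network namespace
 * with setns(2) instead of passing the descriptor out of the child.
 * Build: gcc -Wall -o nsock nsock.c ; run as root: ./nsock /proc/<pid>/ns/net */
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Create socket(domain, type, proto) inside the netns named by ns_path.
 * The socket stays bound to that namespace after this thread returns home.
 * Returns the socket or -1. On -1 the caller is still in its own namespace:
 * if the way back fails we abort rather than keep running in the wrong one. */
int socket_in_netns(const char *ns_path, int domain, int type, int proto)
{
    int self = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (self < 0)
        return -1;
    int target = open(ns_path, O_RDONLY | O_CLOEXEC);
    if (target < 0) {
        close(self);
        return -1;
    }
    int sock = -1;
    /* setns() needs CAP_SYS_ADMIN, fails with EINVAL if target is not a
     * namespace file, and only moves the calling thread, not the process. */
    if (setns(target, CLONE_NEWNET) == 0) {
        sock = socket(domain, type | SOCK_CLOEXEC, proto);
        if (setns(self, CLONE_NEWNET) < 0)
            abort();
    }
    close(target);
    close(self);
    return sock;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /proc/<pid>/ns/net\n", argv[0]);
        return 2;
    }
    int fd = socket_in_netns(argv[1], AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (fd < 0) {
        perror("socket_in_netns");
        return 1;
    }
    printf("NETLINK_NETFILTER socket %d is bound to %s\n", fd, argv[1]);
    return 0;
}
```

Because the switch is per thread, a multithreaded collector should do this from one dedicated thread, and the SOCK_CLOEXEC flag keeps the guest-bound socket from leaking into anything the collector later executes.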