* Unusual packet forwarding task
@ 2024-10-24 22:21 Rob Roschewsk
2024-10-25 8:38 ` Martin Tonusoo
0 siblings, 1 reply; 4+ messages in thread
From: Rob Roschewsk @ 2024-10-24 22:21 UTC (permalink / raw)
To: netfilter
I have a linux box with two interfaces ...
eth0 (no IP address, in promiscuous mode) wired to a network switch
port. The switch port is configured as a mirror (a.k.a. firehose).
eth1 (10.0.0.2) is a second interface to monitoring application
The goal is to take certain packets (identifiable by protocol and
port) received on eth0 and send them out eth1 with DNAT 10.0.0.1 and
SNAT 10.0.0.2.
So if the inbound packet arriving at eth0 looks like:
192.168.17.36 -> 172.16.20.3 | protocol UDP | port 6000 | DATA |
It should go out eth1 as:
10.0.0.2 -> 10.0.0.1 | protocol UDP | port 6000 | DATA |
I've tried every permutation of OVS, Routes, IPTABLES that I can think of.
I can blindly loop ALL of the traffic for eth0 to eth1 with an OVS
mirror without filtering or nat but that's not what I need.
If I try plain iptables with FORWARD, PREROUTING, and POSTROUTING
rules no packets show up on eth1.
Is this solvable or a case of "existing technology will not support" ??
Thanks,
-> Rob
* Re: Unusual packet forwarding task
From: Martin Tonusoo @ 2024-10-25 8:38 UTC (permalink / raw)
To: Rob Roschewsk; +Cc: netfilter
Hi Rob,
perhaps something like this will do:
https://gist.github.com/tonusoo/0490bc5cf564689f3999f1de4eef098d
On Debian based distributions the dependencies can be installed with
"apt install --no-install-recommends python3-pcapy python3-scapy".
Pcapy is a wrapper library for libpcap which processes the filter in
Berkeley Packet Filter syntax, builds the binary bytecode and
eventually sends it to the kernel via the SO_ATTACH_FILTER. Thus,
there should be very little impact on throughput or CPU usage.
I used the following systemd service to manage the script:
root@deb12-1:~# systemctl cat packet-forwarder
# /etc/systemd/system/packet-forwarder.service
[Unit]
Description=Forwards certain packets received on eth0 out from eth1
After=network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/sbin/packet-forwarder.py
[Install]
WantedBy=multi-user.target
root@deb12-1:~#
Martin
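The user-space approach Martin describes (capture on eth0 with a BPF filter, rewrite, transmit on eth1) comes down to three steps per packet: match on protocol and port, swap the IP addresses, and recompute the IPv4 and UDP checksums so the monitoring application does not discard the result. The following is an added example written for this thread; it is not the code in Martin's gist and not from the netfilter project. It does the rewrite on a constructed IPv4/UDP packet in pure Python so it runs offline without scapy, pcapy, root, or real interfaces; actually reading from eth0 and writing the Ethernet frame to eth1 (raw sockets, CAP_NET_RAW) is the part pcapy/scapy supply and is left out here. The assumption that "port 6000" means the UDP destination port is mine. It also explains why Rob's iptables rules never matched: frames copied by a mirror port carry a foreign destination MAC, so the kernel's IP input path drops them before PREROUTING or FORWARD ever run; a user-space capture sees them because promiscuous mode passes them to the packet socket.

```python
# Added example for this thread; not the gist's code. Constructed packets, no real I/O.
import socket
import struct

# Constructed from Rob's description of the task.
MATCH_PROTO = 17          # UDP
MATCH_DST_PORT = 6000     # assumption: "port 6000" is the UDP destination port
SNAT_SRC = "10.0.0.2"     # eth1's address becomes the new source
DNAT_DST = "10.0.0.1"     # the monitoring application becomes the new destination


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, shared by IPv4 headers and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet (no Ethernet header) for testing."""
    udp_len = 8 + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, MATCH_PROTO, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = checksum(pseudo + udp) or 0xFFFF       # 0 means "no checksum", so send 0xFFFF instead
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64,
                     MATCH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def matches(pkt: bytes) -> bool:
    """Equivalent of the BPF filter 'ip and udp and dst port 6000', first fragment only."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] != MATCH_PROTO or frag_offset != 0 or len(pkt) < ihl + 8:
        return False                                # only the first fragment carries the UDP header
    _, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    if udp_len < 8 or ihl + udp_len > len(pkt):
        return False                                # truncated or malformed UDP length
    return dport == MATCH_DST_PORT


def rewrite(pkt: bytes) -> bytes:
    """Apply SNAT/DNAT and recompute both checksums; ports and payload are untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_aton(SNAT_SRC), socket.inet_aton(DNAT_DST)
    ip = pkt[:10] + b"\x00\x00" + src + dst + pkt[20:ihl]   # zero the checksum, swap addresses
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    udp = pkt[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    if udp[6:8] != b"\x00\x00":                     # the UDP pseudo-header covers the addresses
        pseudo = src + dst + struct.pack("!BBH", 0, MATCH_PROTO, udp_len)
        zeroed = udp[:6] + b"\x00\x00" + udp[8:udp_len]
        csum = checksum(pseudo + zeroed) or 0xFFFF
        udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return ip + udp


def forward(pkt: bytes):
    """The eth0 -> eth1 decision: rewritten packet for a match, None (drop) otherwise."""
    return rewrite(pkt) if matches(pkt) else None


def addresses(pkt: bytes) -> tuple:
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def ip_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0


def udp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, MATCH_PROTO, udp_len)
    return checksum(pseudo + udp[:udp_len]) == 0


# Constructed samples: the packet from Rob's mail, and one on a port we do not want.
SAMPLE = build_ipv4_udp("192.168.17.36", "172.16.20.3", 40000, 6000, b"DATA")
OTHER = build_ipv4_udp("192.168.17.36", "172.16.20.3", 40000, 5000, b"DATA")

if __name__ == "__main__":
    print("in :", addresses(SAMPLE), SAMPLE.hex())
    out = forward(SAMPLE)
    print("out:", addresses(out), out.hex())
    print("non-matching packet forwarded:", forward(OTHER) is not None)
```

Two details matter in production: a UDP checksum of zero means "not computed" on IPv4 and must be left alone rather than recalculated, and only the first fragment of a fragmented datagram has a UDP header, so later fragments cannot be matched by port at all; both cases are handled above. The same filter expression, handed to pcapy as Martin describes, is what keeps non-matching traffic from reaching Python in the first place.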
* Re: Unusual packet forwarding task
From: Rob Roschewsk @ 2024-10-25 13:56 UTC (permalink / raw)
To: Martin Tonusoo; +Cc: netfilter
Thanks Martin!
I'm not at the point of adding code to this project yet ... close but
not yet :) This will certainly give me a head start if that happens.
-> Rob
On Fri, Oct 25, 2024 at 4:39 AM Martin Tonusoo <martin@tonusoo.ee> wrote:
>
> Hi Rob,
>
> perhaps something like this will do:
> https://gist.github.com/tonusoo/0490bc5cf564689f3999f1de4eef098d
>
> On Debian based distributions the dependencies can be installed with
> "apt install --no-install-recommends python3-pcapy python3-scapy".
> Pcapy is a wrapper library for libpcap which processes the filter in
> Berkeley Packet Filter syntax, builds the binary bytecode and
> eventually sends it to the kernel via the SO_ATTACH_FILTER. Thus,
> there should be very little impact on throughput or CPU usage.
>
> I used the following systemd service to manage the script:
>
> root@deb12-1:~# systemctl cat packet-forwarder
> # /etc/systemd/system/packet-forwarder.service
> [Unit]
> Description=Forwards certain packets received on eth0 out from eth1
> After=network.target
>
> [Service]
> Type=simple
> Restart=always
> ExecStart=/usr/local/sbin/packet-forwarder.py
>
> [Install]
> WantedBy=multi-user.target
> root@deb12-1:~#
>
>
> Martin
* Re: Unusual packet forwarding task
From: Logan B @ 2024-10-31 14:45 UTC (permalink / raw)
To: Rob Roschewsk; +Cc: Martin Tonusoo, netfilter
Rob,
I have a feeling that this can be accomplished with some manually
added match/actions inside of ovs. Specifically using ovs-ofctl.
I would add both ports into an ovs bridge
Using your criteria to specify the match and action. Writing a flow
match by hand involves some trial and error. Something like the
following, though I haven't tried it out
ovs-ofctl add-flow br0 "in_port=0,udp,nw_src=192.168.17.36,nw_dst=172.16.20.3,actions=mod_nw_src:10.0.0.2,mod_nw_dst:10.0.0.1,output:1"
There is a lot of flexibility in matching [1] and the actions
[2]. If the network is full of traffic that you don't care about,
you could add a rule to drop a lot of traffic that you don't care
about.
I hope this helps.
[1] https://www.man7.org/linux/man-pages/man7/ovs-fields.7.html
[2] https://www.man7.org/linux/man-pages/man7/ovs-actions.7.html
On Fri, Oct 25, 2024 at 9:57 AM Rob Roschewsk <rob@pabut.org> wrote:
>
> Thanks Martin!
>
> I'm not at the point of adding code to this project yet ... close but
> not yet :) This will certainly give me a head start if that happens.
> -> Rob
>
>
> On Fri, Oct 25, 2024 at 4:39 AM Martin Tonusoo <martin@tonusoo.ee> wrote:
> >
> > Hi Rob,
> >
> > perhaps something like this will do:
> > https://gist.github.com/tonusoo/0490bc5cf564689f3999f1de4eef098d
> >
> > On Debian based distributions the dependencies can be installed with
> > "apt install --no-install-recommends python3-pcapy python3-scapy".
> > Pcapy is a wrapper library for libpcap which processes the filter in
> > Berkeley Packet Filter syntax, builds the binary bytecode and
> > eventually sends it to the kernel via the SO_ATTACH_FILTER. Thus,
> > there should be very little impact on throughput or CPU usage.
> >
> > I used the following systemd service to manage the script:
> >
> > root@deb12-1:~# systemctl cat packet-forwarder
> > # /etc/systemd/system/packet-forwarder.service
> > [Unit]
> > Description=Forwards certain packets received on eth0 out from eth1
> > After=network.target
> >
> > [Service]
> > Type=simple
> > Restart=always
> > ExecStart=/usr/local/sbin/packet-forwarder.py
> >
> > [Install]
> > WantedBy=multi-user.target
> > root@deb12-1:~#
> >
> >
> > Martin
>
--
Logan