[Firehol-support] Testing and emulation with network namespaces
Phil Whineray
phil at sanewall.org
Thu Apr 2 21:37:41 CEST 2015
Hi
I tested various combinations of connecting physical devices which all
worked. I can see no reason that the other combinations will not work
but I have not actually tried them.
Tested:
Bridge a physical device to a host namespace with veth
Bridge a physical device to a switch namespace with veth
Directly set namespace of a vlan device into a host namespace
Not tested:
Bridge a vlan device into host or switch namespace with veth
Directly set namespace of a physical device into a host namespace
At the bottom is a bunch of commands and output for reference.
I can also confirm that ulogd2 when started in a namespace logs the
iptables NFLOG output for that namespace, e.g.:
sudo ip netns exec fw /etc/init.d/ulogd2 restart
The latest version of the script automatically kills any processes
using the namespace when it shuts down a namespace. In combination
with the exec capability it is possible to easily set up logging
per-namespace:
--- CUT --
host fw
dev veth0 10.0.0.1/24
exec sed 's:/var/log/ulog/syslogemu.log:/var/log/ulog/fw.log:' /etc/ulogd.conf > $NSTMP/ulogd.conf
exec /usr/sbin/ulogd -d -c $NSTMP/ulogd.conf
host gw
dev veth0 fw/veth0 10.0.0.2/24
exec sed 's:/var/log/ulog/syslogemu.log:/var/log/ulog/gw.log:' /etc/ulogd.conf > $NSTMP/ulogd.conf
exec /usr/sbin/ulogd -d -c $NSTMP/ulogd.conf
--- CUT --
The above example just uses uses sed to create a copy system standard
ulogd.conf with an output path to match our namespace, then start ulogd
in the namespace with that config. You can have any number of exec lines
so setting forwarding is still the same etc.
$ sudo ./firetest nssimple.conf
$ ps aux | grep ulog
root 946 0.0 0.0 50100 1108 ? S<s 13:28 0:00 /usr/sbin/ulogd -d -c /tmp/firetest-JQshG2/ns/fw/ulogd.conf
root 960 0.0 0.0 50100 1112 ? S<s 13:28 0:00 /usr/sbin/ulogd -d -c /tmp/firetest-JQshG2/ns/gw/ulogd.conf
$ sudo ./firetest -c nssimple.conf
$ ps aux | grep ulog
Note that the /tmp/firetest-JQshG2 directory is deleted at the end of the
exec but this does not affect the ulogd which already has its config. If
you don't like not being able to see the file, just use a normal path instead
of $NSTMP.
As an aside, if you want your regular user shell but "within" a namespace,
this works well:
sudo ip netns exec thenamespace sudo -i -u $USER
Cheers
Phil
Connecting devices... initial setup...
$ brctl show
bridge name bridge id STP enabled interfaces
br0 8000.28d244c9df6e yes p3p1
virbr0 8000.000000000000 yes
$ ip addr show br0
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 28:d2:44:c9:df:6e brd ff:ff:ff:ff:ff:ff
inet 10.0.1.70/8 brd 10.255.255.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::2ad2:44ff:fec9:df6e/64 scope link
valid_lft forever preferred_lft forever
$ ip addr show p3p1
2: p3p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether 28:d2:44:c9:df:6e brd ff:ff:ff:ff:ff:ff
$ ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=7.81 ms
Test 1: Connect physical devices using veth pair
1a. Connect direct to namespace host
$ cat 1a.conf
host testhost
dev veth0 192.168.99.1/24
switch testswitch
dev d01 testhost/veth0
$ sudo ./firetest 1a.conf
$ sudo ip netns exec testhost ping -c 1 10.0.0.253
connect: Network is unreachable
$ sudo ip link add v0root type veth peer name v0ns
$ sudo ip link set v0root up
$ sudo brctl addif br0 v0root
$ sudo ip link set v0ns netns testhost
$ sudo ip netns exec testhost ip addr add 10.5.4.3/8 dev v0ns
$ sudo ip netns exec testhost ip link set v0ns up
wait a few seconds...
$ sudo ip netns exec testhost ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=0.168 ms
cleanup for next test (deletes all veth from namespaces, even the added one)
$ sudo ./firetest -c 1a.conf
1b. Connect via namespace switch
$ cat 1b.conf
host testhost
dev veth0 10.5.4.3/8
switch testswitch
dev d01 testhost/veth0
$ sudo ./firetest 1b.conf
$ sudo ip netns exec testhost ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
>From 10.5.4.3 icmp_seq=1 Destination Host Unreachable
$ sudo ip link add v0root type veth peer name v0ns
$ sudo ip link set v0root up
$ sudo brctl addif br0 v0root
$ sudo ip link set v0ns netns testswitch
$ sudo ip netns exec testswitch ip link set v0ns up
$ sudo ip netns exec testswitch brctl addif switch v0ns
wait a few seconds...
$ sudo ip netns exec testhost ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=10.8 ms
cleanup for next test:
$ sudo ./firetest -c 1b.conf
Test 2: Connect vlan devices using veth pair
check we have a host accessible only from a different VLAN...
$ ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
>From 10.0.1.70 icmp_seq=1 Destination Host Unreachable
$ sudo ip link add link p3p1 name p3p1.5 type vlan id 5
$ sudo ip addr add 10.5.4.3/32 dev p3p1.5
$ sudo ip link set p3p1.5 up
$ sudo ip route add 10.0.0.219/32 dev p3p1.5
$ ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
64 bytes from 10.0.0.219: icmp_seq=1 ttl=64 time=5.14 ms
$ sudo ip route del 10.0.0.219/32 dev p3p1.5
$ ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
>From 10.0.1.70 icmp_seq=1 Destination Host Unreachable
setup the namespace and do the same check...
$ sudo ./firetest 1a.conf
$ sudo ip netns exec testhost ping -c 1 10.0.0.219
connect: Network is unreachable
$ sudo ip link set p3p1.5 netns testhost
$ sudo ip netns exec testhost ip addr add 10.5.4.3/32 dev p3p1.5
$ sudo ip netns exec testhost ip link set p3p1.5 up
$ sudo ip netns exec testhost ip route add 10.0.0.219/32 dev p3p1.5
$ sudo ip netns exec testhost ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
64 bytes from 10.0.0.219: icmp_seq=1 ttl=64 time=6.65 ms
Notably trying to use the script to cleanup did not work with the
vlan device added direct, so I had to remove it manually:
$ sudo ip netns exec testhost ip link del p3p1.5
More information about the Firehol-support
mailing list