[Firehol-support] Testing and emulation with network namespaces

Phil Whineray phil at sanewall.org
Thu Apr 2 21:37:41 CEST 2015 

Hi

I tested various combinations of connecting physical devices which all
worked. I can see no reason that the other combinations will not work
but I have not actually tried them.

Tested:
  Bridge a physical device to a host namespace with veth
  Bridge a physical device to a switch namespace with veth
  Directly set namespace of a vlan device into a host namespace

Not tested:
  Bridge a vlan device into host or switch namespace with veth
  Directly set namespace of a physical device into a host namespace

At the bottom is a bunch of commands and output for reference.

I can also confirm that ulogd2 when started in a namespace logs the
iptables NFLOG output for that namespace, e.g.:
  sudo ip netns exec fw /etc/init.d/ulogd2 restart

The latest version of the script automatically kills any processes
using the namespace when it shuts down a namespace. In combination
with the exec capability it is possible to easily set up logging
per-namespace:

--- CUT --
host fw
  dev veth0 10.0.0.1/24
  exec sed 's:/var/log/ulog/syslogemu.log:/var/log/ulog/fw.log:' /etc/ulogd.conf > $NSTMP/ulogd.conf
  exec /usr/sbin/ulogd -d -c $NSTMP/ulogd.conf

host gw
  dev veth0 fw/veth0 10.0.0.2/24
  exec sed 's:/var/log/ulog/syslogemu.log:/var/log/ulog/gw.log:' /etc/ulogd.conf > $NSTMP/ulogd.conf
  exec /usr/sbin/ulogd -d -c $NSTMP/ulogd.conf
--- CUT --

The above example just uses uses sed to create a copy system standard
ulogd.conf with an output path to match our namespace, then start ulogd
in the namespace with that config. You can have any number of exec lines
so setting forwarding is still the same etc.

$ sudo ./firetest nssimple.conf

$ ps aux | grep ulog
root       946  0.0  0.0  50100  1108 ?        S<s  13:28   0:00 /usr/sbin/ulogd -d -c /tmp/firetest-JQshG2/ns/fw/ulogd.conf
root       960  0.0  0.0  50100  1112 ?        S<s  13:28   0:00 /usr/sbin/ulogd -d -c /tmp/firetest-JQshG2/ns/gw/ulogd.conf

$ sudo ./firetest -c nssimple.conf

$ ps aux | grep ulog

Note that the /tmp/firetest-JQshG2 directory is deleted at the end of the
exec but this does not affect the ulogd which already has its config. If
you don't like not being able to see the file, just use a normal path instead
of $NSTMP.

As an aside, if you want your regular user shell but "within" a namespace,
this works well:
  sudo ip netns exec thenamespace sudo -i -u $USER

Cheers
Phil

Connecting devices... initial setup...

$ brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.28d244c9df6e	yes		p3p1
virbr0		8000.000000000000	yes		

$ ip addr show br0
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 28:d2:44:c9:df:6e brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.70/8 brd 10.255.255.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2ad2:44ff:fec9:df6e/64 scope link 
       valid_lft forever preferred_lft forever

$ ip addr show p3p1
2: p3p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 28:d2:44:c9:df:6e brd ff:ff:ff:ff:ff:ff

$ ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=7.81 ms


Test 1: Connect physical devices using veth pair

1a. Connect direct to namespace host

$ cat 1a.conf
host testhost
  dev veth0 192.168.99.1/24

switch testswitch
  dev d01 testhost/veth0

$ sudo ./firetest 1a.conf

$ sudo ip netns exec testhost ping -c 1 10.0.0.253
connect: Network is unreachable

$ sudo ip link add v0root type veth peer name v0ns
$ sudo ip link set v0root up
$ sudo brctl addif br0 v0root

$ sudo ip link set v0ns netns testhost
$ sudo ip netns exec testhost ip addr add 10.5.4.3/8 dev v0ns
$ sudo ip netns exec testhost ip link set v0ns up

wait a few seconds...
$ sudo ip netns exec testhost ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=0.168 ms

cleanup for next test (deletes all veth from namespaces, even the added one)
$ sudo ./firetest -c 1a.conf


1b. Connect via namespace switch

$ cat 1b.conf
host testhost
  dev veth0 10.5.4.3/8

switch testswitch
  dev d01 testhost/veth0

$ sudo ./firetest 1b.conf

$ sudo ip netns exec testhost ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
>From 10.5.4.3 icmp_seq=1 Destination Host Unreachable

$ sudo ip link add v0root type veth peer name v0ns
$ sudo ip link set v0root up
$ sudo brctl addif br0 v0root

$ sudo ip link set v0ns netns testswitch
$ sudo ip netns exec testswitch ip link set v0ns up
$ sudo ip netns exec testswitch brctl addif switch v0ns

wait a few seconds...
$ sudo ip netns exec testhost ping -c 1 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
64 bytes from 10.0.0.253: icmp_seq=1 ttl=64 time=10.8 ms


cleanup for next test:
$ sudo ./firetest -c 1b.conf

Test 2: Connect vlan devices using veth pair

check we have a host accessible only from a different VLAN...

$ ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
>From 10.0.1.70 icmp_seq=1 Destination Host Unreachable

$ sudo ip link add link p3p1 name p3p1.5 type vlan id 5
$ sudo ip addr add 10.5.4.3/32 dev p3p1.5
$ sudo ip link set p3p1.5 up
$ sudo ip route add 10.0.0.219/32 dev p3p1.5

$ ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
64 bytes from 10.0.0.219: icmp_seq=1 ttl=64 time=5.14 ms

$ sudo ip route del 10.0.0.219/32 dev p3p1.5

$ ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
>From 10.0.1.70 icmp_seq=1 Destination Host Unreachable

setup the namespace and do the same check...

$ sudo ./firetest 1a.conf

$ sudo ip netns exec testhost ping -c 1 10.0.0.219
connect: Network is unreachable

$ sudo ip link set p3p1.5 netns testhost
$ sudo ip netns exec testhost ip addr add 10.5.4.3/32 dev p3p1.5
$ sudo ip netns exec testhost ip link set p3p1.5 up
$ sudo ip netns exec testhost ip route add 10.0.0.219/32 dev p3p1.5

$ sudo ip netns exec testhost ping -c 1 10.0.0.219
PING 10.0.0.219 (10.0.0.219) 56(84) bytes of data.
64 bytes from 10.0.0.219: icmp_seq=1 ttl=64 time=6.65 ms

Notably trying to use the script to cleanup did not work with the
vlan device added direct, so I had to remove it manually:

$ sudo ip netns exec testhost ip link del p3p1.5

More information about the Firehol-support mailing list