[Firehol-support] Testing and emulation with network namespaces

Tsaousis, Costa costa at tsaousis.gr
Wed Apr 1 10:09:04 CEST 2015


Hi Phil,

this is very nice.

I have a few questions:

1. Can a physical LAN be linked to a virtual switch? For example, I
have two Ethernet devices, can I link each of these to a different
virtual switch with a different virtual gateway?

2. Can physical Ethernet VLANs join virtual switches?

3. Is QoS operational on the virtual ethernets? This opens a whole set
of new possibilities for QoS.

4. Last time I checked, namespaces had an issue with logging,
especially kernel logging. I was unable to monitor the iptables logs
of the namespaces. Have you found any solution?

Costa


On Wed, Apr 1, 2015 at 12:49 AM, Phil Whineray <phil at sanewall.org> wrote:
> Hi
>
> I've been on a bit of a mission trying to work out the best way of dealing
> with mixed router/bridge configurations which took me down the path of
> wanting to emulate complex network setups.
>
> Since Linux 2.6.24 there has been support for network namespaces. These
> are used in the firehol unit tests just to prevent messing with your normal
> firewall set.
>
> Much more can be done though, see https://lwn.net/Articles/580893/
> for some info. I now have a script which can take a setup file with
> a simple format and automate the setup of a virtual network of hosts
> and switches of arbitrary complexity. See below for a complete setup.
>
> There is currently no attempt to connect to the root namespace (and
> hence the outside world) - that will need to be done manually if you
> really need it.
>
> The question I have - is it useful enough to include in the firehol
> tree, either as a testing helping tool or even main script? Also, has
> anyone got a good name for it?
>
> Cheers
> Phil
>
>
> # This definition sets up a network according to the diagram below which
> # covers a multitude of possible scenarios.
> #
> # Key:
> #    hostname
> #    [device]   (hosts have just a [veth0] unless otherwise noted)
> #    (switch)
> #
> #  host21                    +- host01            host41
> #   |                        |                    |
> #   |    host22              +- host02            |     host42
> #   |     |                  | (sw0)              |     |
> #   |     |  . . . . . . . . | . . . . . . . . .  |     |
> #   |     |  .            [veth0]              .  |     |
> #   +-----+----[vbr0eth2]    |      [vbr1eth4]----+-----+
> #     (sw2)  .     |         | fw       |      .    (sw4)
> #            .     + [vbr0]--+---[vbr1] +      .
> #     (sw3)  .     |         |          |      .    (sw5)
> #   +-----+----[vbr0eth3]    |      [vbr1eth5]----+-----+
> #   |     |  .            [veth1]              .  |     |
> #   |     |  . . . . . . . . | . . . . . . . . .  |     |
> #   |     |                  | (<direct>)         |     |
> #   |    host31           [veth0]                 |     host52
> #   |                       gw                    |
> #  host32             [veth1]  [veth2]           host51
> #              (<direct>) /      \ (<direct>)
> #                      host11   host12
> #
> # A network namespace is created for each host and switch to keep everything
> # isolated. The name of the host or switch is the name used for the namespace
> # making it easy to use "ip netns exec" to specify where commands should run.
> #
> # Examples:
> #   Tcpdump traffic passing through a switch
> #     sudo ip netns exec sw0 tcpdump -i switch -w capfile
> #   Tcpdump traffic seen by a device on a host
> #     sudo ip netns exec host12 tcpdump -i veth0 -w capfile
> #   Ping "from" host01 (10.0.0.1) to host12 via switch sw0 and hosts fw and gw:
> #     sudo ip netns exec host01 ping 192.168.2.12
> #   Start netcat on port 23 of host52 to receive telnet:
> #     sudo ip netns exec host52 nc -l -p 23
> #   telnet "from" host21 (10.0.0.1) to host52 via fw, switches and bridges:
> #     sudo ip netns exec host21 telnet 10.45.45.52
> #   Panic firehol in fw host namespace (now previous commands are blocked):
> #     sudo ip netns exec fw sbin/firehol.in panic
> #
> # Note that there are no virtual machines in use, all processing is done
> # on the host but with separate views of what the network looks like.
> #
>
> host fw
>   dev veth0 10.0.0.254/24
>   dev veth1 10.1.1.254/24
>   dev vbr0eth2
>   dev vbr0eth3
>   dev vbr1eth4
>   dev vbr1eth5
>   bridgedev vbr0 vbr0eth2 vbr0eth3 10.23.23.254/24
>   bridgedev vbr1 vbr1eth4 vbr1eth5 10.45.45.254/24
>   route default via 10.1.1.253
>   exec echo 1 > /proc/sys/net/ipv4/ip_forward
>
> host gw
>   dev veth0 fw/veth1 10.1.1.253/24
>   dev veth1 192.168.1.254/24
>   dev veth2 192.168.2.254/24
>   route default via 10.1.1.254
>   exec echo 1 > /proc/sys/net/ipv4/ip_forward
>
> host host01
>   dev veth0 10.0.0.1/24
>   route default via 10.0.0.254
>
> host host02
>   dev veth0 10.0.0.2/24
>   route default via 10.0.0.254
>
> host host11
>   dev veth0 gw/veth1 192.168.1.11/24
>   route default via 192.168.1.254
>
> host host12
>   dev veth0 gw/veth2 192.168.2.12/24
>   route default via 192.168.2.254
>
> host host21
>   dev veth0 10.23.23.21/24
>   route default via 10.23.23.254
>
> host host22
>   dev veth0 10.23.23.22/24
>   route default via 10.23.23.254
>
> host host31
>   dev veth0 10.23.23.31/24
>   route default via 10.23.23.254
>
> host host32
>   dev veth0 10.23.23.32/24
>   route default via 10.23.23.254
>
> host host41
>   dev veth0 10.45.45.41/24
>   route default via 10.45.45.254
>
> host host42
>   dev veth0 10.45.45.42/24
>   route default via 10.45.45.254
>
> host host51
>   dev veth0 10.45.45.51/24
>   route default via 10.45.45.254
>
> host host52
>   dev veth0 10.45.45.52/24
>   route default via 10.45.45.254
>
> switch sw0
>   dev d01 fw/veth0
>   dev d02 host01/veth0
>   dev d03 host02/veth0
>
> switch sw2
>   dev d01 fw/vbr0eth2
>   dev d02 host21/veth0
>   dev d03 host22/veth0
>
> switch sw3
>   dev d01 fw/vbr0eth3
>   dev d02 host31/veth0
>   dev d03 host32/veth0
>
> switch sw4
>   dev d01 fw/vbr1eth4
>   dev d02 host41/veth0
>   dev d03 host42/veth0
>
> switch sw5
>   dev d01 fw/vbr1eth5
>   dev d02 host51/veth0
>   dev d03 host52/veth0
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
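Phil's script itself is not shown, so here is an added example (not code from the post or the firehol tree): a small Python parser for the setup format quoted above that emits the ip(8) commands needed to build it, as a dry run that refuses any `ns/dev` peer reference naming an undeclared device. It assumes a switch is a bridge named `switch` (as in the `tcpdump -i switch` example) and uses temporary veth names `tmp_a`/`tmp_b` of my own choosing.

```python
import shlex, sys

# Assumed semantics (not spelled out in the post): "ns/dev" on a dev line names the
# veth peer in another namespace; a switch is a bridge named "switch" over its devs.
def is_addr(a):          # 10.0.0.1/24 is an address, fw/veth1 is a peer reference
    return "/" in a and a.rsplit("/", 1)[1].isdigit()

def parse(text):
    nodes, cur = {}, None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        kw, *args = line.split()
        if kw in ("host", "switch"):     # each host/switch becomes one namespace
            cur = nodes[args[0]] = {"kind": kw, "devs": [], "bridges": [], "routes": [], "execs": []}
        elif cur is None:
            raise ValueError(f"{line!r} appears before any host/switch line")
        elif kw == "dev":                # dev NAME [peerns/peerdev] [addr/prefix]
            peer = [tuple(a.split("/", 1)) for a in args[1:] if "/" in a and not is_addr(a)]
            cur["devs"].append((args[0], peer[0] if peer else None, next(filter(is_addr, args), None)))
        elif kw == "bridgedev":          # bridgedev NAME PORT... [addr/prefix]
            cur["bridges"].append((args[0], [a for a in args[1:] if not is_addr(a)], next(filter(is_addr, args), None)))
        elif kw in ("route", "exec"):    # rest of the line is passed through verbatim
            cur[kw + "s"].append(line.split(None, 1)[1])
        else:
            raise ValueError(f"unknown keyword in {line!r}")
    return nodes

def commands(nodes):
    cmds = [f"ip netns add {ns}" for ns in nodes]
    run = lambda ns, *cs: cmds.extend(f"ip netns exec {ns} {c}" for c in cs)
    for ns, node in nodes.items():       # pass 1: veth pairs, checked against the declared peer
        for dev, (pns, pdev) in [(d, p) for d, p, _ in node["devs"] if p]:
            if pdev not in [d for d, _, _ in nodes.get(pns, {"devs": []})["devs"]]:
                raise ValueError(f"{ns}/{dev}: peer {pns}/{pdev} is not declared")
            cmds += ["ip link add tmp_a type veth peer name tmp_b",   # temp names avoid clashes in the root ns
                     f"ip link set tmp_a netns {ns} name {dev}",
                     f"ip link set tmp_b netns {pns} name {pdev}"]
    for ns, node in nodes.items():       # pass 2: bridges, addresses, routes, exec lines
        bridges = node["bridges"] + [("switch", [d for d, *_ in node["devs"]], None)] * (node["kind"] == "switch")
        for br, ports, _ in bridges:
            run(ns, f"ip link add {br} type bridge", *(f"ip link set {p} master {br}" for p in ports))
        for dev, addr in [(b, a) for b, _, a in bridges] + [(d, a) for d, _, a in node["devs"]]:
            run(ns, f"ip link set {dev} up", *([f"ip addr add {addr} dev {dev}"] if addr else []))
        run(ns, *(f"ip route add {r}" for r in node["routes"]),
            *(f"sh -c {shlex.quote(c)}" for c in node["execs"]))   # exec needs a shell for redirections
    return cmds

if __name__ == "__main__":               # usage: python3 netns_setup.py setup.txt | sudo sh
    print("\n".join(commands(parse(open(sys.argv[1]).read()))))
```

Reviewing the emitted list before piping it to a shell is the point: a typo in a peer reference fails at parse time instead of leaving a half-built topology in the kernel.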