[Firehol-support] Testing and emulation with network namespaces

Phil Whineray phil at sanewall.org
Wed Apr 1 23:54:10 CEST 2015


Hi Costa

On Wed, Apr 01, 2015 at 11:09:04AM +0300, Tsaousis, Costa wrote:
> 1. Can a physical lan be linked to a virtual switch? For example, I
> have two ethernet devices, can I link each of these to a different
> virtual switch with a different virtual gateway?

> 2. Can physical ethernet vlans join virtual switches?

Switches as set up by the script are just normal bridge devices in a
namespace. The reason for separating them from hosts is for clarity
and to do some boilerplate (i.e. create the bridge and add interfaces
to it automatically).

I believe the usual way of connecting a physical device into a
namespace is to create a veth pair with one end in the root
namespace and the other in your chosen namespace.

The veth end in the root namespace is added into a bridge with the
physical device. The other veth end can be used directly as a device
in a namespace or also added into a bridge (such as the ones created by
the script to represent a switch).

I guess this should work for a vlan link as well as for any
other device, since I don't think there is anything unusual in
bridging these devices.

I also think it may be possible to just set the namespace of a
physical device, provided you don't care about using it in the
root namespace.

I will try all of these out tomorrow and confirm.

> 3. Is QoS operational on the virtual ethernets? This opens a whole set
> of new possibilities for QoS.

It certainly appears to be. I used the setup described with the
config and did a file transfer using netcat from fw to gw with
and without a fireqos setup in place.

280MB of data transfers almost instantly with no QOS in place. Using the
fireqos.conf from the examples directory and editing only the interface
to match, I can limit to 750kb ADSL upload speeds and monitor the
packet backlog with fireqos from a separate terminal:

$ sudo ip netns exec fw ./sbin/fireqos.in fireqos.conf start

$ sudo ip netns exec gw nc -l -p 23 > /dev/null

$ time sudo ip netns exec fw nc -q 1 10.1.1.253 23 < big.bin

$ sudo ip netns exec fw ./sbin/fireqos.in fireqos.conf status adsl-out

> 4. Last time I checked, namespaces had an issue with logging,
> especially kernel logging. I was unable to monitor the iptables logs
> of the namespaces. Have you found any solution?

This appears to still be true and your comment has saved me some
time... I was about to embark on a series of tests to verify bridge
behaviours with iptables and I was going to rely on logging but I
can confirm for now it is not working.

I guess this is due to the logs being passed over some form of network
link but I tried simply starting a ulogd in the appropriate namespace
and that did not work either.

I will follow up some leads when I get a bit of time. Hopefully I can
get to the bottom of this, as not having logging clearly limits the
usefulness of the setup.

Until it is decided what to do, I have put the script here so you
can try it out if you like:
  https://gist.github.com/philwhineray/a7506b53a4055acc7b36

Cheers
Phil
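
The veth-pair-and-bridge arrangement Phil describes for questions 1 and 2, written out as a small POSIX shell script. This is an added example, not Phil's gist script and not part of the original mail; the device and namespace names (eth1, fw, sw0, the br-/v- prefixes) are placeholders, and it assumes the namespace and its "switch" bridge already exist, as the gist script would have created them. With DRY_RUN=1 it only prints the iproute2 commands it would run, so the wiring can be reviewed before touching a real NIC.

```shell
#!/bin/sh
# Added example: plumb a physical NIC (or a vlan device on it) into a
# namespace "switch" (a bridge inside the namespace) through a veth pair.
# Assumed placeholders: eth1, fw, sw0, and the br-/v- name prefixes.
# Real execution needs root and iproute2; DRY_RUN=1 prints instead.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# attach_physical_to_switch PHYS NS SWITCH
#   PHYS   device in the root namespace (e.g. eth1, or a vlan device
#          such as eth1.100); keep it short, interface names max 15 chars
#   NS     existing network namespace that holds the virtual switch
#   SWITCH bridge device inside NS representing that switch
attach_physical_to_switch() {
    phys="$1"; ns="$2"; sw="$3"
    root_br="br-${phys}"        # bridge in the root namespace
    veth_root="v-${phys}-r"     # veth end that stays in the root namespace
    veth_ns="v-${phys}-ns"      # veth end that moves into NS

    # 1. root-namespace bridge joining the physical NIC and one veth end
    run ip link add "$root_br" type bridge
    run ip link set "$phys" master "$root_br"

    # 2. veth pair: one end root-side, the other handed to the namespace
    run ip link add "$veth_root" type veth peer name "$veth_ns"
    run ip link set "$veth_root" master "$root_br"
    run ip link set "$veth_ns" netns "$ns"

    # 3. inside NS, the veth end joins the bridge that represents the switch
    run ip netns exec "$ns" ip link set "$veth_ns" master "$sw"

    # 4. bring every link up
    run ip link set "$phys" up
    run ip link set "$root_br" up
    run ip link set "$veth_root" up
    run ip netns exec "$ns" ip link set "$veth_ns" up
}

# The alternative Phil mentions: move the whole NIC into the namespace,
# giving up any use of it from the root namespace.
move_physical_to_ns() {
    run ip link set "$1" netns "$2"
}
```

Once the root-side bridge is up, the namespace is a real layer-2 participant on that physical LAN, so the firewall rules loaded inside it are what stands between the LAN and the emulated hosts; given the logging problem discussed under question 4, it is worth checking the ruleset with `iptables -L -v` counters inside the namespace rather than relying on log lines.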
