[Firehol-support] Testing and emulation with network namespaces
phil at sanewall.org
Wed Apr 1 22:54:10 BST 2015
On Wed, Apr 01, 2015 at 11:09:04AM +0300, Tsaousis, Costa wrote:
> 1. Can a physical lan be linked to a virtual switch? For example, I
> have two ethernet devices, can I link each of these to a different
> virtual switch with a different virtual gateway?
> 2. Can physical ethernet vlans join virtual switches?
Switches as set up by the script are just normal bridge devices in a
namespace. The reason for separating them from hosts is for clarity
and to do some boilerplate (i.e. create the bridge and add interfaces
to it automatically).
I believe the usual way of connecting a physical device into a
namespace is to create a veth pair with one end in the root
namespace and the other in your chosen namespace.
The veth end in the root namespace is added into a bridge with the
physical device. The other veth end can be used directly as a device
in a namespace or also added into a bridge (such as the ones created by
the script to represent a switch).
I guess this should work for a vlan link as well as for any
other device, since I don't think there is anything unusual in
bridging these devices.
I also think it may be possible to just set the namespace of a
physical device, provided you don't care about using it in the
I will try all of these out tomorrow and confirm.
> 3. Is QoS operational on the virtual ethernets? This opens a whole set
> of new possibilities for QoS.
It certainly appears to be. I used the setup described with the
config and did a file transfer using netcat from fw to gw with
and without a fireqos setup in place.
280MB of data transfers almost instantly with no QOS in place. Using the
fireqos.conf from the examples directory and editing only the interface
to match, I can limit to 750kb ADSL upload speeds and monitor the
packet backlog with fireqos from a separate terminal:
$ sudo ip netns exec fw ./sbin/fireqos.in fireqos.conf start
$ sudo ip netns exec gw nc -l -p 23 > /dev/null
$ time sudo ip netns exec fw nc -q 1 10.1.1.253 23 < big.bin
$ sudo ip netns exec fw ./sbin/fireqos.in fireqos.conf status adsl-out
> 4. Last time I checked, namespaces had an issue with logging,
> especially kernel logging. I was unable to monitor the iptables logs
> of the namespaces. Have you found any solution?
This appears to still be true and your comment has saved me some
time... I was about to embark on a series of tests to verify bridge
behaviours with iptables and I was going to rely on logging but I
can confirm for now it is not working.
I guess this is due to the logs being passed over some form of network
link but I tried simply starting a ulogd in the appropriate namespace
and that did not work either.
I will follow up some leads when I get a bit of time. Hopefully I can
get to the bottom of this, as not having logging clearly limits the
usefulness of the setup.
Until it is decided what to do, I have put the script here so you
can try it out if you like:
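The veth-and-bridge arrangement described in the reply above, written out as an added example shell function. This is not code from the original post or from the FireHOL/sanewall scripts; the interface naming scheme, the RUN dry-run variable and the default bridge names are assumptions for illustration. It covers both the plain physical device case and the VLAN device case, since the commands are identical.

```shell
#!/bin/sh
# Added example: attach a physical (or VLAN) device living in the root
# namespace to a "switch" bridge inside a network namespace via a veth pair.
# Set RUN=echo to print the commands instead of executing them; running
# them for real needs root and an already-created namespace.
RUN="${RUN:-}"

# link_phys_to_switch PHYS NS SWITCH_BR [ROOT_BR]
#   PHYS      device in the root namespace (e.g. eth0, or a VLAN such as eth0.10)
#   NS        existing network namespace that holds the virtual switch
#   SWITCH_BR bridge inside NS representing the switch (created here)
#   ROOT_BR   bridge in the root namespace joining PHYS and the root veth
#             end (created here; defaults to br-PHYS)
# Both bridges must not already exist; 'ip link add' fails otherwise.
link_phys_to_switch() {
    phys="$1"; ns="$2"; sw="$3"; rootbr="${4:-br-$1}"
    # veth names derived from the namespace name; keep under 15 chars (IFNAMSIZ)
    v_root="v-${ns}-r"
    v_ns="v-${ns}-n"

    # 1. veth pair: one end stays in the root namespace, the other moves into NS
    $RUN ip link add "$v_root" type veth peer name "$v_ns"
    $RUN ip link set "$v_ns" netns "$ns"

    # 2. root side: bridge the physical/VLAN device with the root veth end
    $RUN ip link add "$rootbr" type bridge
    $RUN ip link set "$phys" master "$rootbr"
    $RUN ip link set "$v_root" master "$rootbr"
    $RUN ip link set "$phys" up
    $RUN ip link set "$v_root" up
    $RUN ip link set "$rootbr" up

    # 3. namespace side: the other veth end joins the switch bridge in NS
    $RUN ip netns exec "$ns" ip link add "$sw" type bridge
    $RUN ip netns exec "$ns" ip link set "$v_ns" master "$sw"
    $RUN ip netns exec "$ns" ip link set "$v_ns" up
    $RUN ip netns exec "$ns" ip link set "$sw" up
}

# Usage (dry run, prints the 12 ip commands for VLAN 10 on eth0):
#   RUN=echo sh this.sh   -- after uncommenting the line below
# link_phys_to_switch eth0.10 sw1 br-sw1
```

With RUN unset the same call executes the commands; review the dry-run output first, because once PHYS is enslaved to the root bridge any address configured directly on PHYS stops being reachable and belongs on the bridge instead.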