Redirect mirrored traffic to userspace app.

Hello everyone,

first of all, I'm not an iptables guru (that is why I'm here asking
you for help :)
Also, sorry for my poor English skills.

Well, at the office we have 2 major environments: development and production.
In order to test our software in more realistic conditions, we'd like
to run it in production, but without affecting client application
traffic.

So, what I think is a nice solution is to set up a switch port mirror
to copy all traffic going to the production server into our development server.

This is how our network topology looks (simplified):


                        +-------------------+
+------+   [REQUEST]    |      SWITCH       |
|CLIENT|--------------->|PORT1  PORT2->PORT3|
+------+                +-------------------+
                                 |       |
+-----------------+   [REQUEST]  |       | [MIRRORED REQ]  +------------------+
|PROD_SRV:eth0/IP1|<-------------+       +---------------->|DEVEL_SRV:eth0/IP2|
+-----------------+                                        +------------------+

Thanks to this damn GUI world, probably this ascii-art is ruined. Here
is another one:

CLIENT (send req)
   |
   |
   V
 PORT1
SWITCH PORT2---->PROD_SRV:eth0/IP1 (recv req)
 PORT3
   |
   |
   V
DEVEL_SRV:eth0/IP2 (recv mirrored req)


All traffic is UDP port 2077 only. I cannot change any config on PROD_SRV.

Our DEVEL_SRV should receive exactly the same packet PROD_SRV
receives, but with the destination address modified
so it can reach our userspace application.

tcpdump shows that all requests are being properly mirrored from PORT2 to PORT3.
ifconfig eth0 on DEVEL_SRV does not show any increment in the RX
statistics, but if I "ifconfig eth0 promisc", it starts to increment
RX.

I've tried to "DNAT" it, but without success:

 root@DEVEL_SRV# iptables -t nat -A PREROUTING -p udp --dport 2077 -j DNAT --to-destination $IP2

From DEVEL_SRV's point of view, it receives a legitimate request.
I've set up a DROP rule so responses do not interfere with the client's requests.

If I'm not clear, please feel free to ask anything.

Thanks for helping,

Mateus Caruccio


-- 
# ################ VOTE NULO ################
# Mateus de Oliveira Caruccio <mateus at caruccio dot com>
# Old programmers never die.  They just branch to another namespace
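As an added example (not code from the post or from the netfilter project), the Python below models the two things this thread turns on: why a non-promiscuous NIC never hands the mirrored frames to the kernel (their destination MAC is PROD_SRV's, not DEVEL_SRV's, which matches the RX-counter observation above), and what a `DNAT --to-destination` rule has to do to each packet once it does arrive (rewrite the IPv4 destination and repair both the IP header checksum and the UDP checksum, the latter because it covers a pseudo-header that includes the destination address). All MAC addresses, the RFC 5737 IPs standing in for IP1/IP2, and the payload are constructed placeholders; the frame is built in memory rather than captured from eth0.

```python
"""Model of a mirrored Ethernet/IPv4/UDP frame and a DNAT-style destination rewrite.

Added example for the netfilter thread above; not code from the original post.
Every address and the payload are constructed placeholders.
"""
import socket
import struct
from typing import Optional

UDP_PORT = 2077                               # the only traffic mentioned in the post
LOCAL_MAC = bytes.fromhex("020000000002")     # constructed: DEVEL_SRV eth0
PROD_MAC = bytes.fromhex("020000000001")      # constructed: PROD_SRV eth0
CLIENT_MAC = bytes.fromhex("020000000003")    # constructed: CLIENT
IP1 = "192.0.2.10"                            # constructed stand-in for PROD_SRV's IP1
IP2 = "192.0.2.20"                            # constructed stand-in for DEVEL_SRV's IP2
CLIENT_IP = "198.51.100.7"                    # constructed


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd length padded with one zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: str, dst_ip: str, udp: bytes) -> int:
    """UDP checksum over pseudo-header + UDP header (checksum field zeroed) + payload."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, len(udp))
    ck = ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return ck or 0xFFFF  # an all-zero result is transmitted as 0xFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Construct one Ethernet/IPv4/UDP frame with valid checksums (test input only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp


def nic_would_accept(frame: bytes, local_mac: bytes) -> bool:
    """Non-promiscuous receive filter: own unicast MAC, broadcast, or multicast only.

    A mirrored request still carries PROD_SRV's MAC, so DEVEL_SRV's NIC discards it
    before the kernel (and any iptables rule) sees it; promiscuous mode lifts this.
    """
    dst = frame[:6]
    return dst == local_mac or dst == b"\xff" * 6 or bool(dst[0] & 0x01)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Fields a userspace receiver cares about, or None if the frame is not IPv4/UDP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        return None
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    udp = frame[14 + ihl:]
    sport, dport, ulen, uck = struct.unpack("!HHHH", udp[:8])
    return {
        "dst_mac": frame[:6], "src_ip": src_ip, "dst_ip": dst_ip,
        "sport": sport, "dport": dport, "payload": udp[8:ulen],
        "ip_ok": ones_complement_sum(frame[14:14 + ihl]) == 0,
        "udp_ok": uck == 0 or udp_checksum(src_ip, dst_ip, udp[:ulen]) == uck,
    }


def dnat_to(frame: bytes, new_dst_ip: str) -> bytes:
    """Per-packet effect of `-j DNAT --to-destination new_dst_ip` on a UDP frame.

    Only the IPv4 destination changes, but both checksums must be recomputed:
    the IP header checksum directly, and the UDP checksum because its
    pseudo-header contains the destination address (a zero UDP checksum means
    "not used" and is left alone).
    """
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    ip[16:20] = socket.inet_aton(new_dst_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    udp = bytearray(frame[14 + ihl:])
    if udp[6:8] != b"\x00\x00":
        src_ip = socket.inet_ntoa(bytes(ip[12:16]))
        udp[6:8] = struct.pack("!H", udp_checksum(src_ip, new_dst_ip, bytes(udp)))
    return frame[:14] + bytes(ip) + bytes(udp)


if __name__ == "__main__":
    mirrored = build_frame(PROD_MAC, CLIENT_MAC, CLIENT_IP, IP1, 40000, UDP_PORT, b"hello")
    print("accepted without promisc:", nic_would_accept(mirrored, LOCAL_MAC))
    print("after DNAT:", parse_frame(dnat_to(mirrored, IP2)))
```

The parse/rewrite split mirrors where the work happens on the box: the NIC filter decides whether the frame exists for the kernel at all, and only then does the PREROUTING DNAT get a chance to change the destination. In practice the mirrored copy would be read from eth0 with an AF_PACKET socket rather than built in memory as here.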