Hello Pablo, lists

How can we handle conntrack of a child process which fork/clones with CLONE_NEWNET flags from the parent? I tried passing the child's AF_NETLINK socket fd to the parent using sendmsg. But there may be a better way to handle it, connecting the child's AF_NETLINK socket, like ``ip link set ... netns''. I tried a tiny and hacky prototype which can be got from http://www.h3.dion.ne.jp/~chamas/src/ctprobe.tgz but I do not know if it's the right way. Would you give me some advice?

--------

English is not my native language, so I would like to explain with copious use of commands.

There is a linux box which has two NICs. One is for normal usage, the other is connected to a mirrored port of network equipment (like an L2/L3 switch). eth1 is connected to the mirrored port.

# yes, tested on KVM/QEMU, call this HOST
root@debian:~# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 40:a0:b0:96:a7:01 brd ff:ff:ff:ff:ff:ff
    inet 172.27.101.134/24 brd 172.27.101.255 scope global eth0
    inet6 fe80::42a0:b0ff:fe96:a701/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 40:a0:b0:96:a7:02 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42a0:b0ff:fe96:a702/64 scope link
       valid_lft forever preferred_lft forever

Create a child using lxc (http://lxc.sourceforge.net/)

# will call GUEST
root@debian:~# cat lxc.conf
lxc.utsname = lxc
lxc.network.type = empty
lxc.mount.entry=sysfs /sys sysfs defaults 0 0
lxc.mount.entry=proc /proc proc defaults 0 0
root@debian:~# lxc-execute -n lxc -f lxc.conf /bin/bash
root@lxc:~# ip link ls
6: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Pass the monitoring and dummy (NULL) interface to the child.

on HOST side
root@debian:~/ctprobe# ps -aef | grep lxc
root      3090  3063  0 23:05 pts/0    00:00:00 lxc-execute -n lxc -f lxc.conf /bin/bash
root      3091  3090  0 23:05 pts/0    00:00:00 /usr/lib/lxc/lxc-init -- /bin/bash
root      3103  1702  0 23:06 ttyS0    00:00:00 grep lxc
root@debian:~/ctprobe# ip link set eth1 netns 3091
root@debian:~/ctprobe# ip link ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 40:a0:b0:96:a7:01 brd ff:ff:ff:ff:ff:ff
root@debian:~/ctprobe# modprobe dummy
root@debian:~/ctprobe# ip link set dummy0 netns 3091

Create bridge br0 and redirect (change MAC address) all traffic to local. Then, to enable conntrack and let all traffic go through from eth1 to dummy0, add a default route.

on GUEST side
root@lxc:~# ip link ls
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 40:a0:b0:96:a7:02 brd ff:ff:ff:ff:ff:ff
6: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
    link/ether 92:d0:ea:d8:60:01 brd ff:ff:ff:ff:ff:ff
root@lxc:~# ip link set eth1 up
root@lxc:~# ip link set dummy0 up
root@lxc:~# brctl addbr br0
root@lxc:~# brctl addif br0 eth1
root@lxc:~# ip link set br0 up
root@lxc:~# ebtables -t broute -I BROUTING -i eth1 -j redirect --redirect-target ACCEPT
root@lxc:~# iptables -I INPUT -m connbytes --connbytes 0: --connbytes-dir both --connbytes-mode bytes -j ACCEPT
root@lxc:~# ip route add default dev dummy0

At this point, I can ``see'' the conntrack of the monitoring interface on GUEST with ``conntrack -L'', and send through the network if I give more NICs to GUEST and add more specific routes on GUEST. But those seem bothersome to me, so I think it's easy to let HOST read and write GUEST's AF_NETLINK socket.

--------

The test with my silly code is...

Run the socket fd transmitter on GUEST side
root@lxc:~# cd ctprobe/
root@lxc:~/ctprobe# ./passocketer

Then, run conntrack on HOST side
root@debian:~/ctprobe# conntrack -L -p icmp
conntrack v0.9.14 (conntrack-tools): 0 flow entries have been shown.
root@debian:~/ctprobe# LD_PRELOAD=./passock.so conntrack -L -p icmp
icmp     1 29 src=172.27.68.175 dst=172.27.68.1 type=8 code=0 id=27167 packets=65 bytes=5460 src=172.27.68.1 dst=172.27.68.175 type=0 code=0 id=27167 packets=65 bytes=5460 mark=0 use=1
conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.

Again, I don't know whether this is an effective way or not... I think this lets us implement a netflow probe easily, without libpcap.

thanks,
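The fd-passing step the post describes (the child's AF_NETLINK socket handed to the parent with sendmsg) written out as an added example in C; this is constructed illustration code, not the ctprobe code from the post. It assumes Linux, and the child only actually lands in a new network namespace when it has CAP_SYS_ADMIN (unshare fails silently otherwise and the socket is created in the caller's namespace), so a parent that relies on this should check the child's namespace separately.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <linux/netlink.h>
/* Send one descriptor over a connected AF_UNIX socket via SCM_RIGHTS; 0 on success. */
int send_fd(int sock, int fd)
{
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))] = {0};  /* one data byte is mandatory */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    *(int *)CMSG_DATA(c) = fd;             /* the receiver gets its own copy of the fd */
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new local fd, or -1 if none arrived. */
int recv_fd(int sock)
{
    char byte, cbuf[CMSG_SPACE(sizeof(int))]; struct cmsghdr *c;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1 || !(c = CMSG_FIRSTHDR(&msg)) ||
        c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    return *(int *)CMSG_DATA(c);
}

/* Fork a child that enters a new network namespace (best effort: unshare needs
 * CAP_SYS_ADMIN), opens an AF_NETLINK socket there and hands it back; fd or -1. */
int netlink_fd_from_child(int proto)
{
    int sv[2], fd = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                        /* child: the socket belongs to its netns */
        unshare(CLONE_NEWNET);
        int nl = socket(AF_NETLINK, SOCK_RAW, proto);
        if (nl >= 0) send_fd(sv[1], nl);
        _exit(0);
    }
    close(sv[1]);
    if (pid > 0) { fd = recv_fd(sv[0]); waitpid(pid, NULL, 0); }
    close(sv[0]);
    return fd;
}
```

The returned descriptor stays attached to the namespace it was created in, so the parent can talk to the child's netfilter subsystem through it (with NETLINK_NETFILTER instead of NETLINK_ROUTE) without an LD_PRELOAD hook.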