diff options
author | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
commit | fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch) | |
tree | a2011270df48d3501892ac1a56015c8be57e8a7d /iproute2/iproute2+tc-slides.mgp |
import of old now defunct presentation slides svn repo
Diffstat (limited to 'iproute2/iproute2+tc-slides.mgp')
-rw-r--r-- | iproute2/iproute2+tc-slides.mgp | 454 |
1 files changed, 454 insertions, 0 deletions
diff --git a/iproute2/iproute2+tc-slides.mgp b/iproute2/iproute2+tc-slides.mgp new file mode 100644 index 0000000..9791f79 --- /dev/null +++ b/iproute2/iproute2+tc-slides.mgp @@ -0,0 +1,454 @@ +%include "default.mgp" +%default 1 bgrad +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +%nodefault +%back "blue" + +%center +%size 7 + + +Advanced Linux Networking + + +%center +%size 4 +by + +Harald Welte <laforge@gnumonks.org> + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +Contents + + Introduction + + Advanced Routing with iproute2 + + Bandwidth Management using tc + + Advanced netfilter concepts + + References / Further Reading + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +Introduction + +Changes in the Linux IP stack + + Alexey Kuznetsov introduced new routing in 2.2 + + IPv6 support required generalization + + tc subsystem (traffic control) + + Hooks in the Network stack (netfilter) + + Netlink Sockets + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +Introduction + +What can Linux do for me? + + Sophisticated routing (not only destination based) + + Control how the bandwidth is divided + + Prevent DoS attacks (various kinds of flooding) + + Advanced packet filtering (see my other talk) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART I - Advanced Routing + + Traditional IP routing + + router is connected to more than one network segment + + router knows which hosts are direcltly attached to these segments + + router knows where to send packets if destination not link-local + + router builds decision for each packet, based on its destination + + Why is this insufficient? + + Real-world network scenario getting more complex + + People want to have different routing for different services + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART I - Advanced Routing + +Policy routing with iproute2 + + Multiple routing tables + + Rules describing which routing table to use + + Configurable using commandline tool 'iproute2' + + Each rule consists of + priority (Determining order of rules) + match (Which packets match this rule) + packet source address + packet destination address + TOS value + incoming interface + fwmark (set by ipchains / iptables) + action Which routing table + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART I - Advanced Routing + +The 'ip' command + used for + interface configuration + neighbour/arp tables + policy routing + routing tables + tunnels + multicast routing + communication with kernel through netlink sockets + + Important commands for policy routing + ip rule show Show all rules in policy database + ip rule add Add new rule to policy database + ip rule delete Delete rule from policy database + +Examples: +%font "typewriter" +%size 3 +> ip rule add from 1.2.3.4/16 to 5.6.7.8/24 dev eth0 table 10 + +> ip rule show + +0: from all lookup local +32765: from 1.2.3.4/16 to 5.6.7.8/24 iif eth0 lookup 10 +32766: from all lookup main +32767: from all lookup 253 +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART I - Advanced Routing + +The 'ip' command + + Important commands for routing tables + ip route add Add routing table entry + ip route del Delete routing table entry + ip route list List routing table + ip route flush Flush routing cache + + In reality far more sophisticated +%font "typewriter" +%size 2 +Usage: ip route { list | flush } SELECTOR + ip route get ADDRESS [ from ADDRESS iif STRING ] + [ oif STRING ] [ tos TOS ] + ip route { add | del | change | append | replace | monitor } ROUTE +SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] + [ table TABLE_ID ] [ proto RTPROTO ] + [ type TYPE ] [ scope SCOPE ] +ROUTE := NODE_SPEC [ INFO_SPEC ] +NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] + [ table TABLE_ID ] [ proto RTPROTO ] + [ scope SCOPE ] [ metric METRIC ] +INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ]... +NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS +OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] + [ rtt NUMBER ] [ rttvar NUMBER ] + [ window NUMBER] [ cwnd NUMBER ] [ ssthresh REALM ] + [ realms REALM ] +TYPE := [ unicast | local | broadcast | multicast | throw | + unreachable | prohibit | blackhole | nat ] +TABLE_ID := [ local | main | default | all | NUMBER ] +SCOPE := [ host | link | global | NUMBER ] +FLAGS := [ equalize ] +NHFLAGS := [ onlink | pervasive ] +RTPROTO := [ kernel | boot | static | NUMBER ] +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART II - Bandwidth Management + + What do I need Bandwidth Management for? + + Decide how and who available bandwidth is devided + + Limit available bandwidth for certain users / applications + + Guarantee bandwidth for certain users / applications + + Divide bandwidth more equally between users / applications + + QoS, DiffServ, IntServ + + Linux 2.2 / 2.4 provides elaborate framework + + Called 'packet scheduling' or 'traffic control' + Another major achievement of Alexey Kuznetsov + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART II - Bandwidth Management + +Basic iptables commands + +To build a complete iptable command, we must specify + which table to work with + which chain in this table to use + an operation (insert, add, delete, modify) + a match + a target + +The syntax is +%font "typewriter" +%size 3 +iptables -t table -Operation chain -j target match(es) +%font "standard" +%size 5 + +Example: +%font "typewriter" +%size 3 +iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART II - packet filtering + +Targets + + Builtin Targets to be used in filter table + ACCEPT accept the packet + DROP silently drop the packet + QUEUE enqueue packet to userspace + RETURN return to previous (calling) chain + foobar user defined chain + +Targets implemented as loadable modules + REJECT drop the packet but inform sender + MIRROR change source/destination IP and resend + LOG log via syslog + ULOG log via userspace + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART II - packet filtering + +Matches + + Basic matches + -p protocol (tcp/udp/icmp/...) + -s source address (ip/mask) + -d destination address (ip/mask) + -i incoming interface + -o outgoing interface + + Match extensions + --dport destination port + --sport source port + --mac-source source MAC address + --mark nfmark + --tos TOS field of IP header + --ttl TTL field of IP header + --limit rate limiting (n packets per timeframe) + --owner owner uid of the socket sending the packet + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART III - NAT + +Overview + + Previous Linux Kernels only implemented one special case of NAT: Masquerading + + Netfilter enables Linux to do any kind of NAT. + + All matches from packet filtering are available for the nat tables, too + + We divide NAT into 'source NAT' and 'destination NAT' + + SNAT changes the packet's source whille passing NF_IP_POST_ROUTING + + DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING + + MASQUERADE is a special case of SNAT + + REDIRECT is a special case of DNAT + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART III - NAT + +Source NAT + + SNAT Example: +%font "typewriter" +%size 3 + +iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.4 -s 10.0.0.0/8 +%font "standard" +%size 4 + +Masquerading does almost the same as SNAT, but if the outgoing interfaces' address changes (in case we have a dialup with dynamic ip), the new address is used. + + MASQUERADE Example: +%font "typewriter" +%size 3 + +iptables -t nat -A POSTROUTING -j MASQUERADE -o ppp0 +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART III - NAT + +Destination NAT + + DNAT example: +%font "typewriter" +%size 3 + +iptables -t nat -A PREROUTING -j DNAT --to-destination 1.2.3.4:8080 -p tcp --dport 80 -i eth1 +%font "standard" +%size 4 + +REDIRECT is a special case of DNAT, which alters the destination to the address of the incoming interface. + + REDIRECT example: +%font "typewriter" +%size 3 + +iptables -t nat -A PREROUTING -j REDIRECT --to-port 3128 -i eth1 -p tcp --dport 80 +%font "standard" +%size 5 + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +PART IV - Packet mangling + + Change certain parts of a packet based on rules in IP tables + + Again all the matches available, as described in packet filtering section. + + Currently, the supported packet mangling targets are: + TOS manipulate the TOS bits + TTL set / increase / decrease TTL field + MARK change the nfmark field of the skb + +Simple example: +%font "typewriter" +%size 3 + +iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -p tcp --dport 80 + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +Advanced Netfilter concepts + + Connection tracking + + Implemented seperately from NAT + + Enables stateful filtering + + Implementation + hooks into NF_IP_PRE_ROUTING to track packets + hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to drop information about connections which got filtered out + protocol modules (currently TCP/UDP/ICMP) + application helpers (currently FTP and IRC-DCC) + + Conntrack divides packets in the following four categories + NEW - would establish new connection + ESTABLISHED - part of already established connection + RELATED - is related to established connection + INVALID - (multicast, errors...) + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +Advanced Netfilter concepts + +%size 4 + Userspace logging + flexible replacement for old syslog-based logging + packets to userspace via multicast netlink sockets + easy-to-use library (libipulog) + plugin-extensible userspace logging daemon already available + + Queuing + reliable asynchronous packet handling + packets to userspace via unicast netlink socket + easy-to-use library (libipq) + experimental queue multiplex daemon (ipqmpd) + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +Current Development and Future + +Netfilter (although it proved very stable) is still work in progress. + +Areas of current development + infrastructure for conntrack/nat helpers in userspace + full TCP sequence number tracking + multicast support for connection tracking + more flexible matches (MAXCONN, ...) + more conntrack and NAT modules (RPC, SNMP, SMB, ...) + better IPv6 support (conntrack, more matches / targets) + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page +Advanced Linux Networking +Availability of slides / Links + +The slides and the an according paper of this presentation are available at + http://www.gnumonks.org + +The netfilter homepage is mirrored at: + http://netfilter.samba.org + http://netfilter.kernelnotes.org + http://netfilter.filewatcher.org + +More documents / netfilter extensions (ulogd, ipqmpd, ...) + http://www.gnumonks.org/projects |