Shulou (Shulou.com) 06/01 Report. Updated 2025-01-16. From: SLTechnology News&Howtos > Servers
This article explains how to implement multi-channel mirror traffic aggregation and replication in the Linux kernel. Many people run into this question in daily operations, so the editor consulted various materials and put together a simple, practical method; we hope it clears up your doubts. Follow along and learn together!
Application scenarios
In security monitoring and testing we inevitably run into this problem: we need to deploy a large number of security devices that rely on mirrored traffic (IPS, anomalous traffic detection, database audit, traffic analysis and so on), but a switch has only a limited number of ports that can be configured as mirror ports, and buying professional equipment for this is too expensive.
This article solves the problem with a Linux kernel module that handles the packets inside the kernel's network stack. Thanks to Platinum PT for their help.
Architecture design
The kernel module's flow is fairly simple. The forwarding configuration is submitted from user space to the kernel module as a string such as "eth2@eth3_eth2@eth4_eth2/eth5@eth6". This configuration means:
Traffic from eth2 is copied to eth3 and eth4
Traffic from eth2 and eth5 is aggregated onto eth6
The MIRROR kernel module therefore only needs to implement parameter reading, configuration parsing, and NIC classification (source or destination).
Algorithm and code implementation
Parameter input
This code splits the parameter string described above, such as "eth2@eth3_eth2@eth4_eth2/eth5@eth6", on "_" and submits each section to the parameter-setting function option_setup.
Parameter setting
Here each section, such as "eth0@eth2", is split further into the source NIC eth0 and the destination NIC eth2. Among the kernel module's global variables there is an array:
__read_mostly __u8 ethout_bits[MAX_OUT] = {0};
It stores, for each NIC, the set of NICs its traffic is forwarded to. Think of it this way: if the server has 8 NICs, each NIC gets an 8-bit binary number describing its forwarding. For example, if eth0 is copied to eth2, ethout_bits[0] equals 0100000, and so on; to copy eth0 to all the other NICs it would be 0111111.
At the same time a global one-byte bitmask, one bit per NIC, records which NICs are mirror source ports, so that no resources are wasted on traffic from other NICs:
__read_mostly __u8 ifindex_bits = 0;
Skb packet replication and forwarding
When the Linux kernel receives an skb, the module first checks whether the packet's ingress NIC is in the forwarding list, that is, whether that NIC is a mirror source.
It then loops over the stored forwarding destination ports; for each match it copies the packet with the skb_clone function and sends the clone directly through the dev_queue_xmit function.
Finally, the original sk_buff structure is released.
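The module's own source is not reproduced on this page, so as an added example (not the article's code) here is a user-space C model of the three steps just described: the parameter input that splits on "_", option_setup splitting each section on "@" and "/", and the receive-side check plus forwarding loop. It assumes the bit layout bit i = ethi in the masks, which the article does not state; the names mirror_parse, mirror_targets, mirror_forward and tx_count are mine, and dev_queue_xmit is replaced by a per-NIC counter so the code runs offline. The rejection of a NIC forwarding to itself is an added check, not something the article mentions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OUT 8   /* one bit per NIC, up to 8 NICs, as in the article */

/* User-space stand-ins for the module's globals.
 * Assumed layout (not stated on the page): bit i of a mask is ethi. */
static uint8_t ethout_bits[MAX_OUT];    /* per source NIC: mask of destination NICs */
static uint8_t ifindex_bits;            /* mask of NICs that are mirror sources */
static unsigned long tx_count[MAX_OUT]; /* simulated dev_queue_xmit() calls per NIC */

static void mirror_reset(void)
{
    memset(ethout_bits, 0, sizeof ethout_bits);
    memset(tx_count, 0, sizeof tx_count);
    ifindex_bits = 0;
}

/* "ethN" -> N; -1 if the name is malformed or N is out of range. */
static int eth_index(const char *name)
{
    char *end;
    long n;
    if (strncmp(name, "eth", 3) != 0 || name[3] == '\0')
        return -1;
    n = strtol(name + 3, &end, 10);
    if (*end != '\0' || n < 0 || n >= MAX_OUT)
        return -1;
    return (int)n;
}

/* option_setup(): handles one "src[/src...]@dst" section. Returns 0 or -1. */
static int option_setup(char *section)
{
    char *at = strchr(section, '@'), *save, *src;
    int dst;
    if (!at)
        return -1;
    *at = '\0';                       /* left of '@': sources, right: destination */
    dst = eth_index(at + 1);
    if (dst < 0)
        return -1;
    for (src = strtok_r(section, "/", &save); src; src = strtok_r(NULL, "/", &save)) {
        int s = eth_index(src);
        if (s < 0 || s == dst)        /* added check: never loop a NIC onto itself */
            return -1;
        ethout_bits[s] |= (uint8_t)(1u << dst);
        ifindex_bits   |= (uint8_t)(1u << s);
    }
    return 0;
}

/* Parameter input: split the whole string on '_' and pass each section on. */
static int mirror_parse(const char *cfg)
{
    char *copy = strdup(cfg), *save, *sec;
    int rc = 0;
    if (!copy)
        return -1;
    mirror_reset();
    for (sec = strtok_r(copy, "_", &save); sec && rc == 0; sec = strtok_r(NULL, "_", &save))
        rc = option_setup(sec);
    free(copy);
    return rc;
}

/* Receive path: is the ingress NIC a mirror source? Returns its destination
 * mask, or 0 when the packet should be left alone. */
static uint8_t mirror_targets(int src_ifindex)
{
    if (src_ifindex < 0 || src_ifindex >= MAX_OUT)
        return 0;
    if (!(ifindex_bits & (1u << src_ifindex)))
        return 0;
    return ethout_bits[src_ifindex];
}

/* Forwarding loop: one clone and one transmit per destination bit. In the
 * kernel this is skb_clone() + dev_queue_xmit(); here only a counter moves.
 * Returns the number of clones sent. */
static int mirror_forward(int src_ifindex)
{
    uint8_t mask = mirror_targets(src_ifindex);
    int sent = 0, i;
    for (i = 0; i < MAX_OUT; i++) {
        if (mask & (1u << i)) {
            tx_count[i]++;
            sent++;
        }
    }
    return sent;
}

int main(void)
{
    const char *cfg = "eth2@eth3_eth2@eth4_eth2/eth5@eth6";  /* the article's example */
    int i;
    if (mirror_parse(cfg) != 0) {
        fprintf(stderr, "bad config: %s\n", cfg);
        return 1;
    }
    for (i = 0; i < MAX_OUT; i++)
        if (ifindex_bits & (1u << i))
            printf("eth%d -> destination mask 0x%02x\n", i, ethout_bits[i]);
    printf("clones sent for one frame on eth2: %d\n", mirror_forward(2));
    return 0;
}
```

With the article's configuration string, eth2 ends up with destination mask 0x58 (eth3, eth4, eth6), eth5 with 0x40 (eth6), and ifindex_bits is 0x24, so a frame arriving on eth0 is never touched while a frame on eth2 is cloned three times.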
Startup script
For debugging and quick parameter submission, you can use the following shell script:
Measured effect
Compile, fill in the parameters and execute
Execute: sh sh.sh
dmesg output
Mirror traffic effect
The traffic statistics shown here will not be 100% identical because of differences in NIC speed, sampling time and so on; this is normal.
CPU occupancy
Even when traffic reaches about 400M, CPU usage remains relatively low.
This concludes the study of "how to achieve Linux kernel multi-channel mirroring traffic aggregation and replication"; we hope it has answered your questions. Theory and practice go together, so go and try it! To keep learning, please continue to follow the website, where the editor will keep bringing practical articles.