2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how Linux tun/tap devices work. The editor finds the material very practical and shares it here so you can learn from it. I hope you get something out of reading it.
Linux tun/tap detailed explanation
> In computer networks, tun and tap are virtual network devices in the operating system kernel. Different from the ordinary devices realized by hardware network adapters, these virtual network devices are all implemented by software and provide the same functions to the software running on the operating system as the hardware network devices.
What is tun/tap?
Tun is a virtual network device at the network layer. It sends and receives layer 3 packets, such as IP packets, so it is often used in point-to-point IP tunnels such as OpenVPN, IPSec and so on.
Tap is a virtual network device at the link layer, equivalent to an Ethernet device. It sends and receives layer 2 packets, such as Ethernet frames. The most common use of tap is as a virtual machine network card, because it behaves much like an ordinary physical network card; it is also often used as a virtual network card on ordinary machines.
How to operate tun/tap?
A Linux tun/tap device can be operated in two ways: through the network interface and through a character device.
When an application operates a tun/tap device through the standard socket API on the network interface, it is no different from operating a real network card.
When the application operates the tun/tap device through the character device, the character device acts as a bridge between user space and kernel space, and the application reads and writes layer 2 or layer 3 packets directly. In versions after Linux kernel 2.6.x, the character device files corresponding to tun/tap are:
    tun: /dev/net/tun
    tap: /dev/tap0
When the application opens the character device, the system automatically creates the corresponding virtual interface, normally named tunX or tapX. Once the interface has been created, it can be configured with an IP address, MAC address, routes and so on.
Sending: when everything is configured, the application writes IP packets or Ethernet frames to the character device, and the tun/tap driver passes the data directly into kernel space. The kernel hands it to the system's network protocol stack, which finally selects the appropriate physical network card to send it out. This completes the send path.
Receiving: when the physical network card receives a packet, it is handed to the network protocol stack. After the stack's matching decision, the packet is written unchanged to the character device through the tun/tap driver. The application reads the IP packet or Ethernet frame from the character device and processes it. This completes the receive path.
> Note: When the application closes the character device, the system automatically deletes the corresponding virtual interface, along with the routes and other information created for it.
The difference between tun/tap
Although tun and tap work on the same principle, they operate at different layers.
Tun is a layer 3 network device. It sends and receives IP-layer packets and cannot handle Ethernet frames. For example, the routed mode of OpenVPN uses tun devices. The OpenVPN server allocates a separate network segment; every client obtains an IP address in that segment and adds the corresponding routing rules. Packets between a client and the target machine can only be forwarded through the OpenVPN gateway.
Tap is a layer 2 network device. It sends and receives Ethernet frames, has MAC-layer functionality, and can be bridged with a physical network card to form a layer 2 network. For example, the bridging mode of OpenVPN tunnels from the outside into the local network: the machines that connect take part in communication like local machines, and nothing indicates that they are remote. If you have used virtual machines, bridged mode is also a very common networking choice. The virtual machine is assigned an IP address in the same network segment as the host, and other machines in that segment can reach the virtual machine over the network.
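The character-device steps and the layer 2/layer 3 difference described above, as an added example that is not code from the original article. It opens /dev/net/tun for both modes, which is the clone device current kernels provide; `tuntap_open`, `tuntap_ethertype` and the interface name `tun0` are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/if.h>
#include <linux/if_tun.h>

/* Attach to a tun/tap interface. flags is IFF_TUN or IFF_TAP, optionally
 * OR-ed with IFF_NO_PI. Returns the fd to read()/write() on, or -1. */
int tuntap_open(const char *name, short flags)
{
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = flags;
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {   /* creates or attaches the interface */
        close(fd);
        return -1;
    }
    return fd;
}

/* Classify one buffer returned by read(): the EtherType of its payload
 * (0x0800 IPv4, 0x86DD IPv6, ...), or -1 if it is truncated or malformed. */
int tuntap_ethertype(const uint8_t *buf, size_t len, short flags)
{
    if (!(flags & IFF_NO_PI)) {             /* 4-byte struct tun_pi: flags, proto */
        if (len < 4) return -1;
        if (flags & IFF_TUN)                /* proto already holds the EtherType */
            return (buf[2] << 8) | buf[3];
        buf += 4; len -= 4;
    }
    if (flags & IFF_TAP) {                  /* layer 2: dst MAC, src MAC, EtherType */
        if (len < 14) return -1;
        return (buf[12] << 8) | buf[13];
    }
    if (len < 1) return -1;                 /* layer 3: IP version in the high nibble */
    switch (buf[0] >> 4) {
    case 4:  return len >= 20 ? 0x0800 : -1;
    case 6:  return len >= 40 ? 0x86DD : -1;
    default: return -1;
    }
}

int main(void) { return tuntap_open("tun0", IFF_TUN | IFF_NO_PI) < 0; } /* tun0: assumed name */
```

Creating an interface through TUNSETIFF requires CAP_NET_ADMIN. If the interface was pre-created with the `user USER` option of `ip tuntap add`, that user can attach to it without root.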
Mode of use
Linux provides command-line programs for creating persistent tun/tap devices. If no application has opened the corresponding file descriptor, the state of the tun/tap device stays DOWN. Fortunately, this does not prevent us from using it as an ordinary network card.
Use ip tuntap help to view the usage help:

    Usage: ip tuntap { add | del | show | list | lst | help } [ dev PHYS_DEV ]
           [ mode { tun | tap } ] [ user USER ] [ group GROUP ]
           [ one_queue ] [ pi ] [ vnet_hdr ] [ multi_queue ] [ name NAME ]

    Where: USER  := { STRING | NUMBER }
           GROUP := { STRING | NUMBER }

Example:

    # create tap
    ip tuntap add dev tap0 mode tap
    # create tun
    ip tuntap add dev tun0 mode tun
    # delete tap
    ip tuntap del dev tap0 mode tap
    # delete tun
    ip tuntap del dev tun0 mode tun
After the tun/tap device is successfully created, it can be used as a normal network card, so we can also manipulate it through the ip link command.
For example, you can delete tun/tap devices by using the ip link command.
That is how Linux tun/tap works. The editor believes it covers points you may see or use in daily work, and hopes you can learn more from this article.