2025-04-10 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article works through an example analysis of how netfilter hook points behave on Linux when VRF (virtual routing and forwarding) is in use. It has some reference value, and interested readers can refer to it. I hope you gain something from reading it.
Linux netfilter and VRF
The experimental environment is shown in the following figure:
The configuration is as follows:
#!/bin/bash
sudo ip netns add ns1
sudo ip link add ns1veth2 type veth peer name eth0 netns ns1
sudo ip netns add ns2
sudo ip link add ns2veth2 type veth peer name eth0 netns ns2
# The vrftest device must exist before interfaces can be enslaved to it. The script on the
# page does not show its creation, so the next two lines (and the table id 10) are an
# assumption added here. Forwarding between ns1 and ns2 also needs net.ipv4.ip_forward=1.
sudo ip link add vrftest type vrf table 10
sudo ip link set vrftest up
sudo ip link set ns1veth2 master vrftest
sudo ip link set ns2veth2 master vrftest
sudo ip link set ns2veth2 up
sudo ip link set ns1veth2 up
sudo ip addr add 1.1.1.254/24 dev ns1veth2
sudo ip addr add 2.2.2.254/24 dev ns2veth2
sudo ip netns exec ns2 ip addr add 2.2.2.1/24 dev eth0
sudo ip netns exec ns1 ip addr add 1.1.1.1/24 dev eth0
sudo ip netns exec ns1 ip link set eth0 up
sudo ip netns exec ns1 ip link set lo up
sudo ip netns exec ns1 ip route add default via 1.1.1.254 dev eth0
sudo ip netns exec ns2 ip link set eth0 up
sudo ip netns exec ns2 ip link set lo up
sudo ip netns exec ns2 ip route add default via 2.2.2.254 dev eth0
# Log every hook point a packet from or to 1.1.1.1 traverses; the mangle table is used
# because it is present at all five hooks. The prefixes carry no trailing space, which is
# why the kernel log lines below read "vrf-test-preroutingIN=".
sudo iptables -t mangle -A PREROUTING -s 1.1.1.1 -j LOG --log-prefix "vrf-test-prerouting"
sudo iptables -t mangle -A FORWARD -s 1.1.1.1 -j LOG --log-prefix "vrf-test-forward"
sudo iptables -t mangle -A POSTROUTING -s 1.1.1.1 -j LOG --log-prefix "vrf-test-postrouting"
sudo iptables -t mangle -A PREROUTING -d 1.1.1.1 -j LOG --log-prefix "vrf-test-prerouting"
sudo iptables -t mangle -A FORWARD -d 1.1.1.1 -j LOG --log-prefix "vrf-test-forward"
sudo iptables -t mangle -A POSTROUTING -d 1.1.1.1 -j LOG --log-prefix "vrf-test-postrouting"
sudo iptables -t mangle -A INPUT -d 1.1.1.1 -j LOG --log-prefix "vrf-test-localin"
sudo iptables -t mangle -A INPUT -s 1.1.1.1 -j LOG --log-prefix "vrf-test-localin"
sudo iptables -t mangle -A OUTPUT -s 1.1.1.1 -j LOG --log-prefix "vrf-test-localout"
sudo iptables -t mangle -A OUTPUT -d 1.1.1.1 -j LOG --log-prefix "vrf-test-localout"
External network accesses this machine
ns1 pings the gateway 1.1.1.254
admin@ubuntu:~$ sudo ip netns exec ns1 ping 1.1.1.254 -c 1
PING 1.1.1.254 (1.1.1.254) 56(84) bytes of data.
64 bytes from 1.1.1.254: icmp_seq=1 ttl=64 time=0.064 ms

--- 1.1.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.064/0.064/0.064/0.000 ms
admin@ubuntu:~$
View the log:
Nov 20 20:34:10 ubuntu kernel: [180403.527204] vrf-test-preroutingIN=ns1veth2 OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32492 DF PROTO=ICMP TYPE=8 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527213] vrf-test-preroutingIN=vrftest OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32492 DF PROTO=ICMP TYPE=8 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527220] vrf-test-localinIN=vrftest OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32492 DF PROTO=ICMP TYPE=8 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527231] vrf-test-localoutIN= OUT=vrftest SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527233] vrf-test-postroutingIN= OUT=vrftest SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527235] vrf-test-localoutIN= OUT=ns1veth2 SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527242] vrf-test-postroutingIN= OUT=ns1veth2 SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
As can be seen from the log:
The request packet passes through the hook points in the following order:
No.  Hook point   Input interface  Output interface
1    PREROUTING   ns1veth2         none
2    PREROUTING   vrftest          none
3    INPUT        vrftest          none
The reply packet passes through the hook points in the following order:
No.  Hook point   Input interface  Output interface
1    OUTPUT       none             vrftest
2    POSTROUTING  none             vrftest
3    OUTPUT       none             ns1veth2
4    POSTROUTING  none             ns1veth2
Forwarded packets
ns1 pings ns2
admin@ubuntu:~$ sudo ip netns exec ns1 ping 2.2.2.1 -c 1
PING 2.2.2.1 (2.2.2.1) 56(84) bytes of data.
64 bytes from 2.2.2.1: icmp_seq=1 ttl=63 time=0.063 ms

--- 2.2.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.063/0.063/0.063/0.000 ms
admin@ubuntu:~$
View the log:
Nov 20 20:28:31 ubuntu kernel: [180065.076713] vrf-test-preroutingIN=ns1veth2 OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=2.2.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38312 DF PROTO=ICMP TYPE=8 CODE=0 ID=33948 SEQ=1
Nov 20 20:28:31 ubuntu kernel: [180065.076722] vrf-test-preroutingIN=vrftest OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=2.2.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38312 DF PROTO=ICMP TYPE=8 CODE=0 ID=33948 SEQ=1
Nov 20 20:28:31 ubuntu kernel: [180065.076730] vrf-test-forwardIN=vrftest OUT=ns2veth2 MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=2.2.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=38312 DF PROTO=ICMP TYPE=8 CODE=0 ID=33948 SEQ=1
Nov 20 20:28:31 ubuntu kernel: [180065.076732] vrf-test-postroutingIN= OUT=ns2veth2 SRC=1.1.1.1 DST=2.2.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=38312 DF PROTO=ICMP TYPE=8 CODE=0 ID=33948 SEQ=1
Nov 20 20:28:31 ubuntu kernel: [180065.076746] vrf-test-preroutingIN=ns2veth2 OUT= MAC=02:25:0e:fe:52:35:ba:19:4d:37:ac:8b:08:00 SRC=2.2.2.1 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47601 PROTO=ICMP TYPE=0 CODE=0 ID=33948 SEQ=1
Nov 20 20:28:31 ubuntu kernel: [180065.076749] vrf-test-preroutingIN=vrftest OUT= MAC=02:25:0e:fe:52:35:ba:19:4d:37:ac:8b:08:00 SRC=2.2.2.1 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47601 PROTO=ICMP TYPE=0 CODE=0 ID=33948 SEQ=1
Nov 20 20:28:31 ubuntu kernel: [180065.076752] vrf-test-forwardIN=vrftest OUT=ns1veth2 MAC=02:25:0e:fe:52:35:ba:19:4d:37:ac:8b:08:00 SRC=2.2.2.1 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47601 PROTO=ICMP TYPE=0 CODE=0 ID=33948 SEQ=1
Nov 20 20:28:31 ubuntu kernel: [180065.076753] vrf-test-postroutingIN= OUT=ns1veth2 SRC=2.2.2.1 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47601 PROTO=ICMP TYPE=0 CODE=0 ID=33948 SEQ=1
As can be seen from the log:
The request packet passes through the hook points in the following order:
No.  Hook point   Input interface  Output interface
1    PREROUTING   ns1veth2         none
2    PREROUTING   vrftest          none
3    FORWARD      vrftest          ns2veth2
4    POSTROUTING  none             ns2veth2
The reply packet passes through the hook points in the following order (the output interface is ns1veth2, as the OUT= field of the reply lines in the log shows):
No.  Hook point   Input interface  Output interface
1    PREROUTING   ns2veth2         none
2    PREROUTING   vrftest          none
3    FORWARD      vrftest          ns1veth2
4    POSTROUTING  none             ns1veth2
This machine accesses the external network
vrftest pings 1.1.1.1
admin@ubuntu:~$ sudo ping 1.1.1.1 -I vrftest -c 1
ping: Warning: source address might be selected on device other than vrftest.
PING 1.1.1.1 (1.1.1.1) from 1.1.1.254 vrftest: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.039 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.039/0.039/0.039/0.000 ms
admin@ubuntu:~$
View the log:
Nov 20 21:21:11 ubuntu kernel: [183224.956734] vrf-test-localoutIN= OUT=vrftest SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35042 DF PROTO=ICMP TYPE=8 CODE=0 ID=34186 SEQ=1
Nov 20 21:21:11 ubuntu kernel: [183224.956740] vrf-test-postroutingIN= OUT=vrftest SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35042 DF PROTO=ICMP TYPE=8 CODE=0 ID=34186 SEQ=1
Nov 20 21:21:11 ubuntu kernel: [183224.956745] vrf-test-localoutIN= OUT=ns1veth2 SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35042 DF PROTO=ICMP TYPE=8 CODE=0 ID=34186 SEQ=1
Nov 20 21:21:11 ubuntu kernel: [183224.956746] vrf-test-postroutingIN= OUT=ns1veth2 SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35042 DF PROTO=ICMP TYPE=8 CODE=0 ID=34186 SEQ=1
Nov 20 21:21:11 ubuntu kernel: [183224.956762] vrf-test-preroutingIN=ns1veth2 OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=323 PROTO=ICMP TYPE=0 CODE=0 ID=34186 SEQ=1
Nov 20 21:21:11 ubuntu kernel: [183224.956765] vrf-test-preroutingIN=vrftest OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=323 PROTO=ICMP TYPE=0 CODE=0 ID=34186 SEQ=1
Nov 20 21:21:11 ubuntu kernel: [183224.956769] vrf-test-localinIN=vrftest OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=323 PROTO=ICMP TYPE=0 CODE=0 ID=34186 SEQ=1
As can be seen from the log:
The request packet passes through the hook points in the following order:
No.  Hook point   Input interface  Output interface
1    OUTPUT       none             vrftest
2    POSTROUTING  none             vrftest
3    OUTPUT       none             ns1veth2
4    POSTROUTING  none             ns1veth2
The reply packet passes through the hook points in the following order:
No.  Hook point   Input interface  Output interface
1    PREROUTING   ns1veth2         none
2    PREROUTING   vrftest          none
3    INPUT        vrftest          none
This machine accesses itself (loopback)
vrftest pings the VRF interface address 9.9.9.9/24
Add the following netfilter rules:
admin@ubuntu:~/vrftcpdump$ cat netfilter1.sh
sudo iptables -t mangle -A PREROUTING -s 9.9.9.9 -j LOG --log-prefix "vrf-test-prerouting"
sudo iptables -t mangle -A FORWARD -s 9.9.9.9 -j LOG --log-prefix "vrf-test-forward"
sudo iptables -t mangle -A POSTROUTING -s 9.9.9.9 -j LOG --log-prefix "vrf-test-postrouting"
sudo iptables -t mangle -A INPUT -s 9.9.9.9 -j LOG --log-prefix "vrf-test-localin"
sudo iptables -t mangle -A OUTPUT -s 9.9.9.9 -j LOG --log-prefix "vrf-test-localout"
admin@ubuntu:~/vrftcpdump$
Configure the vrftest interface address as 9.9.9.9/24 and ping it:
admin@ubuntu:~/vrftcpdump$ sudo ip addr add 9.9.9.9/24 dev vrftest
admin@ubuntu:~/vrftcpdump$ sudo ping 9.9.9.9 -I vrftest -c 1
PING 9.9.9.9 (9.9.9.9) from 9.9.9.9 vrftest: 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=64 time=0.050 ms

--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.050/0.050/0.050/0.000 ms
admin@ubuntu:~/vrftcpdump$
View the log:
Nov 20 22:13:41 ubuntu kernel: [186374.589186] vrf-test-localoutIN= OUT=vrftest SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39425 DF PROTO=ICMP TYPE=8 CODE=0 ID=34815 SEQ=1
Nov 20 22:13:41 ubuntu kernel: [186374.589192] vrf-test-postroutingIN= OUT=vrftest SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39425 DF PROTO=ICMP TYPE=8 CODE=0 ID=34815 SEQ=1
Nov 20 22:13:41 ubuntu kernel: [186374.589202] vrf-test-preroutingIN=vrftest OUT= MAC=ca:f9:f0:37:4c:6c:ca:f9:f0:37:4c:6c:08:00 SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39425 DF PROTO=ICMP TYPE=8 CODE=0 ID=34815 SEQ=1
Nov 20 22:13:41 ubuntu kernel: [186374.589204] vrf-test-localinIN=vrftest OUT= MAC=ca:f9:f0:37:4c:6c:ca:f9:f0:37:4c:6c:08:00 SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39425 DF PROTO=ICMP TYPE=8 CODE=0 ID=34815 SEQ=1
Nov 20 22:13:41 ubuntu kernel: [186374.589210] vrf-test-localoutIN= OUT=vrftest SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39426 PROTO=ICMP TYPE=0 CODE=0 ID=34815 SEQ=1
Nov 20 22:13:41 ubuntu kernel: [186374.589211] vrf-test-postroutingIN= OUT=vrftest SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39426 PROTO=ICMP TYPE=0 CODE=0 ID=34815 SEQ=1
Nov 20 22:13:41 ubuntu kernel: [186374.589215] vrf-test-preroutingIN=vrftest OUT= MAC=ca:f9:f0:37:4c:6c:ca:f9:f0:37:4c:6c:08:00 SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39426 PROTO=ICMP TYPE=0 CODE=0 ID=34815 SEQ=1
Nov 20 22:13:41 ubuntu kernel: [186374.589217] vrf-test-localinIN=vrftest OUT= MAC=ca:f9:f0:37:4c:6c:ca:f9:f0:37:4c:6c:08:00 SRC=9.9.9.9 DST=9.9.9.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39426 PROTO=ICMP TYPE=0 CODE=0 ID=34815 SEQ=1
As can be seen from the log:
The request packet passes through the hook points in the following order:
No.  Hook point   Input interface  Output interface
1    OUTPUT       none             vrftest
2    POSTROUTING  none             vrftest
3    PREROUTING   vrftest          none
4    INPUT        vrftest          none
The reply packet passes through the hook points in the following order:
No.  Hook point   Input interface  Output interface
1    OUTPUT       none             vrftest
2    POSTROUTING  none             vrftest
3    PREROUTING   vrftest          none
4    INPUT        vrftest          none
Loopback request and reply are the same.
Summary
Once the Linux kernel supports VRF, a received packet traverses the PREROUTING hook twice: the first pass has the original interface as its input interface, and the second pass has the VRF master device to which that interface is enslaved.
Once the Linux kernel supports VRF, a locally generated packet first traverses the OUTPUT and POSTROUTING hooks with the VRF device as its output interface, and then traverses OUTPUT and POSTROUTING again with the real outgoing interface.
When a local packet is looped back to the machine itself, the traversal is the same as in an environment without VRF.
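The hook-order tables above were built by reading the kernel LOG lines by hand. The following script is an added example (not code from the original article) that does the same job automatically: it parses lines written by the iptables LOG rules in the configuration, groups them per flow, and returns the ordered list of (hook, input interface, output interface) for each direction, so the double PREROUTING pass can be checked on a larger capture. It assumes the "vrf-test-<hook>" prefixes used in the article; the seven sample lines embedded below are the log from the first experiment, copied in as test input.

```python
import re
from collections import OrderedDict

# Sample input: the seven kernel LOG lines from the "ns1 pings the gateway 1.1.1.254"
# experiment, embedded here so the parser runs offline.
SAMPLE_LOG = """\
Nov 20 20:34:10 ubuntu kernel: [180403.527204] vrf-test-preroutingIN=ns1veth2 OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32492 DF PROTO=ICMP TYPE=8 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527213] vrf-test-preroutingIN=vrftest OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32492 DF PROTO=ICMP TYPE=8 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527220] vrf-test-localinIN=vrftest OUT= MAC=b2:f8:2a:13:31:75:6e:17:d5:b2:55:14:08:00 SRC=1.1.1.1 DST=1.1.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32492 DF PROTO=ICMP TYPE=8 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527231] vrf-test-localoutIN= OUT=vrftest SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527233] vrf-test-postroutingIN= OUT=vrftest SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527235] vrf-test-localoutIN= OUT=ns1veth2 SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
Nov 20 20:34:10 ubuntu kernel: [180403.527242] vrf-test-postroutingIN= OUT=ns1veth2 SRC=1.1.1.254 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54845 PROTO=ICMP TYPE=0 CODE=0 ID=33955 SEQ=1
"""

# Log-prefix suffix -> netfilter hook name, matching the LOG rules in the article.
HOOKS = {"prerouting": "PREROUTING", "localin": "INPUT", "forward": "FORWARD",
         "localout": "OUTPUT", "postrouting": "POSTROUTING"}

# The article's prefixes have no trailing space, so "prerouting" runs straight into "IN=";
# \s* accepts both that and the usual prefix-with-a-space form.
LINE_RE = re.compile(
    r"vrf-test-(?P<hook>prerouting|localin|forward|localout|postrouting)\s*"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*)"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+) CODE=\d+ ID=(?P<id>\d+) SEQ=(?P<seq>\d+))?"
)


def parse_log_line(line):
    """Return (flow_key, hook, in_if, out_if) for one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Request and reply share the ICMP id/seq but differ in TYPE (8 vs 0), so TYPE is part
    # of the key; that also separates the two halves of the loopback case, where SRC == DST.
    flow_key = (m["src"], m["dst"], m["proto"], m["type"], m["id"], m["seq"])
    return flow_key, HOOKS[m["hook"]], m["in"] or None, m["out"] or None


def hook_traversals(log_text):
    """Group LOG lines per flow, preserving the order in which the hooks fired."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        flow_key, hook, in_if, out_if = rec
        flows.setdefault(flow_key, []).append((hook, in_if, out_if))
    return flows


def prerouting_passes(traversal):
    """Number of PREROUTING visits; two (slave interface, then VRF master) is the VRF signature."""
    return sum(1 for hook, _, _ in traversal if hook == "PREROUTING")


def format_table(traversal):
    """Render a traversal in the same column layout as the tables in the article."""
    rows = ["No.  Hook point   Input interface  Output interface"]
    for n, (hook, in_if, out_if) in enumerate(traversal, 1):
        rows.append(f"{n:<4} {hook:<12} {in_if or 'none':<16} {out_if or 'none'}")
    return "\n".join(rows)


if __name__ == "__main__":
    for key, traversal in hook_traversals(SAMPLE_LOG).items():
        print(f"flow {key[0]} -> {key[1]} ({key[2]} type {key[3]}), "
              f"PREROUTING passes: {prerouting_passes(traversal)}")
        print(format_table(traversal))
```

Two practical consequences follow from the parsed traversals and are worth keeping in mind when writing rules on a VRF host: an address-only match in PREROUTING fires twice per received packet (once with IN=slave, once with IN=vrftest), so packet counters on such rules double-count; and INPUT only ever sees IN=vrftest, so an INPUT rule that matches on the physical slave interface with -i never fires for traffic arriving through the VRF.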