Version 1.3, 26 April 2010
Warning
This is a beta release documentation. STABLE version is currently not available. TESTING packages can be found in the repository at https://www.liberouter.org/repo/TESTING/x86_64/. Please replace STABLE repository, mentioned in this Handbook, with the TESTING repository. If you are looking for the NIFIC STABLE release, please see this documentation.Copyright © 2009-2010 CESNET, z.s.p.o.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. The license can be found at GNU web page.
Table of Contents
- 1. Introduction
- 2. System Overview
- 3. Installation
- 4. Configuration
- 5. Local NIFIC Configuration
- 6. Remote NIFIC Configuration
- 7. Useful Tools Usage
- 8. Use Cases
- 9. List of Known Bugs and Issues
- 10. NIFIC Development Team
- A. References
List of Figures
- 2.1. NIFIC system overview
- 2.2. NIFIC as a locally configured filter
- 2.3. NIFIC as a remotely configured filter
- 3.1. COMBO-LX155T with COMBO-10G2 connected
- 3.2. Ethernet interface numbers
- 3.3. LEDs on the COMBO-10G2
- 5.1. Local configuration of NIFIC
- 6.1. Remote control of NIFIC
- 6.2. Scheme of the Netopeer remote configuration system
- 8.1. Web access analyzer
- 8.2. Dual-port NIC
- 8.3. VOIP analyzer
List of Tables
- 3.1. Supported Firmware
Packet filter (NIFIC) is intended for processing of network flows at the full speed of the line without any packet loss. Architecture of the NIFIC packet filter can be used as a non-state firewall, a tool for network flow inspection, an intelligent HUB etc.
The NIFIC packet filter supports filtration on the 10Gbps Ethernet on the two ports, the filtration conditions are implemented in a special format called filtering rules. NIFIC supports up to 2048 rules and filter on the basis of the following fields in a packet:
Source and destination MAC address
Source and destination IP address (IPv4 only supported)
IPv4 protocol
Source and destination port (TCP or UDP)
TCP flags
Input interface number
Each packet coming to NIFIC could be re-directed to Ethernet interface(s), re-directed to software of the host PC or could be discarded. NIFIC supports packet replication (packet could be send to more output interfaces) and packet cropping for host PC software output.
NIFIC filter on the full speed of the line, where throughut Ethernet to Ethernet is 10Gbps for each port and througput Ethernet to host PC software is about 5 Gbps.
NIFIC is designed to provide rules changes without any packet loss, so user could add rule(s) or delete rule(s) and no packet is lost.
NIFIC packet filter could operate in two slightly different modes: as a local standalone filter or as a remotely controlled filter.
As was already mentioned NIFIC packet filter is designed for filtration on 10Gbps Ethernet. However, the version for 1Gbps Ethernet is also provided, but it is only simple port of 10Gbps NIFIC on the 1Gbps platform, so only the two of four possible ports are used.
The Chapter 2 presents the global system overview. Chapter 3 describes the installation of the NIFIC. Chapter 5 deals with locally controlled filtering. Chapter 6 presents all issues of remote control. Finally, Chapter 10 summarizes all known bugs and issues.
Table of Contents
NIFIC packet filter internally consists of two parts:
NIFIC hardware - Combov2 card with NIFIC firmware, plugged to PCI-E bus of NIFIC host PC. NIFIC hardware is responsible for packet classification and filtering.
NIFIC host PC - hosts Combov2 card, configures NIFIC hardware functionality described by filtering rules. NIFIC host PC also receives and sends packets through software interface of NIFIC hardware.
NIFIC hardware has following interfaces:
2 x 10 Gbps (or 2 x 1Gbps) Ethernet interface supporting receiving and sending packets at the full speed (Interface 0 and 1).
1 x Software interface (PCI-E) to NIFIC host PC. Software interface is divided into 14 virtual interfaces (Interfaces 2 to 15).
The incoming packets are classified and filtered in NIFIC hardware on the basis of rules loaded into NIFIC. Packets can be either blocked or forward to one or more output interfaces. The following picture shows system overview:
NIFIC can work in two different modes. As a locally configured standalone packet filter or as a remotely controlled filter.
The following figure shows the idea of the locally configured filter:
The NIFIC hardware is configured directly from NIFIC host PC by a ruleset file, which user has to type down manually. Details about local configuration are described in Chapter 5. Incoming packets could be captured by standart network interfaces. More about local packet capturing is described in Local Packet Capture & Transmit section.
The next figure presents the idea of remotely configured filter:
When remote configuration is used, NIFIC is configured by a PC called "Remote center", which configures NIFIC via XML based NETCONF protocol. The configuration XML can be either generated by a software utility or hand typed. More about remote configuration can be found in Chapter 6. If NIFIC is configured to forward some packets to NIFIC host PC software interface, the packets are forwarded to remote center, where could be further processed. Simple monitoring center, which prints the packet is part of the NIFIC package, more can be found in Chapter 6.
Table of Contents
If NIFIC software is not already installed on the NIFIC host PC, user should follow the section Installation of NIFIC Host PC. If user wants to use the remote configuration, he has to install necessary packages as is described in section Installation of Remote Control Packages.
All software tools are distributed in a form of rpm packages. RPM package system is able to check all required prerequisites and to inform you about the result.
To run any NIFIC tool, following packages have to be installed:
- libbdbus-1 1.0 or later
- libxml2 2.6 or later
- pciutils (lspci) 2.2.2 or later
- lsof 4.72 or later
All scripts are running in /bin/sh shell interpreter so all scripts were created with aim to portability. But on all testing machines the /bin/sh program was actually Bash (/bin/bash). Therefore we recommend using Bash as a default shell.
The NIFIC hardware has been designed to work on any PC-AT compatible computer running GNU/Linux operating system. It has been tested only on computers that use the x86-64 processors. The hardware requirements necessary for 10Gbps NIFIC host PC are:
Computer with x86-64 compatible CPU
COMBO-LX155T - PCIe mother card, second generation (LX155T chip)
COMBO-10G2 - two 10 Gbps interface card
For 1Gbps version the following cards are needed:
COMBO-LX155T - PCIe mother card, second generation (LX155T chip)
COMBO-1G4 - four 1 Gbps interface card
Mother card and an interface card are connected to each other making unit called "sandwich".
The firmware is automatically loaded by NIFIC script d, which is described in Chapter 5, the design could be changed in nific.conf(5) file as is described in Chapter 4. Supported firmware version is described in the table:
Table 3.1. Supported Firmware
| Mother Card | Add-on Card | Firmware | Features |
|---|---|---|---|
| COMBO-LX155T | COMBO-10G2 | 03_03 | 2x10 Gbps ports to Ethernet, 1xPCI-E |
| Full throughput from Ethernet port to Ethernet port (20 Gbps) for all packet length. | |||
| Throughput to host software PC is about 5,5 Gbps for all packet length. | |||
| Up to 2048 rules supported | |||
| COMBO-LX155T | COMBO-1G4 | 02_03 | 2x1 Gbps ports to Ethernet, 1xPCI-E |
| Same features as 10 Gbps version |
NIFIC host PC software works on GNU/Linux OS with 2.6 kernel. The software has been tested on computers running CentOS.
After plugging COMBO-LXT card into your PCI slot, you should test connection between the card and your PC. We use lspci(8) utility for this purpose. lspci(8) is a utility for displaying information about all PCI buses in the system and all devices connected to them. For correct recognition of the COMBO-LXT card you need update PCI ID Database used by lspci(8) or download pciutils-2.2.2 (program collection containing lspci(8) or later. If the lspci(8) output contains the following line your COMBO-LXT card is connected properly:
$lspci-d18ec:09:00.0 Ethernet controller: Cesnet, z.s.p.o.: Unknown device c032
NIFIC host PC is designed to be connected directly to line as active device, because it enables packet forwarding on full speed without any packet loss. However, when NIFIC is used as a passive device the mirror port or the Network tap could be used to connect NIFIC host PC to the desired network.
NOTE: LEDs are blinking and phyterctl(1) tool is working only when NIFIC design is booted in card by nific(1) script.
The combination of COMBO-LXT and COMBO-10G2 provides two 10 Gbps Ethernet interfaces. The following picture shows the number of the interface in the front view. The interface 0 is always the nearest one to the PCIe bus.
The COMBO-10G2 card is equipped with LED diodes as the link states indicators. The LED diodes are situated on the back side of the combination of COMBO-LXT and COMBO-10G2 as is shown on the picture:
There are two diodes per port: green diodes for RX (receiving) and orange or red for TX (transmitting). The diodes has following meanings:
Green diode (RX)
shining - line is present
blinking - packets coming on the line
neither blinking nor shining - no line present
Orange or red diode (TX)
shining - packets are not transmitted
blinking - packets are transmitted
neither blinking nor shining - should never happen
Liberouter project has a common centralized RPM repository for all projects. It is available on URL: https://www.liberouter.org/repo/STABLE/x86_64. Repository works over secured HTTPS channel. To obtain packages from it, you have to authorize yourself with login and password which you have received as our client. (Eventually, use login and password for SVN account.)
To make the standard tool yum(1) work properly with
our repository, you have to setup some configuration.
Add a new file liberouter.repo
to directory /etc/yum.repos.d/
with content:
[liberouter]
name=Liberouter RPM repository
baseurl=https://LOGIN:PASS@www.liberouter.org/repo/STABLE/x86_64/
enabled=1
gpgcheck=1
gpgkey=https://www.liberouter.org/repo/RPM-GPG-KEY-LiberouterNote
Instead of LOGIN and PASS write your real client login and password. To hide these private information you should change file mode bits by chmod(1):
# chmod 600 /etc/yum.repos.d/liberouter.repo
Note
Liberouter packages are digitally signed using GPG. Public key with GPG ID: 170EC4C1 (fingerprint FB55 3BB6 1571 0361 04CF 766A CAAF 4A06 170E C4C1) used to verify installing Liberouter packages is stored in file https://www.liberouter.org/repo/RPM-GPG-KEY-Liberouter.
Now you can check your configuration using yum(1):
# yum repolist
...
liberouter Liberouter RPM repository enabled
...
NIFIC host PC software is distributed in form of several RPM packages. We currently support only CentOS 5 distribution
To install nific packages we recommend to use yum's groupinstall command
# yum groupinstall nific-combov2-10g2or
# yum groupinstall nific-combov2-1g4according to installed card type.
As described in Chapter 3 and Chapter 6, NIFIC includes remote control tools. They have to be installed individually on PC selected to be a NIFIC remote center.
The yum repositories have to be set up the same way as was described in previous section. If the repositories are set up, the NIFIC monitoring center package could be installed by:
# yum install nific-remote-monitorThe remote configuration tool (netopeer manager) could be installed by:
# yum install netopeer-manager
Table of Contents
The configuration file is located in
/etc/liberouter/ directory.
In the directory user could find nific.conf(5) as
a default configuration file for 10Gbps NIFIC version and nific.conf.1G4 as a configuration file for 1 Gbps version.
If user wants to use 1Gbps version of NIFIC he has to delete or rename original and nific.conf and rename nific.conf.1G4 to
nific.conf.
The file includes all necessary settings for NIFIC packet filter run. The
file is described further:
Warning
Following settings should be changed only by expert user for a good reasons. Injudicious changes could lead to NIFIC failure!- COMBO6_DEVICE
The device file in the system.
- FIRMWARE_PATH
Path to directory with all firmware files.
- FIRMWARE_ID_X
Path to design.xml file - the design description file. One variable for each variant, where X could be either 10G2 or 1G4
- FIRMWARE_FILE_X
Firmware file location. One variable for each variant, where X could be either 10G2 or 1G4
- BINDIR
Path to binary tools used by scripts.
- IBUF_LIMIT
The maximum length of incoming packets (MTU).
- INIT_TYPE
local or remote - specifies the run options of nific script, when it is run by /etc/init.d/nific.rc
- REMOTE_CONFIG
Specifies the packet filter configuration when remote configuration is used.
- LOCAL_CONFIG
Specifies the rule set file, which is loaded to the design when local configuration is use.
- REMOTE_USER
Specifies the users, which have access rights for remote configuration.
- REMOTE_GROUP
Specifies the user groups, which have access rights for remote configuration.
- HFEX_BRAM_FILE_XX
Configuration file for hardware unit HFE (3 config files for 3 units in hw) in NIFIC design. One variable for each variant, where X could be either 10G2 or 1G4
- HFEX_REGS_FILE_XX
Configuration file for hardware unit HFE (3 config files for 3 units in hw) in NIFIC design. One variable for each variant, where X could be either 10G2 or 1G4
The nific.conf(5) file includes the actions, which NIFIC is executing when non IPv4 packet is detected on the network.
- DEF_NON_IPV4_IFCX (X=0-15)
There are 16 interfaces (2xEthernet, 14 virtual sw interfaces) in NIFIC. Each line specifies the action, when packet is detected on X interface. The action is specified as a bitmap when each bit set to 1 means "send the packet to this interface". The least significant bit is the rightest onei. When this bit is set to 1, all non IPv4 packets are re-directed to Ethernet interface 0. The action specification also includes the packet length for cropping function, this is useful when bit 2-15 is set hence the non IPv4 packets are re-directed to NIFIC host PC software interface. The complete configuration is provided as an example. The example says: all non-IPV4 packets from interface 0 send to interface 2, from interface 1 to interface 3, from virtual interface 2 to interface 0 and finally from virtual interface 3 to interface 1:
# ceth* interface 15 10 9 8 7 6 5 4 3 2 1 0 crop size DEF_NON_IPV4_IFC0="0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0" DEF_NON_IPV4_IFC1="0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0" DEF_NON_IPV4_IFC2="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0" DEF_NON_IPV4_IFC3="0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0" DEF_NON_IPV4_IFC4="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC5="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC6="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC7="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC8="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC9="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC10="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC11="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC12="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC13="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC14="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC15="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
The standard network interfaces are created on the basis of nific.conf(5) file. NIFIC filter packets up to 14 virtual sw interfaces, which could be mapped to the standard network interfaces. User could define the combinations of input and output virtual interface to be accessible by one standard network interface. According to the NIFIC hardware architecture, user has to define rules if he wants to transmit any IPv4 packet by virtual interfaces, the example could be found in examples of rules. When, standard network interface is set up, the OS sends also non-IPv4 packets to the network, so the actions for non-IPv4 packets also have to be set up.
- PROMISC
If set to ON, all virtual interfaces are set to promiscuous mode.
- VIFX
One line of standard interface configuration consists of:
Input virtual interface number (2-15)
Output virtual interface number (2-15)
IP address for interface - OPTIONAL
Network mask - OPTIONAL
- VIFX_NAME
Specifies the name of the interface, if there is an empty string, the name is used in this format: nificinput_output.
# VIF0="2 2 10.0.0.1 255.255.255.0" VIF0_NAME="ceth2" VIF1="3 3 172.16.0.1 255.255.255.0" VIF1_NAME="ceth3"
Note
After any change to nific.conf(5) the NIFIC has to be restarted.
When NIFIC is run remote mode the basic setup is also done by nific.conf(5).
However, the remote control programs use as source of configuration also
data set of configuration files in XML format (configuration datastores).
The location of these files is specified in
/etc/liberouter/netopeer.conf configuration file
(default path to these repositories is
/etc/liberouter/netconf/, for
more information see netopeer.conf(5) man page).
NIFIC remote configuration uses three configuration datastores
called running, startup
and candidate (concrete filenames representing
these datastores are defined in the netopeer.conf(5) configuration file).
- startup configuration datastore
This configuration datastore stores configuration data used at the device startup. Configuration daemon (nificsd(1)) reads this data at its startup and set NIFIC parameters according to startup configuration data.
- running configuration datastore
After initial setting up according to startup configuration data, configuration daemon creates
runningconfiguration datastore and copy there a content of thestartupconfiguration datastore.When remote configuration approach is used (see TODO),
runningconfiguration datastore always stores current settings of the packet filter and its packet exporter program (nificexp(1)). Ifrunningconfiguration data are changed, configuration daemon changes NIFIC parameters immediately.runningconfiguration repository is removed on NIFIC configuration daemon exit.- candidate configuration datastore
The
candidateconfiguration datastore is used to hold configuration data that can be manipulated without impacting the device's current parameters. This datastore serves as a work place for creating and manipulating configuration data. Additions, deletions, and changes may be made to this data to construct the desired configuration data. A NETCONF commit operation may be performed at any time what causes the device's running configuration to be changed to value of thecandidateconfiguration.The user can discard any uncommitted changes to the candidate configuration by executing the NETCONF discard-changes operation reverting the content of the
candidateconfiguration to the content of therunningconfiguration.candidatedatastore is as well as other datastores shared among all NETCONF sessions connected to the NIFIC. Therefore locking (by NETCONF lock operation) any datastore you are working with is highly recommended. In addition when the lock of thecandidatedatastore is released (by NETCONF unlock operation) content of the datastore is reverted to the content of therunningconfiguration.Warning
Before starting to manipulate with this datastore, it is necessary to lock it by NETCONF lock operation. If target repository of any operation is not locked, every operation locks its target repository themselves before performing any change. Target repository is again unlocked after requested operation and therefore the content of the
candidatedatastore is reverted to the content of the running data.
Definition of the NIFIC XML configuration scheme can be found at http://www.liberouter.org/ns/netopeer/nific/1.0/.
The NIFIC packet filter provides scripts for easy setting up of a filter.
For loading/removing NIFIC kernel modules the
nificlkm(1) script is
used. This script must be executed with root privileges. There are two main
options for this script. Option -l is used for loading
kernel modules. Option -r is used to remove any modules previously
loaded. For detection of the card and appropriate kernel modules the
lspci(8) utility is used.
Note
Loading kernel modules when udev(8) is configured to create devices may take a short delay to create all necessary devices. Therefore starting applications working with these devices (nific(1) script) right after loading modules can fail with message:
Combosix device "/dev/combosix/0" doesn't exist.
Please create all necessary devices.
Just give udev(8)
a few seconds to do its job.
Note
Before using nificlkm(1), make sure that NIFIC is not running.When all kernel modules are loaded, csid (1) is able to detect type of plugged cards and provide more detailed information. You should get following output on PC with installed COMBO-LXT mother card and COMBOI-10G2 add-on card:
$ csid
combo 10G1 n/a
Note
NIFIC designs supports different types of cards (with some different chips), so don't worry about differing values in the csid's output.nific(1) is main start up script for the NIFIC packet filter.
Script could be run in two different modes: local
or remote, the configuration is taken
from nific.conf(5). Main functionality is described below, more
detailed information you can get by -h option:
Script started in
localmodeBooting of firmware into card
Running of NIFIC configuration daemon nificsd(1) in the
localconfiguration mode with specified rule set file (according to value ofLOCAL_CONFIGvariable taken from nific.conf(5) configuration file). Also rules for non-IPv4 packets as described in nific.conf(5) are loaded. Configuration daemon nificsd(1) is then responsible for changing rule set while reloading configuration data.Setting up the standard network interfaces according to nific.conf(5)
Note
Exporter cannot be started in
localconfiguration mode, so-eoption is ignored.Script started in
remotemodeBooting of firmware into card
Running of NIFIC configuration daemon nificsd(1) in default remote configuration mode. Startup configuration data are taken from NETCONF startup datastore specified in
/etc/liberouter/netopeer.confconfiguration file. Rules for non-IPv4 packets are loaded according to specification in nific.conf(5) configuration file. NIFIC parameters can be then changed only via NETCONF connection (which is also used byreloadfunctionality of the nific(1) startup script).If
-eoption is specified, nificsd(1) also starts packet exporter program nificexp(1) according to settings in NETCONFstartupconfiguration datastore.Setting up the standard network interfaces according to nific.conf(5)
The first task is a kernel modules loading:
$su#nificlkm-lLoading NIFIC kernel modules combo6x 15252 0 combo6 21980 0 combo6core 22836 4 szedata2_cv2,combov2,combo6x,combo6 combov2_boot 4600 0 combov2 16256 2 szedata2_cv2,combov2_boot i2c_core 22593 1 combov2 combo6core 22836 4 szedata2_cv2,combov2,combo6x,combo6 szedata2_cv2 12948 0 szedata2 16268 1 szedata2_cv2
When the modules are loaded we can run the nific(1) script:
#nificlocal---------------------------------- Starting Configuration Daemon ---------------------------------- ---------------------------------- Creating Virtual Interfaces ----------------------------------
User could check if the design is properly loaded by
csid -s.
$csid-sBoard : combo Subtype : LXT155 S/N : 8100323 Addon0 : 10G1 Chip0 : n/a S/N0 : 8100372 Addon1 : 10G1 Chip1 : n/a S/N1 : 8100372 Channels : 2/2 (RX/TX) Firmware : ok SW : 0x41f10100 HW : 0x00030002 Text : NIFIC_CV2_10G2 PCI brver: 6d05.01.04 (2009/06/10 14:24) Device [combo6] szedata2 (0x41c10400-0x41c105ff) {}: inactive Device [combo6] szedata2 (0x41f10100-0x41f101ff) {}: active Device [combo6] szedata2 (0xf1010100-0xf10101ff) {}: inactive
Now user can work with packet filter as is described in next Chapters. To stop the nific and unload modules use commands:
#nific-s#nificlkm-r
NIFIC packet filter could be set up during boot of NIFIC host PC
by script nific.rc which is located in
/etc/init.d/. The startup script
loads modules and runs the nific(1) script in local
or remote mode as described in nific.conf(5). When user wants to use
nific.rc script during the boot process, the
chkconfig(8) must be configured:
#chkconfig--addnific.rc
To verify that everything is right, user can find nific.rc in the list of services
#chkconfig--list| grepnific.rc
To control service manually (start, stop, restart, etc.) use one of available options:
#/etc/init.d/nific.rchelp
However, the service will be started again after reboot of the NIFIC host PC. To stop the service permanently use:
#chkconfignific.rcoff
To delete the service from list run:
#chkconfig--delnific.rc
The "Filter language" is used to describe a rule set for the NIFIC filter. It is similar to the OpenBSD PF or FreeBSD ipfw language and is NOT case-sensitive.
Decimal and hexadecimal digits are defined:
dec_digit := '0' – '9'
hexadecimal_digit := dec_digit | ('a' – 'f')
Decimal constant is a sequence of decimal digits:
dec_const := dec_digit+
Hexadecimal constant is a sequence of hexadecimal digits:
hexadecimal_const := hexadecimal_digit+
IP address is a sequence of four decimal constants from range 0-255 separated by '.'. The address may be followed by a '/' and a number of bits from the left that are considered in evaluation. There must be no space around '/' character::
ipv4_const := dec_const ('.' dec_const){3} ['/' dec_const]
Examples of correct IPv4 addresses:
10.0.0.0/8 10.1.2.3
MAC address is a sequence of six doubles of hexadecimal numbers 00-FF separated by ':' :
mac_const := hexadecimal_const (':' hexadecimal_const){5}
List is a set of constant ranges surrounded by brackets '{' and '}'. The list may only contain one range type. Commas ',' are ignored inside lists:
list<constant_range> := '{' (constant_range | ',')* '}'
In case a list is used as an attribute value then the condition is satisfied when the attribute equals at least one of the list items. That means the rule:
100 pass 1 from { 10.0.0.0/8, !10.1.2.3 }
has the same meaning as the two rules, which passes any packet::
100 pass 1 from 10.0.0.0/8 100 pass 1 from !10.1.2.3
Therefore it is not recommended to use a negation in a list.
The rule specify an action which is performed on the packet when all requested conditions are met. The rule is defined by following syntax::
rule := id action ['on' interface] ['proto' protocol] ['from' src_addr ['mac' src_mac]['port' src_port]] ['to' dst_addr ['mac' dst_mac]['port' dst_port]] ['flags' [set_flags] '/' checked_flags] ['flowid' flowid]
ID is the first thing defined in the rule. It also specifies rule priority. Lower numbers denotes higher priority. Id is from 0 to 65535:
id := dec_const
Packets may be blocked or passed (sent) to several interfaces. Passed packets may also be cropped to a defined sizes:
action := ('pass' (interface_number+) ['crop' size]) | 'block'
interface_number := dec_const
size := dec_const
Interface is defined by a decimal constant or list of decimal constants from the range 0-15 possibly with negation:
action := ('pass' (interface_number+) ['crop' size]) | 'block'
interface_number := dec_const
size := dec_constProtocol is defined by a keyword 'TCP', 'UDP', 'ICMP' or a decimal number from the file /etc/protocols. It is also possible to use negation and lists of protocols:
protocol := protocol_range | list<protocol_range> protocol_range := ['!'] protocol_const protocol_const := 'tcp' | 'udp' | 'icmp' | dec_const
Source and destination address may be defined by keyword 'any' which means any address, by one IP address, by address with negation using character '!' or by address list::
src_addr := dst_addr := 'any' | ipv4_range | list<ipv4_range> ipv4_range := ['!'] ipv4_const
Mac address is defined by single address or by list of addresses:
src_mac := dst_mac := mac_const | list<mac_const>
Source and destination port may be specified by port range or by list of port ranges:
src_port := dst_port := port_range | list<port_range>
Range is defined by no operator meaning the exact specified value, by unary operators non-equal '!=', lesser '<', greater '>', lesser or equal '<=' or greater or equal '>=' and binary operators in range without borders '><', out of range '<>' or in range including borders ':':
port_range := dec_const | (('!=' | '<' | '>' | '<=' | '>=') dec_const) | (dec_const ('><' | '<>' | ':') dec_const)
TCP flags are given in the form set/checked. Individual flags are represented by their first letter. For example 'S/SA' means to check SYN and ACK, where only SYN is set:
set_flags := checked_flags := ('F' | 'S' | 'R' | 'P' | 'A' | 'U' | 'E' | 'C')
Flow ID is a user defined identifier that is returned when the rule is matched.
flowid := dec_const
Rules are evaluated from the lowest priority number to the highest. When a packet is matched by some rule, evaluation is terminated and the rule action is used.
The rule set contains every rule or table definition on a separate row. If the row would be too long, it is possible to use backslash '\' which neutralizes the immediately following newline '\n'::
filter_ruleset := row* row := [rule] '\n'
It is possible to use comments beginning with '#' and ended by the new line. Example of a simple rules:
#simple pass all traffic from interface 1 to interface 2 (software virtual interface)
10 pass 2 on 1
#pass all traffic from given IP to interface 2
20 pass 2 from 192.168.0.1
#pass all traffic from one IP to another with defined ports to interface 2
30 pass 2 from 192.168.0.1 port 4550 to 192.168.0.2 port 9660
#pass to interface 4 and crop to 400B all traffic from 147.15.2.3
40 pass 4 crop 400 from 147.15.2.3
#ports lesser than 1024
50 pass 4 crop 400 from 147.15.2.3 to any port <1024
#pass all traffic to known hosts
60 pass 1 2 3 to { 147.50.26.0/24 147.51.26.1 }
#all IPv4 packets sends to virtual interface 14 are redirected to the Ethernet interface 0 and all packets from interface 15 are redirected to Ethernet interface 1
70 pass 0 on 14
80 pass 1 on 15
#implicit block
100 block
To reduce memory requirements of the rule set try not to use negations (operator '!' for IPs and operator '!=' for ports). It is usually possible to transform the rule set into equivalent form without negations. Instead of writing:
200 pass 1 from !147.50.26.19 300 block
Write the equivalent but without negations:
200 block from 147.50.26.19 300 pass 1
Also number your rules wisely. If possible leave some rule IDs unassociated. For example when creating a new rule set leave at least hundred IDs free and use a very large number for the default rule ID:
100 pass 1 from 147.50.26.0/24 200 pass 1 from 147.50.27/24 65535 block
Using all IDs in a sequence is a bad idea, because then you will need to renumber the rules when adding a rule into the list. Example of a bad style:
1 pass 1 from 147.50.26.0/24 2 pass 1 from 147.50.27/24 3 block
Table of Contents
The following chapter describes the complete local configuration of NIFIC packet filter. When initial configuration is ready and NIFIC host PC software is set up, the NIFIC can be locally configured by a rule set file. User has to type down the rule set file and use special filter language" to specify the rules. When rule set file is typed down, it could be loaded to NIFIC by NIFIC management daemon. The following picture shows the idea of local configuration:
Usage of nific-config(1) tool is simple. The following
command loads rules described in rules.rul file into
NIFIC.
$nific-config-rrules.rul-v0
If everything goes fine and rules are loaded to NIFIC, user gets following message:
NIFIC successfully configured.
The number of rules, which could be loaded to NIFIC is limited. However, it is difficult to say the precise number of rules. So, when rules could not be loaded to NIFIC, because they don't fit there, user gets following message:
VERBOSE:-1 Abstract Data Layer daemon has reported an error (Generate process has failed) NIFIC configuration failed.
There are several methods how to locally access to packets incoming to software and how to transmit packets back to network. User has these options:
Using standard network interface (interface could be managed the same way as any other interface - eth0.. ). It could be used for both capture and transmitting. However, the througphut is limited up to 1Gbps.
For packet capturing use the libpcap library, which is widely used for packet capturing in Linux systems. This approach allows full througput to SW, which is cca 5 Gbps.
For simple testing purposes use the preprepared tools
Firstly, the already prepared tool - sze2loopback is described in section 1, than the simple description of preparing the user application is presented in section 2.
NOTE: When standard packet interface is used the throughput is decreased to just about 1Gbps, because it requires copy operation in memory of host. The usage of PCAP library has no throughput limitations.
When nific(1) script is used, it creates virtual network interfaces according to specified requirements in in nific.conf(5). If an example configuration is used, it creates two virtual network interfaces that can be controlled by ifconfig(8):
$ifconfig ceth2 ceth2 Link encap:Ethernet HWaddr 00:FF:06:2E:3A:A0 inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0 inet6 addr: fe80::2ff:6ff:fe2e:3aa0/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)$ifconfig ceth3 ceth3 Link encap:Ethernet HWaddr 00:FF:21:57:A7:D3 inet addr:172.16.0.1 Bcast:172.16.0.255 Mask:255.255.255.0 inet6 addr: fe80::2ff:21ff:fe57:a7d3/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)
For packet capturing test user could use the tcpdump(1) tool:
$ tcpdump -i ceth2 For packet transmitting test user could use the tcpreplay(8) tool, where file packets.pcap is transmitted:
$ tcpreplay -i ceth2 packets.pcapMore detailed description of using tcpdump(1) and tcpreplay(1) tools can be found in section TODO).
Note
When user wants to transmit packets, he has to load rules, which define where should be IPv4 packets from virtual software interface re-directed. He also should set up the actions for non-IPv4 packets in nific.conf(5). For example use the following rules to make NIFIC to serve like standard network interface card (the actions for non-IPv4 packets has to be set too as shown in default nific.conf(5) file):
$ cat ./rules.user
# pass all traffic from physical interface 0 to software virtual interface 2
10 pass 2 on 0
# pass all traffic from software virtual interface 2 to physical interface 0
11 pass 0 on 2
# pass all traffic from physical interface 1 to software virtual interface 3
20 pass 3 on 1
# pass all traffic from software virtual interface 3 to physical interface 1
21 pass 1 on 3
Libpcap library description is available at http://www.tcpdump.org/.
The development of the user application for processing of packets incoming from NIFIC hardware is a simple task, because standard libpcap library could be used. User have to follow two steps:
Include the libpcap header file ( #include <pcap.h>)
Link the NIFIC libpcap library
Sze2loopback was designed for testing and development purposes. However, this tool could be used for simple visualization of incoming packets headers from NIFIC hardware.
For visualization purposes, the following command runs sze2loopback and prints "R" for every incoming packet on the screen:
$sze2loopback-R
When there is to many incoming packets user could use the -I
option, then one R is printed per 10000 packets:
$sze2loopback-R-I10000
Tool could be used also for simple visualization of incoming packets:
$sze2loopback-R-A
Table of Contents
The concept of NIFIC remote control is described in this chapter.
The following picture presents the whole system of remote configuration and packet forwarding:
The concept of remote control allows all remote tools to be run on one PC or run the tools on multiple PCs, so monitoring center could run on different PC than remote configuration.
Netopeer is a remote configuration system based on NETCONF protocol that provides remote configuration ability for any device controlled by configuration daemon. As shown on the Netopeer system scheme, the system core consists of the couple programs implementing NETCONF protocol. They are called agent and manager and they provide NETCONF message exchange. There is also next important part of the system placed on the server (agent's) side - device configuration daemon. This program cooperates with NETCONF agent and performs changes of device settings according to requests sent by NETCONF manager.
- netopeer(1)
Implements operations of NETCONF protocol on the client side. It has built-in command line interface (similar to e.g. sftp(1) program). Additionaly it is able to accept list of requested operation from batchfile and perform them. This feature can be used by some kind of frontend providing more user friendly interface of the Netopeer.
- netopeer-agent(1)
Oposite of the netopeer(1) implementing NETCONF protocol on the server side. It performs changes made on device configuration repositories and informs device configuration daemon (see below) about these changes. Communication between netopeer(1) and configuration daemon is done via D-Bus message bus system.
- nificsd(1)
It represents implementation of the Netopeer configuration daemon for the NIFIC. It is permanently running system daemon. It usually starts on system boot, initially sets up device (or any needed additional application) according to content of the Netopeer
startupconfiguration datastore. On succes it creates running configuration datastore and then waits for any request from the Netopeer agent application.
Device configuration data transferred and processed by Netopeer system have XML form. On the device host system they are stored in several types of configuration datastores. These datastores are actually regular text files somewhere in the host's file system. The location of these files is specified in /etc/liberouter/netopeer.conf configuration file (default path to these repositories is /etc/liberouter/netconf/, for more information see netopeer.conf(5) man page).
There are three types of NETCONF configuration datastores. They are called running, startup and candidate (specific filenames representing these datastores are defined in the netopeer.conf(5) configuration file). This concept follows definitions of NETCONF configuration datastores defined in RFC 4741.
- startup configuration datastore
This configuration datastore contains configuration data used at the device startup. Configuration daemon (see daemon description) reads this data at its startup and sets device parameters.
- running configuration datastore
After initial setting up according to startup configuration data, configuration daemon creates
runningconfiguration datastore and copy there a content of thestartupconfiguration datastore.runningconfiguration datastore always stores current settings of controlled device or application. Ifrunningconfiguration data are changed via Netopeer system, configuration daemon is apprised of required changes and device settings are modified immediately.runningconfiguration repository is removed on configuration daemon exit.- candidate configuration datastore
The
candidateconfiguration datastore is used to hold configuration data that can be manipulated without any impacton device current parameters. This datastore serves as a work place for creating and manipulating configuration data. Additions, deletions, and changes may be done to construct desired configuration data. A NETCONF commit operation may be performed at any time what causes update of therunningconfiguration datastore to contain settings specified in thecandidateconfiguration datastore.The user can discard any not committed changes in
candidatedatastore by executing NETCONF discard-changes operation reverting the content ofcandidatedatastore to the content ofrunningconfiguration datastore.candidatedatastore is, as well as other datastores, shared among all NETCONF sessions connected to the device host via Netopeer system. Therefore locking (by NETCONF lock operation) any datastore you are working with is highly recommended. In addition when the lock ofcandidatedatastore is released (by NETCONF unlock operation) content of the datastore is reverted to the content ofrunningdatastore.Warning
Before starting to manipulate with this datastore, it is necessary to lock it by NETCONF lock operation. If target repository of any operation is not locked, every operation locks its target repository themselves before performing any change. Target repository is again unlocked after requested operation and therefore the content of
candidatedatastore is reverted to the content ofrunningdatastore.
Definition of currently used Netopeer XML configuration schemes can be found at http://www.liberouter.org/ns/netopeer/.
Netopeer is a system application cooperating with several other system daemons and services like D-Bus or sshd(8). There is a possibility to set precise user permissions to use Netopeer configuration system by modification of netopeer.conf(5) configuration file in combination with configuration of other services. Therefore precise configuration of all components is a key part of using Netopeer configuration system.
Configuration file netopeer.conf(5) is stored in the /etc/liberouter/ directory. This file contains paths to various files used during remote configuration. You should make sure that these paths exist and the access rights enables read/write for all users you want to use Netopeer remote configuration system.
netopeer.conf(5) is actually a list of definition of environment variables.
VARNAME=VALUE
The file can contain blank lines as well as comment lines starting with '#' character that are ignored. The meaning of the variables follows.
runningThe filename (in form of absolute path) of the file storing running configuration datastore. Running configuration datastore is created by nificsd(1) when it starts. User is not supposed to create this file manually.
The file is created with read/write permissions for user and group as nificsd(1) is running. nificsd(1) is usually started at a boot time with root persmissions so only root is able to access and to change running configuration datastore. nificsd(1) program provides possibility to change its effective UID and GID by
-uand-goptions (for more info see man page of nificsd(1)). Then only set user or group is able to access created running datastore. Be sure that specified user or group has also granted read/write permissions to all files storing other Netopeer configuration datastores as well as to directories where these files are placed. Only specified user or group is then allowed to successfully configure controlled device remotely.startupThe filename (in form of absolute path) of the file storing startup configuration datastore. This file must be created manually with initial device settings. Please, make sure, that user (or group) with whom effective permissions the nificsd(1) is running is able to write and read this file. By default this file is writable only by root.
candidateThe filename (in form of absolute path) of the file storing candidate configuration datastore. This file is dynamically created and changed by netopeer-agent(1) program. Please make sure, that all users supposed to control device and use Netopeer configuration system have permissions to create a file in the directory where the candidate configuration datastore will be stored.
xsl_keysSpecifies the filename (in form of absolute path) of the file with XSL stylesheet to add key-nodes to the device XML configuration data. These key-nodes are then used by the netopeer-agent(1) program for subtree filtering. This XSL stylesheet is usually specific for used device XML data model.
Proper XSL stylesheets should be part of the nificsd(1) installation.
xsl_statsSpecifies the filename (in form of absolute path) of the file with XSL stylesheet to add nodes containing the device state information into the device running XML configuration datastore. This stylesheet is used for NETCONF get operation.
Proper XSL stylesheets should be part of the nificsd(1) installation.
D-Bus is a message bus system used for communication between applications. The Netopeer system uses D-Bus for communication between nificsd(1) and netopeer-agent(1) applications. Therefore Netopeer system requires running dbus-daemon(1). On most systems, D-Bus is already running (it's launched as a service during the system boot sequence) but you can check it by command
#servicedbusstatus
Note
Unfortunately some Linux distributions call the D-Bus service as a messagebus. So if you get error message like "No such servise dbus" please try to replace parameter dbus by messagebus in the service command.
You can also look for running dbus-daemon(1) process with --system parameter:
$psax| grep"dbus-daemon.*--system"
If the dbus-daemon(1) is not running it's necessary to start it. The simpler way is to start it as a service:
#servicedbusstart
or you can start it directly:
#dbus-daemon--system
Netopeer also installs configuration file into the D-Bus system bus configuration directory. File /etc/dbus-1/system.d/netopeer.conf contains D-Bus policy specifications for service org.liberouter.netopeer provided by Netopeer nificsd(1). Service owner should be set only to root (since only root is allowed to start nificsd(1) despite of later effective UID/GID switch). On the other hand, sending and receiving should be allowed to anybody (at least to user/group supposed to using Netopeer configuration system).
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can own the netopeer service -->
<policy user="root">
<allow own="org.liberouter.netopeer"/>
</policy>
<!-- Allow all users to invoke methods on netopeer service -->
<policy context="default">
<allow send_destination="org.liberouter.netopeer"/>
<allow receive_sender="org.liberouter.netopeer"/>
</policy>
</busconfig>
The Netopeer system uses SSH to create secured NETCONF connection between device host and administrator's PCs. To enable the NETCONF connection over SSH, you have to edit sshd(8)'s configuration file sshd_config(5).
In the sshd_config(5) configuration file you have to enable SSH connection on the port 830 (this port was assigned to the NETCONF over SSH connection by IANA. This can be done by adding following line to the configuration file.
Port 830
Warning
If you are using default SSH port 22, make sure that you have uncommented this line in the configuration file so both 830 and 22 port numbers are opened by sshd(8).
You can also use (on your own risk) any other port to establish NETCONF connection. netopeer(1) program allows to specify the port number used for the NETCONF connection (see netopeer(1) man page).
Note
If you are using iptables(8) packet filter, you have to enable incomming connections to the NETCONF's port. In case of port 830 and Red Hat's default settings of the iptables(8) following command will do the work.
#iptables-IRH-Firewall-1-INPUT1-tfilter-mstate--stateNEW-ptcp--dport830-jACCEPT
The Netopeer system uses SSH subsystem mechanism. To set netopeer-agent(1) as SSH subsystem, you have to add following line to the sshd_config(5) configuration file.
Subsystem netconf /usr/bin/netopeer-agent
Note
Note that /usr/bin/netopeer-agent is only example (but default) path of netopeer-agent(1) program. You have to use your own absolute path of this program.
The nific could be run in remote mode by:
#nific-e remote
Netopeer tool is used for remote configuration of NIFIC.It is a part of the nific-remote package and its installation is described in Chapter 3. The full manual pages of netopeer tool could be obtained by:
$mannetopeer
Netopeer uses special protocol NetCONF for NIFIC configuration. NIFIC configuration data are represented in XML form in three data stores called running, startup and candidate. Configuration data changes in configuration data stores are performed by NETCONF operations described below. These operations can be invoked in netopeer interactive mode or (for application interaction preferred way) by giving a batch file to netopeer. Batch file contains a list of requested operations for netopeer.
The rule specification in configuration, which is described further, have to be given in same format as is described in section 4.1
Next, the netopeer commands are described, followed by description of common use cases and possible errors. The full description of XML schema is available at http://www.liberouter.org/ns/netopeer/nific/1.0/
Netopeer tool is controlled by following commands:
close-session terminate NETCONF session and quit netopeer copy-config create/replace entire configuration with another delete-config delete a configuration datastorage edit-config modify part of configuration get get configuration and device state information get-config get specified configuration kill-session force the termination of a NETCONF session lock lock configuration datastorage of a device unlock release a configuration lock commit use candidate configuration as new running configuration discard-changes revert candidate configuration to the current running configuration
In the following use cases the batch file is used for storing of the commands. Netopeer tool could by called with batch file simply by:
$netopeer-bbatchfile
Netopeer tool has an obligatory parameter specifying address of the NIFIC host PC, lets say the machine demo.nific.org is our NIFIC host PC. This parameter can be extended by @ to contain ssh user login name:
$netopeerssh_user_name@demo.nific.org
If the password for the specified user is required, the password can be given 138 to netopeer by -w option to avoid asking a password by program:
$netopeerssh_user_name@demo.nific.org-wpassword
Use get-config command (in batch file) to get running configuration, the configuration is saved to output.xml:
$catbatchfileget-config running -f output.xml close-session$netopeerssh_user_name@demo.nific.org-wpassword-bbatchfile$cat./output.xml<?xml version="1.0" encoding="utf-8"?> <nific xmlns="http://www.liberouter.org/ns/netopeer/nific/1.0"> <monitorCenters> <monitorCenter> <description>My monitoring center</description> <host content-type="name">monitor.center.org</host> <port>6666</port> <protocol>tcp</protocol> <onInterface>2</onInterface> </monitorCenter> </monitorCenters> <rules> <rule> <id>100</id> <value>pass crop 400 from 10.0.0.1 to any</value> </rule> <rule> <id>200</id> <value>pass from 147.15.2.3 to any port <1024</value> </rule> <rule> <id>4000000000</id> <value>block</value> </rule> </rules> </nific>
If the "running" option is replaced by startup or candidate, user gets the startup or candidate configurations.
Completely rewrite configuration data. Use copy-config operation with local source configuration (stored in local_config.xml file) and candidate data store as a target of the operation. Then use commit operation to apply changes to the device.
$cat./local_config.xml<?xml version="1.0" encoding="utf-8"?> <nific xmlns="http://www.liberouter.org/ns/netopeer/nific/1.0"> <monitorCenters> <monitorCenter> <description>My monitoring center</description> <host content-type="name">monitor.center.org</host> <port>6666</port> <protocol>udp</protocol> <onInterface>2</onInterface> </monitorCenter> </monitorCenters> <rules> <rule> <id>100</id> <value>pass crop 400 from 10.0.0.1 to any</value> </rule> <rule> <id>200</id> <value>pass from 147.15.2.3 to any port <1024</value> </rule> <rule> <id>4000000000</id> <value>block</value> </rule> </rules> </nific>$catbatchfilelock candidate copy-config candidate -f local_config.xml commit unlock candidate close-session$netopeerssh_user_name@demo.nific.org-wpassword-bbatchfile
Use get-config NETCONF operation (in batch file) to running data store with filter to <rules> element:
$catbatchfileget-config -i filter.xml -f output.xml running close-session$catfilter.xml<?xml version="1.0" encoding="utf-8"?> <nific xmlns="http://www.liberouter.org/ns/netopeer/nific/1.0"> <rules/> </nific>$netopeerssh_user_name@demo.nific.org-wpassword-bbatchfile$cat./output.xml<?xml version="1.0" encoding="utf-8"?> <nific xmlns="http://www.liberouter.org/ns/netopeer/nific/1.0"> <rules> <rule> <id>100</id> <value>pass crop 400 from 10.0.0.1 to any</value> </rule> <rule> <id>200</id> <value>pass from 147.15.2.3 to any port <1024</value> </rule> <rule> <id>4000000000</id> <value>block</value> </rule> </rules> </nific>
$cat./edit.xml<?xml version="1.0" encoding="utf-8"?> <nific xmlns="http://www.liberouter.org/ns/netopeer/nific/1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> <rules> <rule nc:operation="create"> <id>10000</id> <value>block to any port 80</value> </rule> <rule nc:operation="create"> <id>11000</id> <value>block to any port 8080</value> </rule> </rules> </nific>$catbatchfilelock candidate edit-config -f edit.xml candidate commit unlock candidate close-session$netopeerssh_user_name@demo.nific.org-wpassword-bbatchfile
$cat./edit.xml<?xml version="1.0" encoding="utf-8"?> <nific xmlns="http://www.liberouter.org/ns/netopeer/nific/1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> <rules> <rule nc:operation="delete"> <id>10000</id> </rule> <rule nc:operation="delete"> <id>11000</id> </rule> </rules> </nific>$catbatchfilelock candidate edit-config -f edit.xml candidate commit unlock candidate close-session$netopeerssh_user_name@demo.nific.org-wpassword-bbatchfile
If an error occurs, netopeer in batch mode prints an error information:
$netopeerssh_user_name@demo.nific.org-wpassword-bbatchfile<error-tag> : resource-denied <error-type> : application <error-severity> : error <error-message> : Copy-config failed, unable to use repository - Permission denied
As described in section 6.1 daemon nificexp has to be run to export filtered packets to remote monitoring center. The nificexp is run by option -e when nific script is run. The monitoring center setting is propageted to the nificexp by NIFIC deamon nificsd
When packet export is set up, the monitoring center should be run to capture the filtered packets. The nific-remote package provides simple monitoring center. Monitoring center simply prints the incoming packet to the standard output. The monitoring center could be run on port 5000 with UDP selected as a container by command:
$nificmon-PUDP-l5000
Table of Contents
phyterctl(1) is a tool used to display and change configuration of interfaces available on COMBO cards. The tool displays information about link status, resolved speed or duplex mode on link. phyterctl(1) is also able to change advertised speed and duplex mode and provides r/w access to internal registers of the physical layer IC.
Example of the phyterctl(1) output:
$ phyterctl
Settings for card 0 (device /dev/combosix/0):
------------------------------ Interface 0 ---
Phyter vendor VITESSE
Phyter model VSC8486 10GbE PHY (rev 3)
Speed 10 Gb/s
Receive signal Detected
TX status Enabled
TX/RX Fault 0/0
Link status Up
------------------------------ Interface 1 ---
Phyter vendor VITESSE
Phyter model VSC8486 10GbE PHY (rev 3)
Speed 10 Gb/s
Receive signal Loss
TX status Enabled
TX/RX Fault 0/1
Link status Down
More information can be found in the phyterctl(1) man pages or in the README files placed in /usr/share/liberouter/phyterctl/ directory.
Note
phyterctl(1) needs some operational design to be booted in the card.tempctl(1) is a tool used for reading the temperature of both Combo6X and ComboV2 card families. It can also be used for setting up parameters of temperature sensors. When run without any parameters, the ambient temperature on all sensors (Combo6X) or interfaces (ComboV2) is displayed.
The maximum temperature limit inside FPGA is 80°C.
For temperature measuring on this type of ComboV2 cards the internal sensor inside the FPGA is used. Its functionality is under construction.
For temperature measuring on this type of ComboV2 cards the TCN75A temperature sensors are used. Each sensor is connected via the same I2C bus as ID Chip and transceivers. Each interface contains one sensor. Physically the sensors are located between the cards near the phyter. Using tempctl the ambient temperature can be read, further on both hysteresis and limit temperature can be either read or set.
Table of Contents
The following chapter presents some useful use cases for NIFIC packet filter.
All described use cases are part of the nific package. After installation of the
package they are available in directory TODO. Each use case provides
specific readme.txt file with step-by-step description
how to set and try it.
Sometimes could be useful to know not only the IP addresses of web servers, which are visited by users in your network, but also the virtual servers behind these IPs. NIFIC packet filter in a local mode could be used as web access analyzer with this functionality. NIFIC host PC should be connected to the output line of your network by TAP device:
When NIFIC host PC is connected to the network, we configure it. First of all, the httpry tool have to be downloaded and compiled on the NIFIC host PC:
$wget http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz$tar -xzvf httpry-0.1.5.tar.gz$cd ./httpry-0.1.5$make
The next step is the correct setting of NIFIC packet filter. We start with definition of the filtration rules:
100 pass 2 crop 300 on 0 proto tcp from any to any port 80 200 pass 3 crop 300 on 1 proto tcp from any to any port 80 10000 block
The rule says: send to interface 2 every TCP packet incoming from interface 0 with destination port 80 and crop this packet to 300B. The second rule says the dame for port 1. The rules filtrate only cropped web accesses from your network to web servers. Because the rules should not be changed the set should be placed directly to the /etc/liberouter/nific.rules, this rule set will be loaded when nific(1) script is run.
The actions for non-IPv4 packets have to be set up to discard any non-IPv4 traffic.
# # Default NON IPv4 Action # # ceth* interface 15 10 9 8 7 6 5 4 3 2 1 0 crop size DEF_NON_IPV4_IFC0="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC1="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC2="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC3="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC4="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC5="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC6="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC7="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC8="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC9="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC10="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC11="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC12="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC13="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC14="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0" DEF_NON_IPV4_IFC15="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
The next step is the preparation of the standard network interface in nific.conf(5). file, this simple use case use just one standard interface:
..... # INPUT OUTPUT VIF0="2 2" VIF0_NAME="ceth2" VIF1="3 3" VIF1_NAME="ceth3"
We can set the IP address and the mask at will, because no packets are send by NIFIC host PC in this use case. Now, all configuration steps are completed and the nific.conf(5) script could be run:
$nificlocal
The scripts loads the design, sets up it, loads the rules and sets up network interfaces. Finally, the httpry tool could be run with correct interface:
$ ./httpry -i ceth2
Here you can see example output of httpry tool detecting request for www.google.com.
2009-09-14 12:37:08 147.251.21.227 74.125.87.147 > GET www.google.com / HTTP/1.1 - - 2009-09-14 12:37:08 74.125.87.147 147.251.21.227 < - - - HTTP/1.1 302 Found 2009-09-14 12:37:08 147.251.21.227 74.125.87.105 > GET www.google.cz / HTTP/1.1 - - 2009-09-14 12:37:08 74.125.87.105 147.251.21.227 < - - - HTTP/1.1 200 OK 2009-09-14 12:37:09 147.251.21.227 74.125.87.100 > GET clients1.google.cz /generate_204 HTTP/1.1 - - 2009-09-14 12:37:09 74.125.87.100 147.251.21.227 < - - - HTTP/1.1 204 No Content 2009-09-14 12:37:09 147.251.21.227 74.125.87.105 > GET www.google.cz /csi?v=3&s=webhp&action=&tran=undefined&e=17259,21480,21486,21685,21766&ei=0xyuSs7YC4T1_Aa62qiHBg&rt=prt.45,xjs.224,ol.330 HTTP/1.1 - - 2009-09-14 12:37:09 74.125.87.105 147.251.21.227 < - - - HTTP/1.1 204 No Content
The number of incoming packets could be reduce by selecting a sub network or only simple IP address. If users wants to overwrite default rules he should create the file with rule and put there rules, which he wants and call the nific-config(1) tool.:
$cat ./rules.user 0 pass 2 crop 300 on 0 proto tcp from 147.21.15.3 to any port 80$nific-config -r rules.user
The loaded rule is forwarding incomming packets from IP 147.21.15.3 to the software interface 2.
This use-case shows how NIFIC could be configured to behave like dual port standard NIC. Data from physical interface 0 is sent to software virtual interface 2 and vice-versa. Data from physical interface 1 is sent to software virtual interface 3 and vice-versa.
The use-case is prepared for the situation, where port 0 is connected to the 10.0.0.0/24 network and port1 to 172.16.0.0/24.
Firsty, the rules have to be set up. The rules could be directly put into /etc/liberouter/nific.rules
# pass all traffic from physical interface 0 to software virtual interface 2
10 pass 2 on 0
# pass all traffic from software virtual interface 2 to physical interface 0
11 pass 0 on 2
# pass all traffic from physical interface 1 to software virtual interface 3
20 pass 3 on 1
# pass all traffic from software virtual interface 3 to physical interface 1
21 pass 1 on 3
Next, the actions for non-IPv4 packets have to be set up the same way as rules defines actions for IPv4 packets. The non-IPv4 actions are defined in etc/liberouter/nific.conf
#
# Default NON IPv4 Action
#
# ceth* interface 15 10 9 8 7 6 5 4 3 2 1 0 crop size
DEF_NON_IPV4_IFC0="0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0"
DEF_NON_IPV4_IFC1="0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0"
DEF_NON_IPV4_IFC2="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0"
DEF_NON_IPV4_IFC3="0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0"
DEF_NON_IPV4_IFC4="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC5="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC6="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC7="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC8="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC9="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC10="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC11="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC12="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC13="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC14="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC15="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
Finally, the virtual interfaces have to be set up in etc/liberouter/nific.conf.
VIF0="2 2 10.0.0.1 255.255.255.0"
VIF0_NAME="ceth2"
VIF1="3 3 172.16.0.1 255.255.255.0"
VIF1_NAME="ceth3"
When everything is set up, NIFIC as dual-port NIC could be run by:
$nificlocal
We setup NIFIC to serve as VoIP (SIP) analyzer. It transparently passes all traffic but only interesting part of the whole traffic is copied to the software interface where further analysis using Wireshark is done. Interesting part of the traffic is defined as UDP or TCP packets with destination port 5060. Such packets refers to SIP (Session Initiation Protocol) protocol used for VoIP. Note that SIP traffic is copied from both physical interfaces to single software interface 2. The use case presents the situation, when NIFIC is inserted directly to the line and no TAP is used.
Firsty, the rules have to be set up. The rules could be directly put into /etc/liberouter/nific.rules
100 pass 1 2 on 0 proto {udp, tcp} from any to any port 5060
200 pass 0 2 on 1 proto {udp, tcp} from any to any port 5060
300 pass 1 on 0
400 pass 0 on 1
The rules say: capture UDP or TCP packets with destination port 5060 (which is SIP traffic) going from any source IP to any destination IP. All traffic is also passed through NIFIC, so NIFIC is completly transparent.
Next, the actions for non-IPv4 packets have to be set up the same way as rules defines actions for IPv4 packets. The non-IPv4 actions are defined in etc/liberouter/nific.conf.
# ceth* interface 15 10 9 8 7 6 5 4 3 2 1 0 crop size
DEF_NON_IPV4_IFC0="0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0"
DEF_NON_IPV4_IFC1="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0"
DEF_NON_IPV4_IFC2="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC3="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC4="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC5="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC6="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC7="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC8="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC9="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC10="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC11="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC12="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC13="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC14="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
DEF_NON_IPV4_IFC15="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
The actions are defined only for interface 0 and interaface 1, the non-IPv4 are redirected the same way as the IPv4 packets: packets from interface 0 are re-directed to interface 1 and vice-versa.
Finally, the virtual interface have to be set up in etc/liberouter/nific.conf.
VIF0="2 2"
VIF0_NAME="ceth2"
Wireshark could be downloaded and build by:
$wgethttp://media-2.cacetech.com/wireshark/src/wireshark-1.2.2.tar.bz2$tar-x -fwireshark-1.2.2.tar.bz2$cdwireshark-1.2.2$./configure$make
Wireshark is run by:
$ ./wireshark
In menu go to Capture -> Options and select ceth2 as Capture interface. Start capturing by Start button. Finally, go in menu to Telephony -> VoIP Calls, where you can analyze VoIP calls.
The following list summarizes all known bugs and issues, the bugs will be fixed either as bug fixes or will be solved in the next version of NIFIC:
We would like to acknowledge and thank to developers who contributed to the NIFIC project. The list of NIFIC developers in alphabetical order follows:
- Configuration software.
- Firmware, project leader.
- Firmware.
- Configuration software.
- Firmware.
- Startup scripts, remote configuration, packages.
- Configuration software, packages.
- Firmware, founder of current NIFIC.
- Configuration software.
- Testing.
- Configuration software.
Table of Contents
[RFC 4741] Copyright © 2006. IETF. NETCONF Configuration Protocol, http://tools.ietf.org/html/rfc4741 .
[RFC 4742] Copyright © 2006. IETF. Using the NETCONF Configuration Protocol over Secure SHell (SSH), http://tools.ietf.org/html/rfc4742 .