* New target to control a fake network interface
From: Corey Giovanella @ 2005-06-21  2:12 UTC (permalink / raw)
  To: netfilter-devel

Hi all,

I just finished some code I've been working on and I figured I'd post a
message here in case anyone is interested in using it.

What I have done is written two new kernel modules: a fake network
interface module and a new iptables target that remote controls the
packet counters on the fake interface.  The fake interface itself does
nothing.

The idea just kind of came to me when I was looking at network drivers
for another idea I was thinking about.  Being able to represent packets
matched using a network interface seemed to be something that could be
useful.  I figure there are lots of programs that show graphs and things
of NICs in your computer, this would plug into them nicely.

For example I use this so I can view internet traffic separately from my
local lan traffic in Gkrellm.  

I've posted the source and perhaps a better description on my web site:
http://challenge-engineering.com/~corey/projects/fake_if/

Any thoughts or feedback of any form would be appreciated.

-- 
Corey Giovanella <coreygiovanella@challenge-engineering.com>
www.challenge-engineering.com/~corey/

* Re: New target to control a fake network interface
From: Harald Welte @ 2005-06-22 12:00 UTC (permalink / raw)
  To: Corey Giovanella; +Cc: netfilter-devel

On Tue, Jun 21, 2005 at 02:12:33AM +0000, Corey Giovanella wrote:
> Hi all,
> 
> I just finished some code I've been working on and I figured I'd post a
> message here in case anyone is interested in using it.

sure, I agree that it's good to draw people's attention to this.

> What I have done is written two new kernel modules: a fake network
> interface module and a new iptables target that remote controls the
> packet counters on the fake interface.  The fake interface itself does
> nothing.

mh.  I'm not sure whether I like this idea (cool hack) or whether I'd
rather say: Fix the userspace programs.

I think I have a general tendency towards the 'cool hack' side ;)

> For example I use this so I can view internet traffic separately from my
> local lan traffic in Gkrellm.  

well, I would rather say it's interesting for DROP'ed packets.  This way
you can see how much of your current inbound (or outbound) traffic gets
dropped..

I haven't yet looked at the code, since I'm currently travelling and
have only offline email access.  Consider this as a general call: "mail
all code in plain text to this list rather than sending URL's".

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


* Re: New target to control a fake network interface
From: Jan Engelhardt @ 2005-06-22 12:56 UTC (permalink / raw)
  To: Corey Giovanella; +Cc: netfilter-devel


>What I have done is written two new kernel modules: a fake network
>interface module and a new iptables target that remote controls the

NTS, there is already a fake interface module: called dummy.ko

>packet counters on the fake interface.  The fake interface itself does
>nothing.


Jan Engelhardt                                                               
--                                                                            
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de

* Re: New target to control a fake network interface
From: Kenneth Porter @ 2005-06-22 13:18 UTC (permalink / raw)
  To: netfilter-devel

--On Tuesday, June 21, 2005 2:12 AM +0000 Corey Giovanella 
<coreygiovanella@challenge-engineering.com> wrote:

> I've posted the source and perhaps a better description on my web site:
> http://challenge-engineering.com/~corey/projects/fake_if/

You're echoing iptables packet counts into a fake interface to make it 
available to an existing graphical monitor application. The app has a 
plugin system, so wouldn't it be better to write an iptables plugin for it? 
What's the advantage of copying the counters to another kernel object?

The fake interface is an interesting object but maybe not the best solution 
for this particular problem.

Given a general iptables plugin, this would make a good replacement for 
ntop as a packet-counting protocol analyzer. I find ntop (which uses 
libpcap) a bit "heavyweight" for just counting packets, as it also does 
deep analysis of their content and hence uses a fair amount of memory and 
CPU. (ntop also exposes the data via web interface, which is nice for 
non-Linux clients.)

* Re: New target to control a fake network interface
From: Corey Giovanella @ 2005-06-24  4:12 UTC (permalink / raw)
  To: Kenneth Porter; +Cc: netfilter-devel

> You're echoing iptables packet counts into a fake interface to make it 
> available to an existing graphical monitor application. The app has a 
> plugin system, so wouldn't it be better to write an iptables plugin for it? 

Yes, you are quite possibly right.  If my only concern was gkrellm a
plugin would probably have been better.  One reason I did it this way
was to do some kernel level programming, and to play around with
iptables.  Also, this seems like a much more general solution that could
be used for other things and in other apps if someone wanted to.  For
example, it works with ifconfig.

> What's the advantage of copying the counters to another kernel object?

I'm not sure if you are asking why I wrote this as two modules or
something else.  I'm pretty sure I could have made it all into one
kernel module.  At the time I just thought that would have made life a
bit more difficult and complicated to make it one module.

> The fake interface is an interesting object but maybe not the best solution 
> for this particular problem.

I agree, it's probably not the best if the problem was just with
gkrellm.  A gkrellm plugin would have been much better.  I went the way
I did for the reasons mentioned above.

> Given a general iptables plugin, this would make a good replacement for 
> ntop as a packet-counting protocol analyzer. I find ntop (which uses 
> libpcap) a bit "heavyweight" for just counting packets, as it also does 
> deep analysis of their content and hence uses a fair amount of memory and 
> CPU. (ntop also exposes the data via web interface, which is nice for 
> non-Linux clients.)

Thank you for the feedback.
-- 
Corey Giovanella <coreygiovanella@challenge-engineering.com>
www.challenge-engineering.com/~corey/

* Re: New target to control a fake network interface
From: Corey Giovanella @ 2005-06-24  4:12 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter-devel


> mh.  I'm not sure whether I like this idea (cool hack) or whether I'd
> rather say: Fix the userspace programs.
> 
> I think I have a general tendency towards the 'cool hack' side ;)
> 

Yes, I would say it is a 'cool hack' rather than a good solution.  I
would actually describe this as a hack solution to a personal minor
annoyance.

> well, I would rather say it's interesting for DROP'ed packets.  This way
> you can see how much of your current inbound (or outbound) traffic gets
> dropped..

yes, that would be neat.

> I haven't yet looked at the code, since I'm currently travelling and
> have only offline email access.  Consider this as a general call: "mail
> all code in plain text to this list rather than sending URL's".

I wasn't quite sure if I should include the code in my original message
or not and couldn't find anything about how to go about making new
announcements.  Most people seem to be sending in patches or single
files from what I've seen (though I haven't been paying close
attention).  I made the URL choice for a few reasons.  One of the main
ones being I really don't think many people will be interested in this.
I just didn't feel like sending all the people on this list code they
most likely wouldn't be interested in.

If you like I could mail the tar.gz out to the list now.  Just let me
know.

Thanks for the feedback.
-- 
Corey Giovanella <coreygiovanella@challenge-engineering.com>
www.challenge-engineering.com/~corey/

* Re: New target to control a fake network interface
From: Patrick Schaaf @ 2005-06-24 16:13 UTC (permalink / raw)
  To: Corey Giovanella; +Cc: netfilter-devel

On Fri, Jun 24, 2005 at 04:12:01AM +0000, Corey Giovanella wrote:
> > You're echoing iptables packet counts into a fake interface to make it 
> > available to an existing graphical monitor application. The app has a 
> > plugin system, so wouldn't it be better to write an iptables plugin for it? 
> 
> Yes, you are quite possibly right.  If my only concern was gkrellm a
> plugin would probably have been better.  One reason I did it this way
> was to do some kernel level programming, and to play around with
> iptables.  Also, this seems like a much more general solution that could
> be used for other things and in other apps if someone wanted to.  For
> example, it works with ifconfig.

If that idea is so wonderful, wouldn't it be wonderful to be able
to get at context switch counts, CPU usage, and all other kinds of
things representable by some counters, through a suitable fiddled-in
fake network interface?

What would be useful is a packet/byte count aggregator infrastructure
where iptables rules can tell when to count into which bucket(s),
and where userlevel can efficiently read one or all buckets.

Having that readable through /proc/net/dev and all other interfaces
which show network devices, however, strikes me as bad abuse of
well-known stuff meant for different purposes (than accounting in
a fancy new way).

Just my opinion, of course.

best regards
  Patrick
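
[Added example, not part of the thread and not code from any poster: a userspace sketch of the bucket-style accounting discussed above, summing per-rule counters from the `[packets:bytes]` prefixes that `iptables-save -c` prints. The `bucket:NAME` comment convention, the function name and the sample dump are assumptions constructed for illustration.]

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `iptables-save -c`.
SAMPLE = """\
*filter
:INPUT ACCEPT [10:800]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:560]
[120:96000] -A INPUT -i eth0 -m comment --comment "bucket:wan" -j ACCEPT
[40:3200] -A INPUT -i eth1 -m comment --comment "bucket:lan" -j ACCEPT
[5:300] -A INPUT -i eth0 -p tcp --dport 23 -m comment --comment "bucket:dropped" -j DROP
[3:180] -A INPUT -p udp -j DROP
[60:48000] -A OUTPUT -o eth0 -m comment --comment "bucket:wan" -j ACCEPT
COMMIT
"""

# A rule line: "[packets:bytes] -A CHAIN rest-of-rule".
# Chain policy lines start with ":" and are deliberately not matched.
RULE = re.compile(r'^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$')
# Hypothetical tagging convention: a rule comment of the form bucket:NAME.
BUCKET = re.compile(r'--comment\s+"?bucket:([\w-]+)"?')


def aggregate(dump):
    """Return {bucket: (packets, bytes)} summed over all tagged rules.

    Rules without a bucket tag are collected under "untagged" so that
    unaccounted traffic stays visible instead of silently disappearing.
    """
    buckets = defaultdict(lambda: [0, 0])
    for line in dump.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # table headers, chain policies, COMMIT
        pkts, nbytes, rule = int(m.group(1)), int(m.group(2)), m.group(4)
        tag = BUCKET.search(rule)
        name = tag.group(1) if tag else "untagged"
        buckets[name][0] += pkts
        buckets[name][1] += nbytes
    return {name: tuple(totals) for name, totals in buckets.items()}


if __name__ == "__main__":
    for name, (pkts, nbytes) in sorted(aggregate(SAMPLE).items()):
        print(f"{name:10s} {pkts:8d} packets {nbytes:10d} bytes")
```
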
