* Retain QoS values on a pass-through node
@ 2015-12-01 14:13 Danushka Menikkumbura
  2015-12-01 15:10 ` Martin A. Brown
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: Danushka Menikkumbura @ 2015-12-01 14:13 UTC (permalink / raw)
  To: lartc

Hi,

I am trying to use a Linux box as a pass-through node using rinetd as
a port forwarding mechanism. I see that TOS is always zero on the
egress path so that my receiver does not receive the TOS values I set
on the sender.

Is there a way to solve this issue? Maybe rinetd does not copy the
values properly?

Probably there is a better/smarter way to do port forwarding (getting
my Linux box to work just as a pass-through node). Please let me know
if there is any other way to do that.

Thanks,
Danushka


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
@ 2015-12-01 15:10 ` Martin A. Brown
  2015-12-01 15:43 ` Danushka Menikkumbura
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Martin A. Brown @ 2015-12-01 15:10 UTC (permalink / raw)
  To: lartc


Hello Danushka,

>I am trying to use a Linux box as a pass-through node using rinetd 
>as a port forwarding mechanism. I see that TOS is always zero on 
>the egress path so that my receiver does not receive the TOS values 
>I set on the sender.

Do you need the TCP session to be terminated in userspace (and 
re-initiated)?  That's what's happening with rinetd.  You are using 
it as a TCP proxy.  The Linux box is acting as a (TCP) receiver on 
one side, and initiating a brand new TCP connection outbound.  
That's why the ToS value is changing.

Next question:  When you say 'pass-through' node, I am not certain 
what you mean.  Do you want your Linux box to act like a router?
If so, then, that's very easy:

  sysctl -w net.ipv4.ip_forward=1

Now, you have a router.  Send packets to the ultimate destination 
from your sender node.  Make sure that you configure your routes 
properly (maybe that's already done).

>Is there a way to solve this issue? Maybe rinetd does not copy the
>values properly?

I do not know rinetd.  Perhaps somebody else does.

>Probably there is a better/smarter way to do port forwarding (getting
>my Linux box to work just as a pass-through node). Please let me know
>if there is any other way to do that.

How many values are you changing in the packet?  Just the 
destination port?  Also the destination address?

I'm thinking that iptables NAT may provide you a solution.  Assuming 
you are just messing with the destination address and port, you 
should be able to use iptables DNAT.  I'd suggest reading these:

  http://linux-ip.net/html/nat-dnat.html
  https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html

Good luck,

-Martin

-- 
Martin A. Brown
http://linux-ip.net/


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
  2015-12-01 15:10 ` Martin A. Brown
@ 2015-12-01 15:43 ` Danushka Menikkumbura
  2015-12-01 15:46 ` Danushka Menikkumbura
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Danushka Menikkumbura @ 2015-12-01 15:43 UTC (permalink / raw)
  To: lartc

Hello Martin,

Thanks a lot for your quick reply.

When I say "pass-through" node yes I mean the behavior of a router but
in this case my sender(s), pass-through node (i.e. router) and
receiver are all in the same subnet. In other words, the pass-through
node does not bridge two subnets. I hope you get the picture.

Basically what I am trying to do is to stress the pass-through node to
test the performance of a Qdisc that I am currently working on.

Can I follow the pointers given by you to have a setup like that?

I really appreciate your help as I am kind of stuck with this.

Thanks,
Danushka

On Tue, Dec 1, 2015 at 10:10 AM, Martin A. Brown <martin@linux-ip.net> wrote:
>
> Hello Danushka,
>
>>I am trying to use a Linux box as a pass-through node using rinetd
>>as a port forwarding mechanism. I see that TOS is always zero on
>>the egress path so that my receiver does not receive the TOS values
>>I set on the sender.
>
> Do you need the TCP session to be terminated in userspace (and
> re-initiated)?  That's what's happening with rinetd.  You are using
> it as a TCP proxy.  The Linux box is acting as a (TCP) receiver on
> one side, and initiating a brand new TCP connection outbound.
> That's why the ToS value is changing.
>
> Next question:  When you say 'pass-through' node, I am not certain
> what you mean.  Do you want your Linux box to act like a router?
> If so, then, that's very easy:
>
>   sysctl -w net.ipv4.ip_forward=1
>
> Now, you have a router.  Send packets to the ultimate destination
> from your sender node.  Make sure that you configure your routes
> properly (maybe that's already done).
>
>>Is there a way to solve this issue? Maybe rinetd does not copy the
>>values properly?
>
> I do not know rinetd.  Perhaps somebody else does.
>
>>Probably there is a better/smarter way to do port forwarding (getting
>>my Linux box to work just as a pass-through node). Please let me know
>>if there is any other way to do that.
>
> How many values are you changing in the packet?  Just the
> destination port?  Also the destination address?
>
> I'm thinking that iptables NAT may provide you a solution.  Assuming
> you are just messing with the destination address and port, you
> should be able to use iptables DNAT.  I'd suggest reading these:
>
>   http://linux-ip.net/html/nat-dnat.html
>   https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html
>
> Good luck,
>
> -Martin
>
> --
> Martin A. Brown
> http://linux-ip.net/


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
  2015-12-01 15:10 ` Martin A. Brown
  2015-12-01 15:43 ` Danushka Menikkumbura
@ 2015-12-01 15:46 ` Danushka Menikkumbura
  2015-12-01 16:24 ` Erik Auerswald
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Danushka Menikkumbura @ 2015-12-01 15:46 UTC (permalink / raw)
  To: lartc

And FYI I am using 2 virtual machines (sender, pass-through) and my
host machine (receiver) just to start with. I am planning to have a
physical setup similar to that later on.

Thanks,
Danushka

On Tue, Dec 1, 2015 at 10:43 AM, Danushka Menikkumbura
<danushka.menikkumbura@gmail.com> wrote:
> Hello Martin,
>
> Thanks a lot for your quick reply.
>
> When I say "pass-through" node yes I mean the behavior of a router but
> in this case my sender(s), pass-through node (i.e. router) and
> receiver are all in the same subnet. In other words, the pass-through
> node does not bridge two subnets. I hope you get the picture.
>
> Basically what I am trying to do is to stress the pass-through node to
> test the performance of a Qdisc that I am currently working on.
>
> Can I follow the pointers given by you to have a setup like that?
>
> I really appreciate your help as I am kind of stuck with this.
>
> Thanks,
> Danushka
>
> On Tue, Dec 1, 2015 at 10:10 AM, Martin A. Brown <martin@linux-ip.net> wrote:
>>
>> Hello Danushka,
>>
>>>I am trying to use a Linux box as a pass-through node using rinetd
>>>as a port forwarding mechanism. I see that TOS is always zero on
>>>the egress path so that my receiver does not receive the TOS values
>>>I set on the sender.
>>
>> Do you need the TCP session to be terminated in userspace (and
>> re-initiated)?  That's what's happening with rinetd.  You are using
>> it as a TCP proxy.  The Linux box is acting as a (TCP) receiver on
>> one side, and initiating a brand new TCP connection outbound.
>> That's why the ToS value is changing.
>>
>> Next question:  When you say 'pass-through' node, I am not certain
>> what you mean.  Do you want your Linux box to act like a router?
>> If so, then, that's very easy:
>>
>>   sysctl -w net.ipv4.ip_forward=1
>>
>> Now, you have a router.  Send packets to the ultimate destination
>> from your sender node.  Make sure that you configure your routes
>> properly (maybe that's already done).
>>
>>>Is there a way to solve this issue? Maybe rinetd does not copy the
>>>values properly?
>>
>> I do not know rinetd.  Perhaps somebody else does.
>>
>>>Probably there is a better/smarter way to do port forwarding (getting
>>>my Linux box to work just as a pass-through node). Please let me know
>>>if there is any other way to do that.
>>
>> How many values are you changing in the packet?  Just the
>> destination port?  Also the destination address?
>>
>> I'm thinking that iptables NAT may provide you a solution.  Assuming
>> you are just messing with the destination address and port, you
>> should be able to use iptables DNAT.  I'd suggest reading these:
>>
>>   http://linux-ip.net/html/nat-dnat.html
>>   https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html
>>
>> Good luck,
>>
>> -Martin
>>
>> --
>> Martin A. Brown
>> http://linux-ip.net/


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
                   ` (2 preceding siblings ...)
  2015-12-01 15:46 ` Danushka Menikkumbura
@ 2015-12-01 16:24 ` Erik Auerswald
  2015-12-01 20:29 ` Danushka Menikkumbura
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Erik Auerswald @ 2015-12-01 16:24 UTC (permalink / raw)
  To: lartc

Hi,

On Tue, Dec 01, 2015 at 07:10:25AM -0800, Martin A. Brown wrote:
> 
> Hello Danushka,
> 
> >I am trying to use a Linux box as a pass-through node using rinetd 
> >as a port forwarding mechanism. I see that TOS is always zero on 
> >the egress path so that my receiver does not receive the TOS values 
> >I set on the sender.
> 
> Do you need the TCP session to be terminated in userspace (and 
> re-initiated)?  That's what's happening with rinetd.  You are using 
> it as a TCP proxy.  The Linux box is acting as a (TCP) receiver on 
> one side, and initiating a brand new TCP connection outbound.  
> That's why the ToS value is changing.
> 
> Next question:  When you say 'pass-through' node, I am not certain 
> what you mean.  Do you want your Linux box to act like a router?
> If so, then, that's very easy:
> 
>   sysctl -w net.ipv4.ip_forward=1
> 
> Now, you have a router.  Send packets to the ultimate destination 
> from your sender node.  Make sure that you configure your routes 
> properly (maybe that's already done).
> 
> >Is there a way to solve this issue? Maybe rinetd does not copy the
> >values properly?
> 
> I do not know rinetd.  Perhaps somebody else does.
> 
> >Probably there is a better/smarter way to do port forwarding (getting
> >my Linux box to work just as a pass-through node). Please let me know
> >if there is any other way to do that.
> 
> How many values are you changing in the packet?  Just the 
> destination port?  Also the destination address?
> 
> I'm thinking that iptables NAT may provide you a solution.  Assuming 
> you are just messing with the destination address and port, you 
> should be able to use iptables DNAT.  I'd suggest reading these:
> 
>   http://linux-ip.net/html/nat-dnat.html
>   https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html

I am using the above ideas for TCP port forwarding, it is basically:

- Destination NAT in the PREROUTING chain for packets going through the
  box (ip forwarding needs to be enabled)
- Destination NAT in the OUTPUT chain for local testing of the port
  forwarding
- Masquerading to have symmetric traffic flow and easier firewalling for
  the systems the ports are forwarded to

I use this to forward console server sessions to a bunch of individual
console servers. Clients connect to the IP of the port forwarder. There a
numbering scheme is used to easily identify the machine to connect to, and
the TCP session is forwarded to the correct physical console server.

You can leave out any parts you do not need for your use case. ;-)

Anyway, for testing routing performance, I'd go with a setup using two
interfaces on the "router" which are in different subnets, and connect one
of those to the "receiver", the other to the "sender". IP connections from
sender to receiver need to use the router.

For testing network stuff on one machine, network namespaces come in handy.
You can experiment with the "ip netns" command set to create virtual
interfaces in different network namespaces that cannot communicate directly
with each other. You can then add a router in the global namespace to
connect them (or use VLANs and a bridge to get them to an external router).
No need for full VMs. ;-)

HTH,
Erik
-- 
Thanks to the virtue of me personally not caring one whit about
virtualization, I can stand back and just watch the fireworks.
                        -- Linus Torvalds


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
                   ` (3 preceding siblings ...)
  2015-12-01 16:24 ` Erik Auerswald
@ 2015-12-01 20:29 ` Danushka Menikkumbura
  2015-12-02  8:22 ` Erik Auerswald
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Danushka Menikkumbura @ 2015-12-01 20:29 UTC (permalink / raw)
  To: lartc

Hi Erik,

I am happy to look into the network namespace-based approach that you
have mentioned but before that I tried to use DNAT on my Linux box but
ended up having the following error.

iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Please note that I used a kernel source version (3.19.8-ckt5+) to
compile and install iptables module using "menuconfig" (Networking
support > Networking options > Network packet filtering framework
(Netfilter) > IP: Netfilter Configuration > IP tables support
(required for filtering/masq/NAT)).

Could you shed some light on this please?

Thanks,
Danushka

On Tue, Dec 1, 2015 at 11:24 AM, Erik Auerswald
<auerswal@unix-ag.uni-kl.de> wrote:
> Hi,
>
> On Tue, Dec 01, 2015 at 07:10:25AM -0800, Martin A. Brown wrote:
>>
>> Hello Danushka,
>>
>> >I am trying to use a Linux box as a pass-through node using rinetd
>> >as a port forwarding mechanism. I see that TOS is always zero on
>> >the egress path so that my receiver does not receive the TOS values
>> >I set on the sender.
>>
>> Do you need the TCP session to be terminated in userspace (and
>> re-initiated)?  That's what's happening with rinetd.  You are using
>> it as a TCP proxy.  The Linux box is acting as a (TCP) receiver on
>> one side, and initiating a brand new TCP connection outbound.
>> That's why the ToS value is changing.
>>
>> Next question:  When you say 'pass-through' node, I am not certain
>> what you mean.  Do you want your Linux box to act like a router?
>> If so, then, that's very easy:
>>
>>   sysctl -w net.ipv4.ip_forward=1
>>
>> Now, you have a router.  Send packets to the ultimate destination
>> from your sender node.  Make sure that you configure your routes
>> properly (maybe that's already done).
>>
>> >Is there a way to solve this issue? Maybe rinetd does not copy the
>> >values properly?
>>
>> I do not know rinetd.  Perhaps somebody else does.
>>
>> >Probably there is a better/smarter way to do port forwarding (getting
>> >my Linux box to work just as a pass-through node). Please let me know
>> >if there is any other way to do that.
>>
>> How many values are you changing in the packet?  Just the
>> destination port?  Also the destination address?
>>
>> I'm thinking that iptables NAT may provide you a solution.  Assuming
>> you are just messing with the destination address and port, you
>> should be able to use iptables DNAT.  I'd suggest reading these:
>>
>>   http://linux-ip.net/html/nat-dnat.html
>>   https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html
>
> I am using the above ideas for TCP port forwarding, it is basically:
>
> - Destination NAT in the PREROUTING chain for packets going through the
>   box (ip forwarding needs to be enabled)
> - Destination NAT in the OUTPUT chain for local testing of the port
>   forwarding
> - Masquerading to have symmetric traffic flow and easier firewalling for
>   the systems the ports are forwarded to
>
> I use this to forward console server sessions to a bunch of individual
> console servers. Clients connect to the IP of the port forwarder. There a
> numbering scheme is used to easily identify the machine to connect to, and
> the TCP session is forwarded to the correct physical console server.
>
> You can leave out any parts you do not need for your use case. ;-)
>
> Anyway, for testing routing performance, I'd go with a setup using two
> interfaces on the "router" which are in different subnets, and connect one
> of those to the "receiver", the other to the "sender". IP connections from
> sender to receiver need to use the router.
>
> For testing network stuff on one machine, network namespaces come in handy.
> You can experiment with the "ip netns" command set to create virtual
> interfaces in different network namespaces that cannot communicate directly
> with each other. You can then add a router in the global namespace to
> connect them (or use VLANs and a bridge to get them to an external router).
> No need for full VMs. ;-)
>
> HTH,
> Erik
> --
> Thanks to the virtue of me personally not caring one whit about
> virtualization, I can stand back and just watch the fireworks.
>                         -- Linus Torvalds


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
                   ` (4 preceding siblings ...)
  2015-12-01 20:29 ` Danushka Menikkumbura
@ 2015-12-02  8:22 ` Erik Auerswald
  2015-12-02 18:04 ` Danushka Menikkumbura
  2015-12-04  4:41 ` Danushka Menikkumbura
  7 siblings, 0 replies; 9+ messages in thread
From: Erik Auerswald @ 2015-12-02  8:22 UTC (permalink / raw)
  To: lartc

Hello Danushka,

On Tue, Dec 01, 2015 at 03:29:33PM -0500, Danushka Menikkumbura wrote:
> Hi Erik,
> 
> I am happy to look into the network namespace-based approach that you
> have mentioned but before that I tried to use DNAT on my Linux box but
> ended up having the following error.
> 
> iptables v1.4.21: can't initialize iptables table `nat': Table does
> not exist (do you need to insmod?)

That error message hints at a missing module. On my Ubuntu system with NAT
I have the following related modules loaded:

iptable_nat
nf_nat
nf_conntrack_ipv4
nf_conntrack
nf_defrag_ipv4
iptable_filter
ip_tables
x_tables

> Perhaps iptables or your kernel needs to be upgraded.
> 
> Please note that I used a kernel source version (3.19.8-ckt5+) to
> compile and install iptables module using "menuconfig" (Networking
> support > Networking options > Network packet filtering framework
> (Netfilter) > IP: Netfilter Configuration > IP tables support
> (required for filtering/masq/NAT)).
> 
> Could you shed some light on this please?

If you are compiling your own kernel, be sure to include all features you
need. I'd advise to use distribution kernels unless you know how to
configure a kernel to fit your needs.

Best regards,
Erik
-- 
I think of math as a splendid way to learn to think straight.
                        -- Bjarne Stroustrup


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
                   ` (5 preceding siblings ...)
  2015-12-02  8:22 ` Erik Auerswald
@ 2015-12-02 18:04 ` Danushka Menikkumbura
  2015-12-04  4:41 ` Danushka Menikkumbura
  7 siblings, 0 replies; 9+ messages in thread
From: Danushka Menikkumbura @ 2015-12-02 18:04 UTC (permalink / raw)
  To: lartc

Hi Erik,

Thanks a lot for the tips. I managed to configure my kernel build to
include all the required modules and now I don't see the error.

Anyway I still cannot get my client (192.168.0.107) to talk to the
server (192.168.0.106) through the router (192.168.0.103). I used the
following commands on the router node to add DNAT and SNAT rules.

sudo iptables -t nat -A PREROUTING -d 192.168.0.103 -j DNAT --to-destination 192.168.0.106
sudo iptables -t nat -A POSTROUTING -s 192.168.0.106 -j SNAT --to-source 192.168.0.103

Also when I ping 192.168.0.103 (router) from 192.168.0.107 (client) I
see that the packets are actually coming from 192.168.0.106 (server).

PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.106: icmp_seq=1 ttl=64 time=0.816 ms
64 bytes from 192.168.0.106: icmp_seq=2 ttl=64 time=0.616 ms
64 bytes from 192.168.0.106: icmp_seq=3 ttl=64 time=0.465 ms

It looks to me that SNAT is not working properly? Do you see
something wrong with what I have done?

Thanks and Regards,
Danushka

On Wed, Dec 2, 2015 at 3:22 AM, Erik Auerswald
<auerswal@unix-ag.uni-kl.de> wrote:
> Hello Danushka,
>
> On Tue, Dec 01, 2015 at 03:29:33PM -0500, Danushka Menikkumbura wrote:
>> Hi Erik,
>>
>> I am happy to look into the network namespace-based approach that you
>> have mentioned but before that I tried to use DNAT on my Linux box but
>> ended up having the following error.
>>
>> iptables v1.4.21: can't initialize iptables table `nat': Table does
>> not exist (do you need to insmod?)
>
> That error message hints at a missing module. On my Ubuntu system with NAT
> I have the following related modules loaded:
>
> iptable_nat
> nf_nat
> nf_conntrack_ipv4
> nf_conntrack
> nf_defrag_ipv4
> iptable_filter
> ip_tables
> x_tables
>
>> Perhaps iptables or your kernel needs to be upgraded.
>>
>> Please note that I used a kernel source version (3.19.8-ckt5+) to
>> compile and install iptables module using "menuconfig" (Networking
>> support > Networking options > Network packet filtering framework
>> (Netfilter) > IP: Netfilter Configuration > IP tables support
>> (required for filtering/masq/NAT)).
>>
>> Could you shed some light on this please?
>
> If you are compiling your own kernel, be sure to include all features you
> need. I'd advise to use distribution kernels unless you know how to
> configure a kernel to fit your needs.
>
> Best regards,
> Erik
> --
> I think of math as a splendid way to learn to think straight.
>                         -- Bjarne Stroustrup
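
A simplified model of the setup in the message above, added here as an illustration and not code from the thread: it shows why, with all three hosts in one subnet, the ping replies arrive from 192.168.0.106, and contrasts forwarding with NAT (TOS byte untouched) against the userspace proxy case Martin described earlier (TOS not carried over). The class, function and rule representations are constructed for this example; the destination-matching SNAT rule is an assumed variant, since the thread does not show the final rules.

```python
from dataclasses import dataclass, replace

# Addresses as given in the thread.
CLIENT, ROUTER, SERVER = "192.168.0.107", "192.168.0.103", "192.168.0.106"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tos: int = 0


class NatRouter:
    """Toy nat table: rules see only the first packet of a flow,
    conntrack then reverses the mapping for replies that pass through."""

    def __init__(self, addr, dnat, snat):
        self.addr = addr
        self.dnat = dnat      # PREROUTING:  [(match_dst, new_dst)]
        self.snat = snat      # POSTROUTING: [(field, value, new_src)]
        self.conntrack = {}   # expected reply (src, dst) -> rewritten (src, dst)

    def forward(self, pkt):
        reverse = self.conntrack.get((pkt.src, pkt.dst))
        if reverse:                       # reply of a tracked flow
            return replace(pkt, src=reverse[0], dst=reverse[1])
        out = pkt
        for match_dst, new_dst in self.dnat:
            if out.dst == match_dst:
                out = replace(out, dst=new_dst)   # only dst changes, tos untouched
                break
        for field, value, new_src in self.snat:
            if getattr(out, field) == value:
                out = replace(out, src=new_src)
                break
        self.conntrack[(out.dst, out.src)] = (pkt.dst, pkt.src)
        return out


def proxy_relay(pkt):
    """Userspace TCP proxy (the rinetd case): a new connection is originated,
    so nothing from the inbound IP header, TOS included, is carried over."""
    return Packet(src=ROUTER, dst=SERVER)


def ping(router, tos=0x10):
    """Client pings the router address. Returns (request as seen by the
    server, reply as seen by the client). Reply TOS is not modelled."""
    at_server = router.forward(Packet(CLIENT, ROUTER, tos))
    reply = Packet(src=at_server.dst, dst=at_server.src)
    # One shared subnet: the reply goes straight to whoever owns reply.dst,
    # so the router only sees it when it is addressed to the router.
    if reply.dst == router.addr:
        reply = router.forward(reply)
    return at_server, reply


DNAT = [(ROUTER, SERVER)]                # -d .103 -j DNAT --to-destination .106
SNAT_POSTED = [("src", SERVER, ROUTER)]  # -s .106 -j SNAT --to-source .103
SNAT_BY_DST = [("dst", SERVER, ROUTER)]  # assumed variant: -d .106 -j SNAT --to-source .103


def run(snat):
    """Run one ping through a fresh router with the given POSTROUTING rules."""
    return ping(NatRouter(ROUTER, DNAT, snat))


if __name__ == "__main__":
    for name, snat in (("posted", SNAT_POSTED), ("match on dst", SNAT_BY_DST)):
        at_server, reply = run(snat)
        print(f"{name}: server sees {at_server.src} tos={at_server.tos:#x}, "
              f"client gets reply from {reply.src}")
    print("proxy: server sees tos", hex(proxy_relay(Packet(CLIENT, ROUTER, 0x10)).tos))
```

With the posted rules the server sees the client's own address as source and answers it directly, so the router never gets the chance to reverse the DNAT; matching on the destination instead makes the server reply to the router, which restores the original addresses.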


* Re: Retain QoS values on a pass-through node
  2015-12-01 14:13 Retain QoS values on a pass-through node Danushka Menikkumbura
                   ` (6 preceding siblings ...)
  2015-12-02 18:04 ` Danushka Menikkumbura
@ 2015-12-04  4:41 ` Danushka Menikkumbura
  7 siblings, 0 replies; 9+ messages in thread
From: Danushka Menikkumbura @ 2015-12-04  4:41 UTC (permalink / raw)
  To: lartc

Hi Erik,

I managed to get it to work after setting DNAT/SNAT rules for each hop
in my 3-node setup.

Thanks a lot for all your help and support.

Best,
Danushka

On Wed, Dec 2, 2015 at 1:04 PM, Danushka Menikkumbura
<danushka.menikkumbura@gmail.com> wrote:
> Hi Erik,
>
> Thanks a lot for the tips. I managed to configure my kernel build to
> include all the required modules and now I don't see the error.
>
> Anyway I still cannot get my client (192.168.0.107) to talk to the
> server (192.168.0.106) through the router (192.168.0.103). I used the
> following commands on the router node to add DNAT and SNAT rules.
>
> sudo iptables -t nat -A PREROUTING -d 192.168.0.103 -j DNAT --to-destination 192.168.0.106
> sudo iptables -t nat -A POSTROUTING -s 192.168.0.106 -j SNAT --to-source 192.168.0.103
>
> Also when I ping 192.168.0.103 (router) from 192.168.0.107 (client) I
> see that the packets are actually coming from 192.168.0.106 (server).
>
> PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
> 64 bytes from 192.168.0.106: icmp_seq=1 ttl=64 time=0.816 ms
> 64 bytes from 192.168.0.106: icmp_seq=2 ttl=64 time=0.616 ms
> 64 bytes from 192.168.0.106: icmp_seq=3 ttl=64 time=0.465 ms
>
> It looks to me that SNAT is not working properly? Do you see
> something wrong with what I have done?
>
> Thanks and Regards,
> Danushka
>
> On Wed, Dec 2, 2015 at 3:22 AM, Erik Auerswald
> <auerswal@unix-ag.uni-kl.de> wrote:
>> Hello Danushka,
>>
>> On Tue, Dec 01, 2015 at 03:29:33PM -0500, Danushka Menikkumbura wrote:
>>> Hi Erik,
>>>
>>> I am happy to look into the network namespace-based approach that you
>>> have mentioned but before that I tried to use DNAT on my Linux box but
>>> ended up having the following error.
>>>
>>> iptables v1.4.21: can't initialize iptables table `nat': Table does
>>> not exist (do you need to insmod?)
>>
>> That error message hints at a missing module. On my Ubuntu system with NAT
>> I have the following related modules loaded:
>>
>> iptable_nat
>> nf_nat
>> nf_conntrack_ipv4
>> nf_conntrack
>> nf_defrag_ipv4
>> iptable_filter
>> ip_tables
>> x_tables
>>
>>> Perhaps iptables or your kernel needs to be upgraded.
>>>
>>> Please note that I used a kernel source version (3.19.8-ckt5+) to
>>> compile and install iptables module using "menuconfig" (Networking
>>> support > Networking options > Network packet filtering framework
>>> (Netfilter) > IP: Netfilter Configuration > IP tables support
>>> (required for filtering/masq/NAT)).
>>>
>>> Could you shed some light on this please?
>>
>> If you are compiling your own kernel, be sure to include all features you
>> need. I'd advise to use distribution kernels unless you know how to
>> configure a kernel to fit your needs.
>>
>> Best regards,
>> Erik
>> --
>> I think of math as a splendid way to learn to think straight.
>>                         -- Bjarne Stroustrup
