Learning VPP: Internet access


Overview

The goal is to provide internet access for a network namespace through VPP.

To achieve this we set up routing and NAT on the host, and additionally use the proxy ARP feature of VPP.

Build and run

First, build and run VPP as described in a previous post.

make run STARTUP_CONF=startup.conf

Setup

To set up the network namespace, routing, NAT, and proxy ARP, run the following script.

#!/bin/bash
PATH=$PATH:./build-root/build-vpp-native/vpp/bin/
if [ "$USER" != "root" ] ; then
    echo "Restarting script with sudo..."
    sudo "$0" "$@"
    exit
fi
# delete previous incarnations if they exist
ip link del dev vpp1
ip link del dev vpp2
ip netns del vpp1
# create namespace
ip netns add vpp1
# create and configure 1st veth pair: the vpp1 end stays on the host for VPP,
# the veth_vpp1 end is moved into the vpp1 namespace
ip link add name veth_vpp1 type veth peer name vpp1
ip link set dev vpp1 up
ip link set dev veth_vpp1 up netns vpp1
ip netns exec vpp1 \
bash -c "
ip link set dev lo up
ip addr add 172.16.1.2/24 dev veth_vpp1
ip route add 172.16.2.0/24 via 172.16.1.1
ip route add default via 172.16.1.1
"
# create and configure 2nd veth pair: VPP's uplink towards the host
ip link add name veth_vpp2 type veth peer name vpp2
ip link set dev vpp2 up
ip addr add 172.16.2.2/24 dev veth_vpp2
ip link set dev veth_vpp2 up
ip route add 172.16.1.0/24 via 172.16.2.2
# configure VPP: attach both host-side veth ends, address them, add routes
vppctl create host-interface name vpp1
vppctl create host-interface name vpp2
vppctl set int state host-vpp1 up
vppctl set int state host-vpp2 up
vppctl set int ip address host-vpp1 172.16.1.1/24
vppctl set int ip address host-vpp2 172.16.2.1/24
vppctl ip route add 172.16.1.0/24 via 172.16.1.1 host-vpp1
vppctl ip route add 172.16.2.0/24 via 172.16.2.1 host-vpp2
vppctl ip route add 0.0.0.0/0 via 172.16.2.2 host-vpp2
# answer ARP requests for 172.16.1.1 - 172.16.1.2 that arrive on host-vpp2
vppctl set interface proxy-arp host-vpp2 enable
vppctl set ip arp proxy 172.16.1.1 - 172.16.1.2
# Enable IP forwarding on the host.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush forward rules and default to DROP.
iptables -P FORWARD DROP
iptables -F FORWARD
# Flush nat rules.
iptables -t nat -F
# Enable NAT masquerading on the host's uplink (wlan0 here; adjust to your uplink)
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# Only forward traffic between VPP's uplink veth and wlan0.
iptables -A FORWARD -i wlan0 -o veth_vpp2 -j ACCEPT
iptables -A FORWARD -o wlan0 -i veth_vpp2 -j ACCEPT
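Before testing connectivity it is worth confirming that the host firewall really restricts forwarding to the veth_vpp2 <-> wlan0 path the script intends, since an ACCEPT policy or a wider ACCEPT rule would let the namespace reach other host interfaces through the host. The check below is an added example, not code from the original post; it reads iptables-save output from a file (sample output is constructed inline) and assumes the interface names wlan0 and veth_vpp2.

```shell
#!/bin/bash
# Added example, not part of the original post: check that the host firewall
# really limits forwarding to the veth_vpp2 <-> uplink path set up above.
# Interface names are assumed to match the post (wlan0, veth_vpp2).
UPLINK="${UPLINK:-wlan0}"
VETH="${VETH:-veth_vpp2}"
# check_forward_policy FILE  (FILE holds `iptables-save` output)
# Succeeds only if FORWARD defaults to DROP, MASQUERADE is bound to $UPLINK,
# and every FORWARD ACCEPT rule names both $VETH and $UPLINK.
check_forward_policy() {
    rules="$1"; ok=0
    grep -q "^:FORWARD DROP" "$rules" || { echo "FORWARD policy is not DROP"; ok=1; }
    grep -q -- "-A POSTROUTING -o $UPLINK -j MASQUERADE" "$rules" \
        || { echo "no MASQUERADE rule on $UPLINK"; ok=1; }
    # any FORWARD ACCEPT that omits one of the two interfaces widens the
    # namespace's reach to other host interfaces
    bad=$(grep -- "-A FORWARD .*-j ACCEPT" "$rules" \
        | grep -v -E -- "-i $UPLINK -o $VETH |-i $VETH -o $UPLINK |-o $UPLINK -i $VETH |-o $VETH -i $UPLINK " || true)
    [ -z "$bad" ] || { echo "unexpected FORWARD ACCEPT rule(s):"; echo "$bad"; ok=1; }
    return $ok
}
# Constructed iptables-save output: first the state the setup script
# produces, then a permissive variant that the check should reject.
GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i wlan0 -o veth_vpp2 -j ACCEPT
-A FORWARD -i veth_vpp2 -o wlan0 -j ACCEPT
COMMIT
EOF
cat > "$BAD_RULES" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i veth_vpp2 -j ACCEPT
COMMIT
EOF
echo "== expected state"; check_forward_policy "$GOOD_RULES" && echo OK
echo "== permissive state"; check_forward_policy "$BAD_RULES" || echo REJECTED
```

On the real host, run `iptables-save > rules.txt` and call `check_forward_policy rules.txt` after the setup script.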

Results

Now we can access the internet from the vpp1 network namespace.

sudo ip netns exec vpp1 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=73.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=139 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=35.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=115 time=36.6 ms

VPP itself also has access to the internet.

DBGvpp# ping 8.8.8.8
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=53.7913 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=35.3645 ms
Aborted due to a keypress.

Statistics: 2 sent, 2 received, 0% packet loss

Now we can access the Google web site.

sudo ip netns exec vpp1 curl www.google.com

We can also trace the HTTP packets inside VPP.

DBGvpp# trace add af-packet-input 1000
DBGvpp# show trace
...
Packet 37

00:18:08:629788: af-packet-input
af_packet: hw_if_index 1 next-index 4
tpacket2_hdr:
status 0x9 len 54 snaplen 54 mac 66 net 80
sec 0x5b7e7b58 nsec 0x157af968 vlan 0 vlan_tpid 0
00:18:08:629839: ethernet-input
IP4: 6e:25:1b:a7:11:05 -> 02:fe:13:61:29:4b
00:18:08:629865: ip4-input
TCP: 172.16.1.2 -> 173.194.221.103
tos 0x00, ttl 64, length 40, checksum 0xd927
fragment id 0x296c, flags DONT_FRAGMENT
TCP: 51480 -> 80
seq. 0xeec90cb7 ack 0x5287d28f
flags 0x10 ACK, tcp header: 20 bytes
window 457, checksum 0x0000
00:18:08:629889: ip4-lookup
fib 0 dpo-idx 4 flow hash: 0x00000000
TCP: 172.16.1.2 -> 173.194.221.103
tos 0x00, ttl 64, length 40, checksum 0xd927
fragment id 0x296c, flags DONT_FRAGMENT
TCP: 51480 -> 80
seq. 0xeec90cb7 ack 0x5287d28f
flags 0x10 ACK, tcp header: 20 bytes
window 457, checksum 0x0000
00:18:08:629913: ip4-rewrite
tx_sw_if_index 2 dpo-idx 4 : ipv4 via 172.16.2.2 host-vpp2: mtu:9000 a60ae99593be02fe094ec8700800 flow hash: 0x00000000
00000000: a60ae99593be02fe094ec870080045000028296c40003f06da27ac100102adc2
00000020: dd67c9180050eec90cb75287d28f501001c900000000000000000000
00:18:08:629940: host-vpp2-output
host-vpp2
IP4: 02:fe:09:4e:c8:70 -> a6:0a:e9:95:93:be
TCP: 172.16.1.2 -> 173.194.221.103
tos 0x00, ttl 63, length 40, checksum 0xda27
fragment id 0x296c, flags DONT_FRAGMENT
TCP: 51480 -> 80
seq. 0xeec90cb7 ack 0x5287d28f
flags 0x10 ACK, tcp header: 20 bytes
window 457, checksum 0x0000
