-
Notifications
You must be signed in to change notification settings - Fork 322
IPFlowRawSockets
IPFlowRawSockets — Click element; creates separate sockets for each TCP/UDP flow
IPFlowRawSockets([KEYWORDS])
Ports: 1 input, 1 output
Drivers: userlevel
Sends and receives IP packets via raw sockets, one socket per flow. It distinguishes flows by their aggregate annotations. You usually will run IPFlowRawSockets downstream of an AggregateIPFlows element.
On some systems, packets larger than SNAPLEN will be truncated; default SNAPLEN is 2046 bytes.
On PlanetLab Linux, safe raw sockets are opened (http://www.planet-lab.org/raw_sockets/). Safe raw sockets bypass the kernel stack, so no additional firewalling is necessary.
On regular Linux, you will need to firewall the source ports that you expect IPFlowRawSockets to use so that the kernel does not attempt to answer for the raw connections that may be established by upstream elements. For example, in a NAPT configuration like that shown below, you might firewall TCP and UDP ports 50000-65535 with the iptables command, and then tell the kernel not to use ports 50000-65535 for local connections:
iptables -A INPUT -p tcp --dport 50000:65535 -j DROP
iptables -A INPUT -p udp --dport 50000:65535 -j DROP
echo 32768 49999 > /proc/sys/net/ipv4/ip_local_port_range
Keyword arguments are:
-
NOTIFIER — The name of an AggregateNotifier element, like AggregateIPFlows. If given, then IPFlowRawSockets will ask the element for notification when flows are deleted. It uses that notification to free its state early. It's a very good idea to supply a NOTIFIER.
An AggregateNotifier in the data path is mandatory anyway. See below for an example usage of this element.
-
SNAPLEN — Unsigned integer. Maximum receive packet length. This value represents the MRU of the IPFlowSocket. Packets larger than SNAPLEN will be truncated.
-
PCAP — Boolean. Whether to use libpcap for packet capture. Libpcap is unnecessary for capturing packets on PlanetLab Linux. Default is true.
-
HEADROOM — Unsigned Integer. Amount of headroom to reserve in packets created by this element. This could be useful for encapsulation protocols which add headers to the packet, and can avoid expensive push operations later in the packet's life.
Only available in user-level processes.
The following snippet is the heart of a basic user-level NAPT configuration with an external address of 10.0.0.1 and an internal IP path represented by ip_from_intern and ip_to_intern.
af :: AggregateIPFlows(TRACEINFO -)
cp :: CheckPaint(0)
IPRewriterPatterns(to_world_pat 10.0.0.1 50000-65535 - -)
rw :: IPRewriter(
pattern to_world_pat 0 1,
drop
)
socket :: IPFlowRawSockets(NOTIFIER af)
// Forward direction
ip_from_intern -> af
af -> cp
cp[0] -> [0]rw
rw[0] -> GetIPAddress -> CheckIPHeader -> socket
// Reverse direction
socket -> CheckIPHeader -> IPClassifier(tcp or udp) -> [1]rw
rw[1] -> af
cp[1] -> ip_to_intern
ToIPFlowDumps, AggregateIPFlows
Generated by click-elem2man from ../elements/userlevel/ipflowrawsockets.hh:31
on 2017/10/17.