Tom Barbette edited this page Oct 3, 2018 · 2 revisions

IPFlowRawSockets Element Documentation

NAME

IPFlowRawSockets — Click element; creates separate sockets for each TCP/UDP flow

SYNOPSIS

IPFlowRawSockets([KEYWORDS])

Ports: 1 input, 1 output
Drivers: userlevel

DESCRIPTION

Sends and receives IP packets via raw sockets, one socket per flow. It distinguishes flows by their aggregate annotations. You usually will run IPFlowRawSockets downstream of an AggregateIPFlows element.

On some systems, packets larger than SNAPLEN will be truncated; default SNAPLEN is 2046 bytes.

On PlanetLab Linux, safe raw sockets are opened (http://www.planet-lab.org/raw_sockets/). Safe raw sockets bypass the kernel stack, so no additional firewalling is necessary.

On regular Linux, you will need to firewall the source ports that you expect IPFlowRawSockets to use, so that the kernel does not answer (with a TCP RST or an ICMP port unreachable) for the connections that upstream elements establish through the raw sockets. For example, in a NAPT configuration like the one shown below, you might drop inbound TCP and UDP traffic to ports 50000-65535 with iptables, and then tell the kernel not to hand out ports 50000-65535 to local connections:

  iptables -A INPUT -p tcp --dport 50000:65535 -j DROP
  iptables -A INPUT -p udp --dport 50000:65535 -j DROP
  echo 32768 49999 > /proc/sys/net/ipv4/ip_local_port_range
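The following added example (not part of Click or of this page) checks that the two settings above are consistent with each other and with the port range the rewriter pattern uses: the kernel's ephemeral range must not overlap the NAT range, and both DROP rules must be present. The NAT range 50000-65535 and the commands are taken from the page; the function names and the sample range strings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Click project: sanity checks for the
# "regular Linux" setup above. NAT_LOW/NAT_HIGH mirror the
# IPRewriterPatterns range used in the NAPT configuration on this page.

NAT_LOW=50000
NAT_HIGH=65535

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2: succeeds (exit 0) when the two
# inclusive port ranges share at least one port.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_port_range "LOW HIGH" NAT_LOW NAT_HIGH: takes the two-number format
# of /proc/sys/net/ipv4/ip_local_port_range and fails (exit 1) if the kernel
# could hand a local connection one of the ports reserved for the rewriter.
# Exit 2 means the range string was malformed.
check_port_range() {
    range=$1; nat_low=$2; nat_high=$3
    set -- $range                      # word-split "32768 49999" into $1 and $2
    if [ "$#" -ne 2 ]; then
        echo "malformed ip_local_port_range: '$range'" >&2
        return 2
    fi
    if ranges_overlap "$1" "$2" "$nat_low" "$nat_high"; then
        echo "ephemeral ports $1-$2 overlap NAT ports $nat_low-$nat_high" >&2
        return 1
    fi
    return 0
}

# check_live_system: reads the real sysctl and verifies that the two DROP
# rules from the page exist (iptables -C exits non-zero when a rule is
# missing). Needs root; deliberately not called at the top level so the
# file can be sourced or run unprivileged.
check_live_system() {
    check_port_range "$(cat /proc/sys/net/ipv4/ip_local_port_range)" \
        "$NAT_LOW" "$NAT_HIGH" || return 1
    for proto in tcp udp; do
        iptables -C INPUT -p "$proto" --dport "$NAT_LOW:$NAT_HIGH" -j DROP 2>/dev/null \
            || { echo "missing INPUT DROP rule for $proto $NAT_LOW:$NAT_HIGH" >&2; return 1; }
    done
    echo "port range and firewall rules are consistent with the NAPT pattern"
}

# Constructed inputs: the range written by the page's echo command, and a
# wider range of the kind a distribution may ship by default.
check_port_range "32768 49999" "$NAT_LOW" "$NAT_HIGH" && echo "32768 49999: ok"
check_port_range "32768 60999" "$NAT_LOW" "$NAT_HIGH" \
    || echo "32768 60999: overlaps; fix with: echo 32768 49999 > /proc/sys/net/ipv4/ip_local_port_range"
```

Run `check_live_system` as root on the box that hosts the Click process. Shrinking ip_local_port_range is what the page describes; the separate sysctl net.ipv4.ip_local_reserved_ports (not mentioned on the page) reserves individual ports or ranges without narrowing the ephemeral range, which is the gentler option on a host that also runs ordinary services.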

Keyword arguments are:

  • NOTIFIER — The name of an AggregateNotifier element, like AggregateIPFlows. If given, then IPFlowRawSockets will ask the element for notification when flows are deleted. It uses that notification to free its state early. It's a very good idea to supply a NOTIFIER.

    An AggregateNotifier in the data path is mandatory anyway. See below for an example usage of this element.

  • SNAPLEN — Unsigned integer. Maximum receive packet length, i.e. the MRU of the sockets this element opens. Packets larger than SNAPLEN will be truncated. Default is 2046.

  • PCAP — Boolean. Whether to use libpcap for packet capture. Libpcap is unnecessary for capturing packets on PlanetLab Linux. Default is true. Note that libpcap captures at the link layer, before netfilter runs, so the iptables INPUT rules described above do not interfere with it; an IP raw socket, by contrast, only receives packets that have passed the INPUT chain.

  • HEADROOM — Unsigned Integer. Amount of headroom to reserve in packets created by this element. This could be useful for encapsulation protocols which add headers to the packet, and can avoid expensive push operations later in the packet's life.

NOTES

Only available in user-level processes.

EXAMPLES

The following snippet is the heart of a basic user-level NAPT configuration with an external address of 10.0.0.1 and an internal IP path represented by ip_from_intern and ip_to_intern.

  af :: AggregateIPFlows(TRACEINFO -)

  cp :: CheckPaint(0)

  IPRewriterPatterns(to_world_pat 10.0.0.1 50000-65535 - -)

  rw :: IPRewriter(
        pattern to_world_pat 0 1,
        drop
  )

  socket :: IPFlowRawSockets(NOTIFIER af)

  // Forward direction
  ip_from_intern -> af
  af -> cp
  cp[0] -> [0]rw
  rw[0] -> GetIPAddress -> CheckIPHeader -> socket

  // Reverse direction
  socket -> CheckIPHeader -> IPClassifier(tcp or udp) -> [1]rw
  rw[1] -> af
  cp[1] -> ip_to_intern

SEE ALSO

ToIPFlowDumps, AggregateIPFlows

Generated by click-elem2man from ../elements/userlevel/ipflowrawsockets.hh:31 on 2018/10/03.
