Manual
2004/07/23
1. Introduction
4. CM_LINUX
4.1. Network interfaces
4.2. Device node addition
7. Debugging
1. Introduction
This document describes a system based on MontaVista’s Linux for the MB86977
developed by MontaVista Software Inc.
[Figure: camelotd in user space above the network stack; netfilter, routing and the driver in the kernel; the Camelot hardware below them; the network at the bottom]
4. CM_LINUX
Normally, when new hardware is added to the Linux kernel, only a driver is developed for it.
For Camelot, however, we must also revise netfilter and add netlink functionality (the
details of which we shall not delve into here), and alter other things, which are
explained below.
root@192.168.1.1:/usr# ifconfig -a
cm0 Link encap:Ethernet HWaddr 00:90:99:18:72:9C
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25064 errors:0 dropped:0 overruns:0 frame:0
TX packets:17251 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:15248179 (14.5 Mb) TX bytes:2568011 (2.4 Mb)
The LAN interface.
cm1 Link encap:Ethernet HWaddr 00:90:99:18:72:9C
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2654 errors:0 dropped:0 overruns:0 frame:0
TX packets:1536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:246371 (240.5 Kb) TX bytes:180680 (176.4 Kb)
The DMZ interface. This interface is displayed regardless of whether it is in use or not.
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
………
# Tag Timeout Period Poll Period
# (sec) (sec)
CT 50 20
The timeout and polling interval.
Debug levels. The default is 1.
DBG_PANIC = 0
DBG_WARN = 1
DBG_INFO = 2
DBG_LOW = 3
DBG_LOWER = 4
DBG_LOWEST = 5
Be sure to assign a debug log file when using any debug level other than 0. If the debug
level is larger than 2, allocate more memory for the socket receive buffer as shown
below.
The status of Camelot can be monitored via the network by telnet from a different
machine after the camelotd daemon is started.
[Figure: a PC (192.168.1.10) on the LAN side of the Camelot router (192.168.1.1), with the WAN on the router's other side]
The above shows a successful telnet attempt (the prompt will not return). Commands
may be entered such as the following.
L2 Table:
Lkup Control Register: DMZ Mode Enabled, No Match Bits: 7
Entry 1: mac 00909918729c intf host STAT WAN DMZ
Entry 2: mac ffffffffffff intf host STAT WAN DMZ
Entry 3: mac 0002b3ecf0db intf LAN0 DYN
Entry 4: mac 0090991878b3 intf LAN1 DYN
The L2 MAC Address Table.
QOS:
0: DMZ ctl 0x000000c5 IPv4 sa 192.168.2.10 da 216.136.204.117 sp 0000 dp 0000 tos 0000 fl 0000
0: WAN ctl 0x000000c5 IPv4 sa 216.136.204.117 da 218.43.19.231 sp 0000 dp 0000 tos 0000 fl 0000
The QoS Table. This table is advertised only after the machines stated in
camelotd.cfg have started communicating.
NAT/IPF:
0: i 192.168.1.30 e 216.136.204.117 n 218.43.19.231 ip 8017 ep 0050 np 8017
id 0001 ed 0010 ctrl 00311001
lma 0002b3ecf0db wma 00057454bc06
1: i 192.168.1.30 e 216.136.204.117 n 218.43.19.231 ip 8018 ep 0051 np 8018
id 0001 ed 0010 ctrl 00311001
lma 0002b3ecf0db wma 00057454bc06
2: i 192.168.2.10 e 216.136.204.117 n 218.43.19.231 ip 9000 ep 0052 np 9000
id 0008 ed 0020 ctrl 00312001
lma 0002b3e380aa wma 00057454bc06
There are three entries in the NAT table (entry number 2 is in sync with the QoS table).
FILTER: filter mode/mask: 0x00000000 / 0x00000000
The Filter mode and the subnet mask.
filters in-ip
0: s 0.0.0.0 d 0.0.0.0 dp ffff:0000 sp ffff:0000
protocol value is 1245235 (0x130033)
TCP,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
log,pass,ack_fg_en_0,wan,
1: s 0.0.0.0 d 0.0.0.0 dp 0000:0000 sp 0000:0000
protocol value is 4390967 (0x430037)
ICMP,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,icmp_dont_care,ipv4,entry_valid
log,pass,wan,
2: s 0.0.0.0 d 0.0.0.0 dp ffff:0000 sp 0035:0035
protocol value is 2490419 (0x260033)
UDP,L4_src_range,L4_dont_care_dst,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
log,pass,ack_fg_en_1,wan,
3: s 0.0.0.0 d 0.0.0.0 dp 0000:0000 sp 0000:0000
protocol value is 196659 (0x30033)
DONTCARE,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
log,drop,wan,
There are four entries in the L3/L4 in-side filter table.
filters in-protocol:
Nothing is registered in the protocol type in-side filter table.
filters out-ip:
Nothing is registered in the L3/L4 in-side filter table.
filters output-protocol:
Nothing is registered in the protocol type out-side filter table.
filter counts, in :
[0]=15860 [1]=3 [2]=332 [3]=679
The total number of packets that matched the in-side filter is displayed.
filter counts, out:
Since there are no entries in the out-side filter, nothing is displayed.
Filter log:
status 0000000e
This displays whether there is a log of the packet that has matched the filter. (This will
be displayed only once since the log will be read-cleared)
log input
#2: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#3: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#4: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
The contents of the packet that has matched an in-side filter entry.
log output
Nothing is displayed since there are no entries in the out-side filter table.
PPPoE
0: sess id f22b code 00 type 1 version 1
The header information is displayed if a PPPoE connection has been established.
The show command displays the internal information of camelotd, as in the following
example (each comment follows the output it describes).
State dump:
Interfaces:
wan0 0.0.0.0/0.0.0.0 00:90:99:18:72:9c
pppoe 218.43.19.231/255.255.255.255
using PPPOE-WAN mode, sid 0000f22b
cm0 192.168.1.1/255.255.255.0 00:90:99:18:72:9c
cm1 192.168.2.1/255.255.255.248 00:90:99:18:72:9c
cm2 0.0.0.0/0.0.0.0 00:00:00:00:00:00
The name, address, subnet mask, and MAC address of each Camelot router network
interface.
Neighbor table:
192.168.2.3 00:90:99:18:99:9c
192.168.2.4 00:90:99:18:8c:6e
192.168.2.2 00:e0:00:34:d9:20
192.168.1.20 00:90:99:18:78:b3
219.160.1.113 00:05:74:54:bc:06
192.168.1.30 00:02:b3:ec:f0:db
The MAC and IP Addresses of neighboring machines.
Internal QOS Table:
1: IPv4 211.129.14.134:0035 -> 192.168.2.2:0000 0 0 (0 refs)
The machine to be prioritized defined in camelotd.cfg
Connection track table:
protocol 17
orig: proto 17 192.168.2.2:1624 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1624
protocol 17
orig: proto 17 192.168.2.2:1623 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1623
protocol 17
orig: proto 17 192.168.2.2:1622 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1622
protocol 17
orig: proto 17 192.168.2.2:1621 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1621
protocol 17
orig: proto 17 192.168.2.2:1620 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1620
protocol 17
orig: proto 17 192.168.2.2:1619 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1619
The information of all managed connections. There are six such connections here. Each
entry shows the protocol type and, for both the orig and reply directions, the
source IP address : source port number -> destination IP address : destination port number.
Filter (ip_tables) table:
name 'nat'
This will be displayed only when the NAT function has been started by the iptables
command.
name 'filter'
This will be displayed only when the packet filter function has been started by the
iptables command.
Chip matches:
01
This shows whether there is a packet using a connection registered in Camelot's tables.
The entry number of such a connection is displayed.
Use the matches command when you want to display only the “Chip matches” of the
show command.
Chip matches:
01
5.3. User mode and Kernel mode
When camelotd is in user mode, CM_LINUX switches between user and kernel context
numerous times until netfilter has finished establishing a connection and registering it
to Camelot. This occurs because camelotd and the kernel exchange this information via
netlink, and it can become quite a burden on the system.
Under extreme conditions (such as when connections are continuously
registered/deleted from all 128 entries), the entries may not be registered/deleted fast
enough. In such cases, we recommend using kernel mode. This eliminates switching
between the user and kernel contexts; only status information is signaled to camelotd.
This reduces the system load considerably and allows it to operate under extreme
conditions.
6.1. NAT
Start camelotd in user mode, and set CM_LINUX to NAT mode.
For TCP connections, after a SYN packet has been forwarded and the corresponding ACK
packet has been received, netfilter acknowledges that the connection has been
established. This is signaled to camelotd, which gathers the necessary information
(such as MAC addresses) and issues an ioctl system call to register the connection
with the Camelot device driver. The device driver registers the information in
Camelot's hardware, and any following packets that match this entry are routed by
Camelot (1).
For UDP connections, a connection is considered established when packets with
matching port number fields have been received from opposite directions (of course,
the source and destination port fields are reversed for packets in opposite
directions). The rest is the same as for a TCP connection.
When a packet indicating the closing of a connection (such as FIN or RST) is received,
Camelot asserts an interrupt that is signaled to CM_LINUX. CM_LINUX acknowledges this
interrupt and signals a connection closing to camelotd, and camelotd issues a
connection deletion command to the Camelot device driver via an ioctl system call. The
device driver deletes the corresponding entry from Camelot's table (2).
In case an entry cannot be deleted by the normal procedure described above (such as
when the sequence of a TCP connection has been corrupted, or for UDP connections), the
camelotd daemon has a timeout function that periodically monitors the connections.
There are no restrictions on the timeout period, which can be set in the camelotd.cfg
file.
Next we shall explain the difference between kernel mode and user mode. The
differences lie in the passages marked (1, 2, 3) above, and are as follows.
(1) For TCP connections, when a syn packet has been forwarded, and the corresponding
ack packet has been received, the netfilter will acknowledge that the connection has
been established. Netfilter will gather the necessary information (such as MAC
Addresses) and execute the device driver so it will register the information to Camelot’s
hardware, causing any following packets that match this entry to be routed by Camelot.
(2) When a packet indicating the closing of a connection (such as FIN or RST) has been
received, an interrupt will be asserted by Camelot and signaled to the CM_LINUX. The
CM_LINUX will acknowledge this and cause the Camelot device driver to delete the
corresponding entry from Camelot’s table. Then camelotd is informed that the
connection has been deleted.
These are the only differences between kernel mode and user mode. Therefore, from
here on we shall describe only user mode.
6.2. IP Forwarding
camelotd is started, and CM_LINUX is set to IP Forwarding mode. The basic operation is
the same as NAT except that the port number is "don't care". Stated differently, since
IP forwarding is based solely on the addresses, once the entry has been registered,
packets are forwarded regardless of their port number. There are no packet monitoring
functions that delete connections; in principle, connections can only be deleted by the
timeout function.
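The registration and deletion rules of sections 6.1 and 6.2, as an added simulation that is not code from this manual or from camelotd: the CamelotRegistry class, its method names and the 'sw'/'hw'/'registered'/'deleted'/'table-full' result labels are assumptions chosen here. It tracks which flows would be offloaded to the 128-entry hardware table in NAT mode (full 5-tuple, FIN/RST deletion) and in IP forwarding mode (addresses only, deletion by timeout only); the poll method plays the role of camelotd's timeout function.

```python
TCP, UDP = 6, 17  # IP protocol numbers

class CamelotRegistry:
    def __init__(self, nat_mode=True, timeout=50, max_entries=128):
        self.nat_mode, self.timeout, self.max_entries = nat_mode, timeout, max_entries
        self.pending = {}     # flow key -> last seen; only one direction seen so far
        self.registered = {}  # flow key -> last seen; entry offloaded to Camelot

    def _key(self, proto, src, sport, dst, dport):
        if self.nat_mode:     # NAT mode keys on the full 5-tuple
            return (proto, src, sport, dst, dport)
        return (src, dst)     # IP forwarding mode: ports are "don't care"

    def _reverse(self, key):
        if self.nat_mode:
            proto, src, sport, dst, dport = key
            return (proto, dst, dport, src, sport)
        return (key[1], key[0])

    # flags: TCP flag letters (S, A, F, R); returns 'sw', 'registered', 'hw', 'deleted' or 'table-full'
    def packet(self, now, proto, src, sport, dst, dport, flags=""):
        key = self._key(proto, src, sport, dst, dport)
        rev = self._reverse(key)
        if key in self.registered or rev in self.registered:
            reg = key if key in self.registered else rev
            self.registered[reg] = now
            # (2) FIN/RST on a NAT entry raises the Camelot interrupt and the entry is
            # deleted; IP forwarding mode has no packet monitoring, only the timeout
            if self.nat_mode and proto == TCP and ("F" in flags or "R" in flags):
                del self.registered[reg]
                return "deleted"
            return "hw"       # matched entry: routed by the Camelot hardware
        if rev in self.pending:
            # (1) reply direction seen: TCP needs the ACK, UDP only the reverse packet
            if proto == UDP or "A" in flags:
                del self.pending[rev]
                if len(self.registered) >= self.max_entries:
                    return "table-full"   # all hardware entries in use
                self.registered[rev] = now
                return "registered"
            return "sw"
        if proto == TCP and "S" not in flags:
            return "sw"       # only a SYN can start a new TCP entry
        self.pending[key] = now
        return "sw"           # still handled by the software path

    # camelotd timeout function: remove entries idle longer than the timeout period
    def poll(self, now):
        expired = [k for k, t in self.registered.items() if now - t > self.timeout]
        for k in expired: del self.registered[k]
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.timeout}
        return len(expired)
```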
The following is an example of a Camelot NAT setup. (Here we are using ppp-2.4.1, and
kernel mode rp-pppoe-3.5 by Roaring Penguin Software)
root@192.168.1.1:/usr# camelotd -c camelotd.cfg -D0 &
root@192.168.1.1:/usr# echo -n "1" >/proc/sys/net/ipv4/ip_forward
root@192.168.1.1:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
root@192.168.1.1:/usr# iptables -t filter -F INPUT
root@192.168.1.1:/usr# iptables -t filter -F OUTPUT
root@192.168.1.1:/usr# iptables -t filter -F FORWARD
root@192.168.1.1:/usr# iptables -t nat -F PREROUTING
root@192.168.1.1:/usr# iptables -t nat -F OUTPUT
root@192.168.1.1:/usr# iptables -t nat -F POSTROUTING
root@192.168.1.1:/usr# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
root@192.168.1.1:/usr# iptables -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
(--set-mss 1412 may be used instead of --clamp-mss-to-pmtu)
root@192.168.1.1:/usr# iptables -A FORWARD -i ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
root@192.168.1.1:/usr# adsl-start
….connected!
6.4. The Filter
The filters are set by iptables. iptables may be used as it is normally used, and the
values are set in both CM_LINUX and Camelot. However, since Camelot cannot support all
iptables settings, here we explain the differences between Camelot's filter and
Linux's filter.
The INPUT in iptables will be mapped to the “in-side” as defined by Camelot, and
FORWARD and OUTPUT will be mapped to the “out-side”.
Camelot supports only one subnet mask for all entries.
Camelot has 64 in-side and out-side entries.
The following are four examples of how the filter is set and how the results are shown by
the dump command. (comments are in blue)
The following is an example of how the counters are used. Telnet to the Camelot router
from a monitoring PC.
[Camelot router]
root@192.168.1.1:/usr# camelotd -c camelotd.cfg -D0 &
root@192.168.1.1:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
[monitoring PC]
Prompt>telnet 192.168.1.1 12345
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
dump
……
filter counts, in :
[0]=15860 [1]=3 [2]=332 [3]=679
……
This indicates that 15860, 3, 332 and 679 packets have matched entries 0, 1, 2 and 3 respectively.
6.6. The Filter log
The log of the first four packets filtered by Camelot can be displayed.
The following is an example of how the logs can be retrieved. Telnet to the Camelot
router from a monitoring PC.
[Camelot router]
root@192.168.1.1:/usr# camelotd -c camelotd.cfg -D0 &
root@192.168.1.1:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
[Monitoring PC]
Prompt>telnet 192.168.1.1 12345
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
dump
……
log input
#2: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#3: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#4: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
……
Log 2 indicates that a packet matched entry 3 of the L3/4 filter, that the packet was
received from the WAN interface, and that its length was 74 bytes. Logs 3 and 4 show
the same status.
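The filter counts and filter log lines of sections 6.4 to 6.6, as an added Python parser that is not part of this manual or of camelotd: it reads a constructed dump excerpt (wrapped output lines rejoined) and correlates each in-side filter entry's pass/drop action with its match counter and with the logged packets, which is what an operator checks to see whether the drop entry is being hit. The function names and the excerpt are assumptions made here.

```python
import re

# Constructed excerpt in the dump format of sections 4 and 6.6 (wrapped lines rejoined)
SAMPLE_DUMP = """\
filters in-ip
0: s 0.0.0.0 d 0.0.0.0 dp ffff:0000 sp ffff:0000
TCP,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
log,pass,ack_fg_en_0,wan,
3: s 0.0.0.0 d 0.0.0.0 dp 0000:0000 sp 0000:0000
DONTCARE,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
log,drop,wan,
filter counts, in :
[0]=15860 [1]=3 [2]=332 [3]=679
log input
#2: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#3: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
"""

COUNT_RE = re.compile(r"\[(\d+)\]=(\d+)")
LOG_RE = re.compile(r"^#(\d+): cause .+?, table_id (\d+), dest_if (\d+), pkt len (\d+)")

# Returns (entries, counts, logs) for the in-side filter sections of a dump
def parse_dump(text):
    entries, counts, logs, section, cur = {}, {}, [], None, None
    for line in text.splitlines():
        if line.startswith("filters in-ip"): section = "entries"
        elif line.startswith("filter counts, in"): section = "counts"
        elif line.startswith("log input"): section = "logs"
        elif line.startswith(("filters", "filter counts", "log output")): section = None
        elif section == "entries":
            flags = line.split(",")
            if re.match(r"^\d+: s ", line):          # start of a filter entry
                cur = int(line.split(":")[0])
                entries[cur] = {"proto": None, "action": None}
            elif cur is not None and "entry_valid" in flags:
                entries[cur]["proto"] = flags[0]    # TCP, UDP, ICMP or DONTCARE
            elif cur is not None and ("pass" in flags or "drop" in flags):
                entries[cur]["action"] = "drop" if "drop" in flags else "pass"
        elif section == "counts":
            for idx, n in COUNT_RE.findall(line):
                counts[int(idx)] = int(n)
        elif section == "logs":
            m = LOG_RE.match(line)
            if m:
                logs.append({"id": int(m.group(1)), "table_id": int(m.group(2)),
                             "dest_if": int(m.group(3)), "len": int(m.group(4))})
    return entries, counts, logs

# Match counts of the drop entries, and the logged packets that hit one of them
def drop_hits(text):
    entries, counts, logs = parse_dump(text)
    drops = {i for i, e in entries.items() if e["action"] == "drop"}
    return {i: counts.get(i, 0) for i in drops}, [l for l in logs if l["table_id"] in drops]
```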
6.7. DMZ
The LAN2 port can be placed in a different segment from the LAN0 and LAN1 ports,
and may be used as a DMZ port. The interface name of the DMZ port is cm1.
[Figure: LAN PC 192.168.1.10 on the LAN port (192.168.1.1), WAN PC 1.1.1.10 on the WAN port (1.1.1.1), and DMZ PC 192.168.2.10 on the DMZ port (192.168.2.1) of the Camelot router]
root@192.168.1.1:/usr# vi camelotd.cfg
……
# Tag IPv WAN IP WAN DMZ IP DMZ TOS/TC Flow
# (4/6) Port Port Label
QOS 4 1.1.1.10 0 192.168.2.10 0 0 0
……
:wq
root@192.168.1.1:/usr# camelotd -Z -c camelotd.cfg -D0 &
root@192.168.1.1:/usr# echo -n "1" >/proc/sys/net/ipv4/ip_forward
root@192.168.1.1:/usr# ifconfig wan0 1.1.1.1 netmask 255.255.255.0
root@192.168.1.1:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
root@192.168.1.1:/usr# ifconfig cm1 192.168.2.1 netmask 255.255.255.0
root@192.168.1.1:/usr# iptables -t filter -F INPUT
root@192.168.1.1:/usr# iptables -t filter -F OUTPUT
root@192.168.1.1:/usr# iptables -t filter -F FORWARD
root@192.168.1.1:/usr# iptables -t nat -F PREROUTING
root@192.168.1.1:/usr# iptables -t nat -F OUTPUT
root@192.168.1.1:/usr# iptables -t nat -F POSTROUTING
UDP packets with source port number 10000 and destination port number 20000 from the
host at the DMZ port, and with source port number 20000 and destination port number
10000 from the host at the WAN port, are prioritized.
7. Debugging
The debug log is stored in a file and is not displayed on the serial window. (This is
because the serial terminal can only display a limited amount of information.) The
debug level and trace level should be assigned when the camelotd daemon is started.