Tag Archives: networking

Using openvswitch to communicate between two different hosts on different machines

This post is about using Linux network namespaces to stand in for separate machines when testing network functionality. The main idea is to show how two network namespaces on two different hosts can communicate with each other using openvswitch.

First, a word about network namespaces. A network namespace is logically another copy of the machine's network stack, with its own routes, firewall rules, and network devices. To test network functionality, instead of running a virtual machine with all of its unnecessary features, one can use network namespaces to quickly build different network environments. They are lightweight, allow you to run many namespaces on a single machine, and are easy to manage.

[Diagram: full virtualization compared with network namespaces]
Problem statement:-
Create the network topology shown in the diagram below, where two different machines each have a network namespace, and use openvswitch to communicate between the two namespaces.
[Diagram: required topology]
 
Solution:-
To build this topology, we first need two machines A and B connected to each other through a physical switch. You can also use two virtual machines connected through a virtual switch.
[Diagram: initial setup]
 
Next, create two network namespaces named h1 and h2 on the machines respectively.
ip netns add h1  (on machine A)
ip netns add h2  (on machine B)
ip netns list    (can be executed on both machines)
 
Now we have one namespace on each of machines A and B.

[Diagram: network namespaces created]
 
Next, we add an openvswitch bridge on both machines.
ovs-vsctl add-br s1     (on both the machines)
ovs-vsctl show

[Diagram: openvswitch bridge added on both machines]
 
Next, we need to create two patch cables (veth pairs) and use them to connect the openvswitch bridge to the network namespaces.
The first one connects namespace h1 to bridge s1 on machine A, and the second one connects namespace h2 to bridge s1 on machine B.
 
Creating patch-cables:-
ip link add h1-eth0 type veth peer name s1-eth1    (on machine A)
ip link add h2-eth0 type veth peer name s1-eth2    (on machine B)
ip link show
 
Adding one end of patch-cable to namespaces:-
ip link set h1-eth0 netns h1    (on machine A)
ip link set h2-eth0 netns h2    (on machine B)
 
Connecting the other end of patch-cable to openvswitch:-
ovs-vsctl add-port s1 s1-eth1     (on machine A)
ovs-vsctl add-port s1 s1-eth2     (on machine B)
 
Now the setup is in the state depicted in the diagram below:-

[Diagram: switch and namespace connected]
Next, we need to assign IP addresses to the interfaces inside the network namespaces. This can be done with the commands below:-
ip netns exec h1 ifconfig h1-eth0 10.0.0.1    (on machine A)
ip netns exec h2 ifconfig h2-eth0 10.0.0.2    (on machine B)
 
[Diagram: IP addresses assigned]
We could also add a controller for openvswitch, but in this post we are not going to use one. Here, the switch will behave like a normal hub.
 
We also need to add the physical interface to openvswitch so that traffic can leave the machine. Here we use eth1 of each machine to send and receive packets.
ifconfig eth1 0.0.0.0         (on both the machines)
ovs-vsctl add-port s1 eth1    (on both the machines)
 
[Diagram: physical interface added for connectivity]
Now we have the setup we set out to create. Network namespace h1 on machine A can communicate with network namespace h2 on machine B via eth1.
 
ip netns exec h1 ping 10.0.0.2   (on machine A)
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=4.98 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.990 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.104 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.375 ms
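As an added example (not part of the original post), the steps above for one machine collapsed into a single shell function, so the same code serves machine A and machine B with different arguments. The function name, the DRY_RUN switch and the use of ip(8) in place of ifconfig are my own choices; because ip(8) does not bring links up implicitly the way ifconfig does, the explicit "link set ... up" commands are included.

```shell
#!/bin/sh
# Added example, not the post's own script. Runs as root; with DRY_RUN=1
# it prints the commands it would execute instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_side NS NS_IF SW_IF BRIDGE ADDR/PREFIX PHYS_IF
#   machine A: setup_side h1 h1-eth0 s1-eth1 s1 10.0.0.1/24 eth1
#   machine B: setup_side h2 h2-eth0 s1-eth2 s1 10.0.0.2/24 eth1
setup_side() {
    ns=$1; ns_if=$2; sw_if=$3; br=$4; addr=$5; phys=$6
    # namespace and bridge (--may-exist makes the bridge step repeatable)
    run ip netns add "$ns"
    run ovs-vsctl --may-exist add-br "$br"
    # veth pair: one end moves into the namespace, the other joins the bridge
    run ip link add "$ns_if" type veth peer name "$sw_if"
    run ip link set "$ns_if" netns "$ns"
    run ovs-vsctl add-port "$br" "$sw_if"
    # address inside the namespace; ip(8) needs the explicit "up"
    run ip netns exec "$ns" ip addr add "$addr" dev "$ns_if"
    run ip netns exec "$ns" ip link set "$ns_if" up
    run ip netns exec "$ns" ip link set lo up
    run ip link set "$sw_if" up
    # the physical port carries no address of its own once it is bridged
    # (the same effect as "ifconfig eth1 0.0.0.0" in the post)
    run ip addr flush dev "$phys"
    run ovs-vsctl --may-exist add-port "$br" "$phys"
    run ip link set "$phys" up
}

# connectivity check from inside the namespace, e.g. check_side h1 10.0.0.2
check_side() {
    run ip netns exec "$1" ping -c 3 "$2"
}
```

Source the file and call setup_side on each machine, then check_side h1 10.0.0.2 on machine A reproduces the ping shown above.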
 
 
One can create many complex topologies using namespaces, run multiple networks within a single machine, and test a wide range of scenarios.

[Diagram: sample topology]
I hope this post helps someone. Mininet is one example of a custom wrapper program that uses these commands internally to create network topologies as specified by the user.
 
Posted by on August 17, 2014 in Linux, Networking, Virtualization


Installing openflow-dissector-plugin for Wireshark in Ubuntu

First of all, you will need an Ubuntu machine with Wireshark installed.
ubuntu$ sudo apt-get install wireshark


Run Wireshark and go to Help -> About Wireshark -> Plugins

[Screenshot: About Wireshark, Plugins tab]

 
You won't see any openflow plugin listed there. If you do see a plugin named openflow*.so, the openflow plugin is already installed on your machine.

To build the dissector yourself, clone the openflow-dissector code. There are many repositories available online, but the one below worked for me on Ubuntu 14.04 without any errors. To clone it, you first need to install mercurial:-
ubuntu$ sudo apt-get install mercurial

Next, you need to download the code:-

ubuntu$ hg clone https://bitbucket.org/barnstorm/of-dissector
ubuntu$ cd of-dissector/src
ubuntu$ sudo apt-get install scons
ubuntu$ export WIRESHARK=/usr/include/wireshark/
ubuntu$ sudo scons install

The above step builds an openflow.so shared library, which is copied automatically to /usr/include/wireshark. The openflow-dissector plugin is loaded when you start Wireshark as a normal user. However, if you start Wireshark as root, you won't see the plugin loaded. For that, you need to place the binary under /usr/lib/wireshark so that it is loaded automatically regardless of the user. Check the exact path on your machine: it may differ from the one below, but it will be in a directory under /usr/lib/wireshark.

ubuntu$ sudo cp openflow.so /usr/lib/wireshark/libwireshark3/plugins/openflow.so

Now start Wireshark and check the plugins again.
[Screenshot: openflow.so plugin listed]

If you want to capture and analyze openflow traffic, you need a switch <-> openflow-controller topology. If you don't have one, you can easily create one using mininet.

ubuntu$ sudo apt-get install mininet

Once this is installed, you can create mininet's default topology using the 'mn' command.

ubuntu$ sudo mn

For more details, refer to the mininet walkthrough:-
http://mininet.org/walkthrough/

Since both the controller and the switch are on the same host, the communication between the two happens over the loopback interface. Hence, to capture the packets, you need to start Wireshark and listen on the loopback interface (lo). Here is an image from my PC where I captured the openflow packets.
[Screenshot: captured openflow packets]
Hope it helps somebody. 🙂
 
Posted by on August 2, 2014 in Linux, Networking


Port forwarding in Linux

Consider a network set up as in the diagram below:-
[Diagram: problem statement]
As depicted, one wants the web server hosted on the internal network to be accessible from outside. To do this, you need to enable port forwarding on the gateway so that requests on a particular port of the gateway are redirected to the web server on the private network.
For this, you will need the package called "rinetd". The same is possible using iptables rules, but configuring them manually is a bit difficult, hence we use this software for easy installation and configuration.
Install rinetd on your ubuntu host:-
root@ubuntu# apt-get install rinetd
Once installed, you need to enter the rules in the /etc/rinetd.conf file. A rule is nothing but a listing of the gateway port on which you will send the request, together with the IP address and port of the internal machine to which the request will be forwarded. The general syntax is as follows:-
bindaddress     bindport     contactaddress      contactport
Here,
bindaddress = Address of Gateway
bindport = port on Gateway to which you will send the request
contactaddress = Address of VM/machine on internal network
contactport = port on internal network machine where the service is running

More configuration information can be found at the website:-

http://www.boutell.com/rinetd/

Once done, restart the rinetd service.
root@ubuntu# service rinetd restart
Now you will be able to access the web pages from the public network by entering the IP address of the gateway followed by the port that is bound to the internal machine. The URL would look like:-
http://<bindaddress>:<bindport>
Similarly, you can forward other services such as ssh using this method. You just need to remember which port you have used on the gateway and send the request to that port.
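As an added example (not the post's own configuration), a constructed /etc/rinetd.conf covering both cases discussed above, a web server and ssh, with the gateway and internal addresses as placeholders. It also uses rinetd's allow/deny rules so that the forwarded ssh port is reachable only from one address range rather than from the whole public network; rules placed after a forwarding line apply to that line only.

```text
# /etc/rinetd.conf (constructed example; addresses are placeholders)
# bindaddress   bindport   contactaddress   contactport
logfile /var/log/rinetd.log

# web server: bind only on the gateway's public address, not 0.0.0.0
203.0.113.10    8080       192.168.1.20     80

# ssh: forwarded too, but only the admin range below may connect
203.0.113.10    2222       192.168.1.20     22
allow 198.51.100.*
deny *
```

After editing the file, restart rinetd as shown above; the web server is then reachable at http://203.0.113.10:8080 and ssh at port 2222 of the gateway.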
 
Posted by on June 3, 2013 in Linux, Networking
