Network Namespaces In Linux Kernel

 

Introduction

Each kernel network namespace has its own network devices (even the loopback interface), IP addresses, firewall rules, /proc/net and /sys/class/net directory trees, sockets, IP routing tables, port numbers, etc. One caveat: /sys/class/net shows the devices of the namespace in which sysfs was mounted, not necessarily the caller's, which is why “ip netns exec” remounts /sys; /proc/self/net always reflects the calling process's namespace.

clone() is a system call used to create a child process. If the CLONE_NEWNET flag is set, the child is created in a new network namespace. Run system("ip link") and system("ip netns") in both the child and the parent to see the difference. Creating a network namespace requires CAP_SYS_ADMIN in the owning user namespace, so an unprivileged process has to create a user namespace (CLONE_NEWUSER) in the same call.

unshare() is a system call that creates a new namespace and moves the calling process into it.

setns() is a system call used to join an existing namespace.
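As an added example (not part of the original post) of the clone()/unshare() behaviour described above: a Python script that forks, calls unshare(2) with CLONE_NEWUSER | CLONE_NEWNET in the child through ctypes, and compares the interface list inside the new namespace with the parent's. It assumes Linux with Python 3.8 or later (socket.if_nameindex) and a kernel that permits unprivileged user namespaces; where it does not, the child reports the errno instead of failing. CLONE_NEWUSER is added so the script does not need root, and the interface list is read through if_nameindex() rather than /sys/class/net because sysfs shows the namespace it was mounted in (the reason “ip netns exec” remounts /sys).

```python
# Added example, not code from the original post.
# Assumes Linux and Python 3.8+ (socket.if_nameindex).
import ctypes
import json
import os
import socket

# Flag values from <linux/sched.h>.
CLONE_NEWNET = 0x40000000
CLONE_NEWUSER = 0x10000000

_libc = ctypes.CDLL(None, use_errno=True)


def unshare(flags: int) -> None:
    """Call unshare(2); the calling process moves into the new namespace(s)."""
    if _libc.unshare(flags) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


def interfaces() -> list:
    """Interface names in the caller's current network namespace.

    if_nameindex() queries the kernel for the calling process's own namespace.
    /sys/class/net would not: sysfs lists the namespace it was mounted in.
    """
    return sorted(name for _, name in socket.if_nameindex())


def interfaces_in_new_netns(flags: int = CLONE_NEWUSER | CLONE_NEWNET) -> dict:
    """Fork, unshare in the child, and report what the child sees.

    Returns {"ok": True, "ifaces": [...]} on success, or
    {"ok": False, "errno": n} when the kernel refuses (EPERM is typical when
    unprivileged user namespaces are disabled or seccomp blocks the call).
    A fresh network namespace contains only a DOWN loopback device.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: enter the new namespace, report, exit
        os.close(rfd)
        try:
            unshare(flags)
            result = {"ok": True, "ifaces": interfaces()}
        except OSError as exc:
            result = {"ok": False, "errno": exc.errno}
        os.write(wfd, json.dumps(result).encode())
        os._exit(0)
    os.close(wfd)
    chunks = []
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    return json.loads(b"".join(chunks).decode())


if __name__ == "__main__":
    print("parent namespace:", interfaces())
    print("child after unshare:", interfaces_in_new_netns())
```

The parent keeps its full interface list; the child, if the kernel allowed the call, sees only lo, which is exactly the empty namespace that “ip netns add” creates below. The parent's namespace is untouched because unshare() affects only the calling process.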

You can create a virtual network device pair (veth) and place one end of it in a namespace: the two ends are peers, so the pair behaves like a pipe between the two namespaces. To connect the namespace to the internet, create a bridge in the root namespace and attach the root-side veth end to it. A physical network device can belong to only one namespace at a time and normally stays in the root namespace. Instead of a bridge, you can enable IP forwarding and add NAT rules in the root namespace.

A namespace is addressed by its name or by the PID of a process inside it.

If a service in one namespace is compromised, its network stack is isolated from services in other namespaces. This isolation covers only the network stack: the compromised process still shares the kernel, filesystem, process table and users with the rest of the host unless those are isolated too (other namespace types, seccomp, capabilities), and every veth or bridge you add is a deliberate hole in that isolation.

Add New Network Namespace

We can use the “ip” networking configuration tool to work with namespaces. A named namespace persists even when no process is running in it. To add a new, empty namespace:

# ip netns add BinanNameSpace

“BinanNameSpace” is the name of the new created namespace. A bind mount is created for “BinanNameSpace” under “/var/run/netns”.

Get The Current Namespaces

To list the current namespaces, execute “ip netns” or “ls /var/run/netns”:

BinanNameSpace
qdhcp-ae4d3669-d1ab-4133-8ea6-059611dc524e
qrouter-f96c719a-56e9-4b52-b2cb-da326fc1a429

List The Interfaces In The Namespace

To list the interfaces inside the namespace, execute:

# ip netns exec BinanNameSpace ip link list

1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Note that we have only the loopback interface and it is down, so we cannot ping it:

# ip netns exec BinanNameSpace ping 127.0.0.1

connect: Network is unreachable

To bring the loopback interface up:

# ip netns exec BinanNameSpace ip link set dev lo up

# ip netns exec BinanNameSpace ping 127.0.0.1

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.034 ms
^C
— 127.0.0.1 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.034/0.037/0.044/0.008 ms

Create Virtual Network Device In The Namespace

To create a veth pair with veth0 in the root namespace and veth1 as its peer, then move veth1 into “BinanNameSpace”:

# ip link add veth0 type veth peer name veth1

# ip link set veth1 netns BinanNameSpace

Set IP addresses To The Virtual Network Devices

For veth0 in the root namespace:

# ifconfig veth0 11.0.0.2/24 up

For veth1 in “BinanNameSpace”:

# ip netns exec BinanNameSpace ifconfig veth1 11.0.0.1/24 up

Now to check the interface veth0:

# ifconfig veth0

veth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 11.0.0.2  netmask 255.255.255.0  broadcast 11.0.0.255
…..

To check the interface veth1 inside the namespace:

# ip netns exec BinanNameSpace ifconfig veth1
veth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 11.0.0.1  netmask 255.255.255.0  broadcast 11.0.0.255
……

Connection Test

To test the connection between the root namespace and “BinanNameSpace”, we ping in both directions:

From the root(veth0: 11.0.0.2) to BinanNameSpace(veth1:11.0.0.1):

# ping 11.0.0.1
PING 11.0.0.1 (11.0.0.1) 56(84) bytes of data.
64 bytes from 11.0.0.1: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 11.0.0.1: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 11.0.0.1: icmp_seq=3 ttl=64 time=0.044 ms
^C
— 11.0.0.1 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.036/0.040/0.044/0.008 ms

From BinanNameSpace (veth1:11.0.0.1) to the root namespace (veth0: 11.0.0.2):

# ip netns exec BinanNameSpace ping 11.0.0.2

PING 11.0.0.2 (11.0.0.2) 56(84) bytes of data.
64 bytes from 11.0.0.2: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from 11.0.0.2: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 11.0.0.2: icmp_seq=3 ttl=64 time=0.038 ms
^C
— 11.0.0.2 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.034/0.038/0.042/0.003 ms

Delete A Namespace

To delete the namespace (this also destroys veth1, and with it its peer veth0 in the root namespace), execute:

# ip netns delete BinanNameSpace



Regular Expressions For SIP Trunk


Introduction

A regular expression is a sequence of characters that forms a search pattern (see the definition in Wikipedia). It is a large topic that takes a lot of time to explain; without it you end up with deeply nested “if” statements. I assume you already know regular expressions and will only apply them to SIP here.


Regular Expressions For a SIP Trunk

Usually, when a SIP router receives a request addressed to a PSTN gateway (i.e. its Request-URI contains a telephone number), it checks which group the requested user (the called party) belongs to. The router must also check whether the caller has permission to make this call, so checks can be done on both the caller and the callee. Any check done by the router reduces to this simple logic:

If (Routing Condition){

  Do Specific Work

}

This can be in the router’s routing script or internally integrated in the router’s application.

Example

If (The Call Is Addressed To A Local Number){

Do Specific Work

}

In the OpenSIPS SIP router, this condition can be expressed in the routing script in two ways:

  • Using a script variable (e.g. $ru, the reference to the request’s URI) with the =~ match operator directly:

if ($ru =~ "sip:[2-9][0-9]{6}@") {

}

This regular expression matches a 7-digit number whose first digit is in the range [2-9]; the literal “sip:” before it and “@” after it pin the length to exactly 7 digits.

  • Using a function such as pcre_match() from the “regex” module, which matches a string against a regular expression and returns TRUE on a match, FALSE otherwise:

if (pcre_match("$ru", "sip:[2-9][0-9]{6}@")) {

}

$ru is a read/write variable, so be aware of where in the script you check its value; $ou refers to the request’s original URI and does not change while the request is processed. The “regex” module is built on the PCRE library, which compiles the pattern into a PCRE object, so the PCRE development headers (“libpcre-dev” or “pcre-devel”) must be installed to build it.

Note: Use “&&” if you want to concatenate multiple conditions in one “if” statement.

If ((Routing Condition-1) && (Routing Condition-2)){

  Do Specific Work

}

Examples of Regular Expressions For SIP Trunk

Test your regular expression before using it, to make sure you have constructed it correctly; there are many free online services for this, and search engines will find the syntax symbols you need. The following are examples; each pattern defines one group of URIs. Remember that matching is not anchored: a pattern can match anywhere inside the URI unless you use ^ and $.

  • Any user on any domain/IP: sip:(.*)@(.*)
  • Any user on a certain domain: sip:(.*)@mydomain\.com Note that this also matches sip:user@mydomain.com.attacker.net, because nothing anchors the end of the domain; on a trunk that authorizes calls by domain, anchor the pattern (end of string, or a following :port or ;parameter).
  • Any user on a certain IP (198.18.250.10): sip:(.*)@198\.18\.250\.10 In a regular expression “.” means “any character”, whereas “\.” is a literal period (dot).
  • Any user in an IP range (198.18.250.0 – 198.18.250.255): sip:(.*)@198\.18\.250.* The symbol “*” is a quantifier meaning the preceding item occurs 0 or more times. Here the last part of the IP is left open (so 198.18.2500 would be accepted too); restrict it when that matters.
  • To group a set of SIP URIs within a certain domain or subdomain, use .*mydomain\.com.* For example these URIs will be matched: sip:mydomain.com:5060;transport=tcp and sips:test.mydomain.com:5061 SIP/2.0 (with the same look-alike-domain caveat as above).
  • To group a set of SIP URIs that have a certain string in the username part and accept the ports 5060 and 5061, use .*group1@198\.18\.250\.10:506[01].* The “[01]” character class matches one of the two digits. For example these two URIs will be matched: sip:serv1group1@198.18.250.10:5060;transport=tcp and sips:serv2group1@198.18.250.10:5061;transport=tcp
  • 8-digit number on any domain: sip:[0-9]{8}@(.*) “[0-9]” is a range for one digit between 0 and 9, and “{8}” repeats the preceding item 8 times.
  • 7-digit number optionally preceded by 8, on any domain: sip:8?[0-9]{7}@(.*) The symbol “?” means 0 or 1 repetition of the preceding item. So sip:80986853@mydomain.com, sip:0986853@mydomain.com and sip:1234567@mydomain.com match, but an 8-digit number that does not start with 8 does not.
  • 4-digit number (could be an extension number) starting with 6 on any domain: sip:6[0-9]{3}@(.*)
  • 4-digit number not starting with 55 on any domain: sip:(?!55)[0-9]{4}@(.*) The “(?!55)” negative lookahead is a PCRE feature; it works with pcre_match() but not with the core =~ operator, which uses POSIX extended regular expressions.
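As an added example (not from the original post), the patterns above run against constructed Request-URIs in Python, whose re module, like pcre_match(), searches anywhere in the string unless the pattern is anchored. The route() function plays the role of the if chain in a routing script (the first matching rule wins), and domain_check() contrasts the unanchored domain pattern with an anchored one that rejects look-alike domains such as mydomain.com.attacker.net. STRICT_DOMAIN, the rule names and the sample URIs are my own constructions, not OpenSIPS syntax or data from the post.

```python
# Added example, not code from the original post.
import re

# Patterns as written in the post (PCRE style, as used with pcre_match()).
LOCAL_7DIGIT = r"sip:[2-9][0-9]{6}@"
EIGHT_DIGIT = r"sip:[0-9]{8}@(.*)"
OPTIONAL_8_THEN_7 = r"sip:8?[0-9]{7}@(.*)"
EXTENSION_6XXX = r"sip:6[0-9]{3}@(.*)"
FOUR_DIGIT_NOT_55 = r"sip:(?!55)[0-9]{4}@(.*)"  # lookahead: PCRE only, not POSIX ERE
GROUP1_PORTS = r".*group1@198\.18\.250\.10:506[01].*"

# Domain check as written in the post, and a hardened version (my own):
# anchored at both ends, dot escaped, and only an optional :port and
# ;parameters may follow the domain.
LOOSE_DOMAIN = r"sip:(.*)@mydomain.com"
STRICT_DOMAIN = r"^sips?:[^@]+@mydomain\.com(:[0-9]{1,5})?(;.*)?$"


def matches(pattern, uri):
    """Unanchored search, mirroring pcre_match() / =~ semantics."""
    return re.search(pattern, uri) is not None


# Order matters: the first rule that matches wins, like a chain of if blocks
# in the routing script.
RULES = [
    ("local", LOCAL_7DIGIT),
    ("extension", EXTENSION_6XXX),
    ("eight_digit", EIGHT_DIGIT),
    ("seven_or_eight", OPTIONAL_8_THEN_7),
    ("four_digit", FOUR_DIGIT_NOT_55),
    ("group1", GROUP1_PORTS),
]


def route(uri):
    """Name of the first rule matching the Request-URI, or 'reject'."""
    for name, pattern in RULES:
        if matches(pattern, uri):
            return name
    return "reject"


def domain_check(uri):
    """(loose, strict) verdicts for a domain-based permission check."""
    return matches(LOOSE_DOMAIN, uri), matches(STRICT_DOMAIN, uri)


if __name__ == "__main__":
    # Constructed sample Request-URIs.
    for uri in ("sip:2345678@198.18.250.10", "sip:6123@mydomain.com",
                "sip:5512@mydomain.com", "sips:serv2group1@198.18.250.10:5061;transport=tcp"):
        print(uri, "->", route(uri))
    for uri in ("sip:alice@mydomain.com", "sip:alice@mydomain.com.attacker.net"):
        print(uri, "-> loose/strict:", domain_check(uri))
```

The loose pattern accepts mydomain.com.attacker.net and even mydomainXcom (the unescaped dot), which is enough to let a foreign domain through a trunk rule; the strict pattern accepts the same legitimate URIs, with or without a port and parameters, and nothing else.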



DNS mapping of E.164 numbers to a list of URIs and IP Addresses


The Domain Name System (DNS) can be used to store telephone numbers in E.164 format and to identify the corresponding service. The domain “e164.arpa” exists so that the DNS can hold E.164 numbers. It is divided into subdomains (one per country code), so you have to contact the corresponding zone administrator in order to list your E.164 number.

Explanation by Example

The DNS client string is “+441632910011”. It is a telephone number in E.164 format, and we want the information about the service associated with this number (service type, transport protocol, port number, IP address). The DNS client that performs the lookups can be part of any kind of network server. The corresponding domain name for that number is “1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.” (drop the “+”, reverse the digits, separate them with dots and append e164.arpa). The figure below shows the steps to get the IP address of the server that provides the service, along with some information about the service. We explain them below.


Step 1: Getting SIP URI as a Result of First DNS Look Up Operation

The DNS client performs the first DNS lookup, for NAPTR records, on the domain name “1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.”. The output is two NAPTR records:

$ORIGIN 1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.

NAPTR 10 100 "u" "E2U+sip"  "!^.*$!sip:info@example.com!" .        ; Record Number 1

NAPTR 10 101 "u" "E2U+h323" "!^.*$!h323:info@example.com!" .       ; Record Number 2

Here we have two records associated with that name. The fields in each record are: order, preference, flags, service, regular expression, and replacement. The “order” specifies the processing order of the NAPTR records. The “preference” specifies the processing order among NAPTR records that have the same order value. Here both records have an order value of 10, but the first one has the lower preference value, so the DNS client picks the first record (a client that does not support H.323 would skip the second one anyway, since records with a service it does not understand are ignored).

The “u” flag means the record is terminal and its output is a URI. The service field of the selected record is “E2U+sip”, which means the record maps a telephone number to a SIP URI.

The regular expression “!^.*$!sip:info@example.com!”  takes this form: “Delimit ERE Delimit Substitution Delimit Flag”.

Delimit = !

ERE (Extended Regular Expression) = ^.*$, which matches everything from the beginning of the client string to the end.

Delimit=!

Substitution=sip:info@example.com

Delimit=!

and No flags.

If the replacement field is not used, it is written as a dot (.). If the replacement field is used, the regular expression field must be an empty string (“”) and the replacement must be a fully qualified domain name; the two fields are mutually exclusive. So when the DNS client picks the first record, it applies the pattern in the regular expression field to the client string, and the result of the first step is the SIP URI sip:info@example.com. As we see, we get a SIP URI from an E.164 telephone number. We can stop here if that is all we want.

Note: you can use dig in a Linux terminal to perform the lookup:

# dig -t naptr 1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.


Step 2: Getting the service’s FQDN (Include Service type + Transport Protocol)

Now the DNS client string is “sip:info@example.com”. The client performs a second DNS lookup, for NAPTR records, on the URI’s domain “example.com” (this is the SIP server location procedure of RFC 3263). The output is two NAPTR records:

$ORIGIN example.com.
IN NAPTR 100 10 "s" "SIP+D2U" "" _sip._udp.example.com.
IN NAPTR 102 10 "s" "SIP+D2T" "" _sip._tcp.example.com.

Here the replacement field is present, so the regular expression field is empty (the two are mutually exclusive). The flag “s” means the replacement field contains an FQDN that points to an SRV record. The DNS client picks the first record because it has the lowest order value. The replacement is applied and the result is “_sip._udp.example.com”: the service is SIP and the transport protocol is UDP.


Step 3: Getting Server’s FQDN and Listening Port Number

Now the DNS client string is “_sip._udp.example.com”. The client performs the third lookup, for SRV records, on “_sip._udp.example.com”. An SRV record takes this form: “_Service._Protocol.Name TTL Class SRV Priority Weight Port Target”

The record in this example:

 _sip._udp.example.com 86400 IN SRV 0 5 5060 sipserver.example.com

Service: the service name is sip

Protocol: the transport protocol is UDP

Name: the domain name is example.com

TTL: the time to live, in seconds, is 86400

Class: the DNS class is IN

Priority: the priority of the target is 0 (lower values are tried first)

Weight: the relative weight of this record among records of equal priority is 5

Port: 5060

Target: the hostname of the machine that provides the service, sipserver.example.com

The result of this step is the FQDN “sipserver.example.com” which represents SIP server listening on port 5060.


Step 4: Getting the IP Address

The client performs a DNS lookup on “sipserver.example.com”. The output is an A record (or an AAAA record for IPv6) containing the IP address.
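As an added example (not from the original post) covering the four steps above: a Python resolver that works the same steps on constructed zone data with no network access. The zone contents mirror the records shown in the post; the address 192.0.2.10 and the extra NAPTR rule with a \1 backreference are my own constructed data, added to show that apply_regexp() handles the general “!ERE!substitution!flags” form (RFC 3403), not only the fixed URI of the example.

```python
# Added example, not code from the original post.  Zone data is constructed.
import re
from dataclasses import dataclass


def e164_to_enum_name(number, suffix="e164.arpa."):
    """+441632910011 -> 1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa. (RFC 3761)."""
    digits = re.sub(r"[ \-.()]", "", number)
    if not digits.startswith("+") or not digits[1:].isdigit():
        raise ValueError("not an E.164 number: %r" % number)
    return ".".join(reversed(digits[1:])) + "." + suffix


@dataclass
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str        # "" when the replacement field is used
    replacement: str   # "." when the regexp field is used


def parse_naptr(rdata):
    """Parse 'order pref "flags" "service" "regexp" replacement' (rdata only)."""
    m = re.match(r'\s*(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)\s*$', rdata)
    if not m:
        raise ValueError("bad NAPTR rdata: %r" % rdata)
    order, pref, flags, service, regexp, repl = m.groups()
    return Naptr(int(order), int(pref), flags.lower(), service, regexp, repl)


def apply_regexp(rule, client_string):
    """Apply a NAPTR regexp field: delimiter, ERE, substitution, flags.

    Backreferences (\\1..\\9) in the substitution are expanded from the ERE
    groups.  Returns None when the ERE does not match the client string.
    """
    delim = rule[0]
    parts = re.split(r"(?<!\\)" + re.escape(delim), rule)  # honour escaped delimiters
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("bad regexp field: %r" % rule)
    _, ere, subst, flags = parts
    m = re.search(ere, client_string, re.IGNORECASE if "i" in flags else 0)
    return m.expand(subst) if m else None


def select_naptr(records, wanted_services):
    """Lowest order, then lowest preference, among records with a wanted service."""
    for rec in sorted(records, key=lambda r: (r.order, r.preference)):
        if rec.service in wanted_services:
            return rec
    return None


def parse_srv(line):
    """'_sip._udp.example.com. 86400 IN SRV 0 5 5060 sipserver.example.com.' -> dict."""
    name, ttl, cls, rtype, prio, weight, port, target = line.split()
    if rtype != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    return {"name": name, "ttl": int(ttl), "priority": int(prio),
            "weight": int(weight), "port": int(port), "target": target}


# Constructed zone data mirroring the post's records.
NAPTR_ZONE = {
    "1.1.0.0.1.9.2.3.6.1.4.4.e164.arpa.": [
        parse_naptr('10 100 "u" "E2U+sip"  "!^.*$!sip:info@example.com!" .'),
        parse_naptr('10 101 "u" "E2U+h323" "!^.*$!h323:info@example.com!" .'),
    ],
    "example.com.": [
        parse_naptr('100 10 "s" "SIP+D2U" "" _sip._udp.example.com.'),
        parse_naptr('102 10 "s" "SIP+D2T" "" _sip._tcp.example.com.'),
    ],
}
SRV_ZONE = {
    "_sip._udp.example.com.": parse_srv(
        "_sip._udp.example.com. 86400 IN SRV 0 5 5060 sipserver.example.com."),
}
A_ZONE = {"sipserver.example.com.": "192.0.2.10"}  # constructed documentation address


def resolve(number):
    """Steps 1-4: E.164 number -> (SIP URI, SRV name, target host, port, address)."""
    rec = select_naptr(NAPTR_ZONE[e164_to_enum_name(number)], {"E2U+sip"})
    uri = apply_regexp(rec.regexp, number)                          # step 1: "u" flag
    rec = select_naptr(NAPTR_ZONE[uri.split("@", 1)[1] + "."],
                       {"SIP+D2U", "SIP+D2T"})
    srv_name = rec.replacement                                      # step 2: "s" flag
    srv = SRV_ZONE[srv_name]                                        # step 3: SRV
    return uri, srv_name, srv["target"], srv["port"], A_ZONE[srv["target"]]  # step 4: A


if __name__ == "__main__":
    print(resolve("+441632910011"))
```

Running resolve("+441632910011") yields the SIP URI, the SRV name, the target host, the port and the address in the order of the four steps. A real client would also honour the SRV priority and weight across several records and prefer E2U+sip over services it does not implement, which select_naptr() does by filtering on the wanted service set.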

Summary

Using the Domain Name System (DNS), we can get the service information (mainly the service type, transport protocol, port number and IP address) associated with a specific telephone number (E.164 number).


More Information: RFC 2916, RFC 3761