connman: session api
ConnMan: Session API
Daniel Wagner <[email protected]>
Automotive Linux Summit
Edinburgh, 25th October 2013
NETWORK MANAGEMENT.
Solved
Enterprise networking is mostly 'sorted out'
NETWORK MANAGEMENT.
Well, no, not completely
Mobile devices
WHERE ARE WE HEADING TO?
http://commons.wikimedia.org/wiki/File%3A1606_Mercator_Hondius_Map_of_the_Arctic_(First_Map_of_the_North_Pole)_-_Geographicus_-_NorthPole-mercator-1606.jpg
http://www.geographicus.com/mm5/cartographers/mercator.txt [Public domain], via Wikimedia Commons
Robert Jemimus, http://bit.ly/19HomBZ
http://anysnapshot.com/
Ryan Lane, http://bit.ly/1bxwmqm
PROBLEMS TO ADDRESS.
● Is the system actually online?
● Thundering herd problem
● Finer-grained usage statistics for the net
● Per-application routing
ANDROID.
ANDROID ARCHITECTURE.
Needs two additional netfilter modules
● xt_qtaguid: tags all traffic from/to sockets
● quota2: accounting and enforcing. Counters reported through NFLOG.
See Linux Plumbers Conference for more details
● 'Android netfilter changes'
● http://www.youtube.com/watch?v=Fi_iyaF7Gw0
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
ANDROID IPTABLES.
...
Chain bw_INPUT (1 references)
 pkts bytes target prot opt in    out   source    destination
   14  1379        all      !lo+  any   anywhere  anywhere     ! quota globalAlert: 2097152 bytes
    8   456 RETURN all      lo    any   anywhere  anywhere
  864  322K        all      any   any   anywhere  anywhere     owner socket exists

Chain bw_OUTPUT (1 references)
 pkts bytes target prot opt in    out   source    destination
    0     0        all      any   !lo+  anywhere  anywhere     ! quota globalAlert: 2097152 bytes
    8   456 RETURN all      any   lo    anywhere  anywhere
 1028  329K        all      any   any   anywhere  anywhere     owner socket exists
...
ANDROID STATS.
root@android:/proc/net/xt_qtaguid # cat stats
idx iface acct_tag_hex uid_tag_int cnt_set rx_bytes rx_packets tx_bytes tx_packets rx_tcp_bytes rx_tcp_packets rx_udp_bytes rx_udp_packets rx_other_bytes rx_other_packets tx_tcp_bytes tx_tcp_packets tx_udp_bytes tx_udp_packets tx_other_bytes tx_other_packets
2  wlan0 0x0 0     0 56673     611   13000   200   6700      112   44845 432 5128 67 3692    65    5636 80 3672 55
3  wlan0 0x0 0     1 0         0     0       0     0         0     0     0   0    0  0       0     0    0  0    0
4  wlan0 0x0 1000  0 428       6     521     7     352       5     76    1   0    0  445     6     76   1  0    0
5  wlan0 0x0 1000  1 0         0     0       0     0         0     0     0   0    0  0       0     0    0  0    0
6  wlan0 0x0 10017 0 52        1     3024    54    52        1     0     0   0    0  3024    54    0    0  0    0
7  wlan0 0x0 10017 1 0         0     0       0     0         0     0     0   0    0  0       0     0    0  0    0
8  wlan0 0x0 10035 0 57887     146   32108   205   57887     146   0     0   0    0  32108   205   0    0  0    0
9  wlan0 0x0 10035 1 0         0     0       0     0         0     0     0   0    0  0       0     0    0  0    0
10 wlan0 0x0 10038 0 9594      57    10710   60    9594      57    0     0   0    0  10710   60    0    0  0    0
11 wlan0 0x0 10038 1 0         0     0       0     0         0     0     0   0    0  0       0     0    0  0    0
12 wlan0 0x0 10053 0 917       3     561     5     917       3     0     0   0    0  561     5     0    0  0    0
13 wlan0 0x0 10053 1 0         0     0       0     0         0     0     0   0    0  0       0     0    0  0    0
14 wlan0 0x0 10057 0 123227989 96715 2388226 34203 123227989 96715 0     0   0    0  2388226 34203 0    0  0    0
CONNMAN ARCHITECTURE.
CURRENT IMPLEMENTATION.
iptables & NFACCT
– per-application rules
– global rules
– policy routing
# tag locally generated traffic of the application's uid (the owner match only works on OUTPUT)
iptables -t mangle -A OUTPUT -m owner --uid-owner 1234 -j MARK --set-mark 1234
# count marked traffic in both directions (the nfacct object must exist before the rule references it)
iptables -t filter -A INPUT -m mark --mark 1234 -m nfacct --nfacct-name foo1234
iptables -t filter -A OUTPUT -m mark --mark 1234 -m nfacct --nfacct-name foo1234
# carry the mark on the conntrack entry so replies get it back on INPUT, where owner cannot match
iptables -t mangle -A INPUT -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
# per-application routing: marked packets use their own table
ip rule add fwmark 1234 table 1234
ip route add default via 1.2.3.4 dev wlan0 table 1234
DRAWBACKS.
● Many iptables rules
– 3 rules per application
● Many NFACCTs
– At least 2 per application
– We need to poll for updates (power consumption!)
NFQUEUE.
Allows doing all sorts of counting in userspace
enum nfqnl_attr_type {
	NFQA_UNSPEC,
	NFQA_PACKET_HDR,
	NFQA_VERDICT_HDR,		/* nfqnl_msg_verdict_hdr */
	NFQA_MARK,			/* __u32 nfmark */
	NFQA_TIMESTAMP,			/* nfqnl_msg_packet_timestamp */
	NFQA_IFINDEX_INDEV,		/* __u32 ifindex */
	NFQA_IFINDEX_OUTDEV,		/* __u32 ifindex */
	NFQA_IFINDEX_PHYSINDEV,		/* __u32 ifindex */
	NFQA_IFINDEX_PHYSOUTDEV,	/* __u32 ifindex */
	NFQA_HWADDR,			/* nfqnl_msg_packet_hw */
	NFQA_PAYLOAD,			/* opaque data payload */
	NFQA_CT,			/* nf_conntrack_netlink.h */
	NFQA_CT_INFO,			/* enum ip_conntrack_info */
	NFQA_CAP_LEN,			/* __u32 length of captured packet */
	NFQA_SKB_INFO,			/* __u32 skb meta information */
	NFQA_EXP,			/* nf_conntrack_netlink.h */

	__NFQA_MAX
};
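As an added example of the "counting in userspace" idea (this is not ConnMan or kernel code), the following C walks the attribute area of an NFQUEUE packet message and charges each packet to the application that owns its fwmark, i.e. the mark set by the MARK/CONNMARK rules earlier in the talk. Only three attributes from the enum above are needed: NFQA_MARK, NFQA_CAP_LEN and NFQA_PAYLOAD. The kernel sends NFQA_MARK and NFQA_CAP_LEN in network byte order, and NFQA_CAP_LEN carries the full wire length when the payload copy was truncated by the queue's copy range; the code accounts wire bytes, not captured bytes, for that reason. The function and type names (account_packet, put_attr, acct_table) are this example's own, and the messages it is fed are constructed by hand so it runs without a queue socket.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Attribute numbers from enum nfqnl_attr_type above */
enum { NFQA_MARK = 3, NFQA_PAYLOAD = 10, NFQA_CAP_LEN = 13 };

/* struct nlattr as laid out on the wire: 2-byte length (including this
 * header), 2-byte type, value padded to a 4-byte boundary */
struct attr_hdr { uint16_t len; uint16_t type; };
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)
#define ATTR_TYPE_MASK 0x3fff   /* strip NLA_F_NESTED / NLA_F_NET_BYTEORDER */
#define MAX_MARKS 16

struct mark_acct { uint32_t mark; uint64_t packets, bytes; };
struct acct_table { struct mark_acct entry[MAX_MARKS]; unsigned n; };

static struct mark_acct *acct_find(struct acct_table *t, uint32_t mark, int create)
{
    for (unsigned i = 0; i < t->n; i++)
        if (t->entry[i].mark == mark)
            return &t->entry[i];
    if (!create || t->n == MAX_MARKS)
        return NULL;
    t->entry[t->n] = (struct mark_acct){ .mark = mark };
    return &t->entry[t->n++];
}

uint64_t acct_bytes(struct acct_table *t, uint32_t mark)
{
    struct mark_acct *a = acct_find(t, mark, 0);
    return a ? a->bytes : 0;
}

uint64_t acct_packets(struct acct_table *t, uint32_t mark)
{
    struct mark_acct *a = acct_find(t, mark, 0);
    return a ? a->packets : 0;
}

/* Walk the attributes of one NFQUEUE packet message (the bytes after
 * struct nfgenmsg) and charge the packet to the owner of its fwmark.
 * Returns 0 on success, -1 for a malformed message or one without
 * NFQA_MARK; a rejected message changes no counter. */
int account_packet(struct acct_table *t, const uint8_t *attrs, size_t len)
{
    uint32_t mark = 0, cap_len = 0, payload_len = 0, be32;
    int have_mark = 0;
    size_t off = 0;

    while (off + sizeof(struct attr_hdr) <= len) {
        struct attr_hdr h;
        memcpy(&h, attrs + off, sizeof h);          /* no unaligned access */
        if (h.len < sizeof h || off + h.len > len)
            return -1;                               /* truncated TLV */
        const uint8_t *val = attrs + off + sizeof h;
        size_t vlen = h.len - sizeof h;

        switch (h.type & ATTR_TYPE_MASK) {
        case NFQA_MARK:                              /* __u32, network byte order */
            if (vlen != 4) return -1;
            memcpy(&be32, val, 4);
            mark = ntohl(be32);
            have_mark = 1;
            break;
        case NFQA_CAP_LEN:                           /* wire length when payload was truncated */
            if (vlen != 4) return -1;
            memcpy(&be32, val, 4);
            cap_len = ntohl(be32);
            break;
        case NFQA_PAYLOAD:                           /* captured bytes, possibly truncated */
            payload_len = (uint32_t)vlen;
            break;
        default:                                     /* timestamps, ifindex, ct: not needed for counting */
            break;
        }
        off += ATTR_ALIGN(h.len);
    }
    if (!have_mark)
        return -1;                                   /* unmarked: cannot be attributed */
    struct mark_acct *a = acct_find(t, mark, 1);
    if (!a)
        return -1;                                   /* table full */
    a->packets++;
    a->bytes += cap_len ? cap_len : payload_len;     /* count wire bytes, not captured bytes */
    return 0;
}

/* Append one attribute to a buffer; used here only to construct sample messages. */
size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *val, uint16_t vlen)
{
    struct attr_hdr h = { (uint16_t)(sizeof h + vlen), type };
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, val, vlen);
    memset(buf + off + h.len, 0, ATTR_ALIGN(h.len) - h.len);   /* alignment padding */
    return off + ATTR_ALIGN(h.len);
}
```

In a real daemon the attribute buffer comes from a netlink socket bound to the queue, and every message must still be answered with a verdict (NFQA_VERDICT_HDR) or the packet stays parked in the kernel; the walk above deliberately rejects a truncated TLV before touching any counter, so a malformed message cannot skew an application's quota.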
CONNTRACK.
# conntrack -E
    [NEW] udp      17 30 src=192.168.15.222 dst=192.168.255.255 sport=137 dport=137 [UNREPLIED] \
                         src=192.168.255.255 dst=192.168.15.222 sport=137 dport=137
    [NEW] udp      17 30 src=192.168.101.53 dst=192.168.255.255 sport=57621 dport=57621 [UNREPLIED] \
                         src=192.168.255.255 dst=192.168.101.53 sport=57621 dport=57621
[DESTROY] udp      17 src=192.168.101.73 dst=192.168.255.255 sport=137 dport=137 [UNREPLIED] \
                         src=192.168.255.255 dst=192.168.101.73 sport=137 dport=137
[DESTROY] udp      17 src=192.168.101.73 dst=192.168.255.255 sport=138 dport=138 [UNREPLIED] \
                         src=192.168.255.255 dst=192.168.101.73 sport=138 dport=138
THE FUTURE: CGROUP?
● Placing applications into cgroups
● netfilter: match on cgroup id