parsa-epfl / qflex

Quick & Flexible Rack-Scale Computer Architecture Simulator
http://qflex.epfl.ch/

mrun does not take care of iptables #6

Closed altostratous closed 10 months ago

altostratous commented 6 years ago

Description

If the host machine has iptables enabled, then mrun won't guarantee connectivity between Qemu instances, and in case the iptables FORWARD chain is not capable of forwarding the ns3 network packets, the network between the Qemu instances doesn't work.

How to reproduce

To reproduce this issue, it is enough to configure iptables so that it drops or rejects packets that are supposed to be forwarded, and then try to run multiple Qemu instances with mrun configured to run in an ns3 network.

Proposed Solutions

  1. Add a piece of code in mrun that, after bringing up the bridges, adds ACCEPT forwarding rules to iptables and removes these rules while tearing down the network.
  2. Add an administrative gotcha to the documentation or to the mrun help.

Also, there is a workaround for this issue: disabling iptables for Linux bridges, which can be done as follows: ~# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

Further Details

I am currently using commit 4d938fa97c6984ab3d5f7c9b52f890ecfec72593 of qflex, and I have already pulled images from the install-docker-update branch of the images submodule.

I am using this command to run the multiple Qemu instances: ~# ./mrun -r qemu-setup-sample-file.xml -qmp -ns /home/aasgari/Documents/qflex/3rdparty/ns3

My mrun configuration files are as follows:

<!-- qemu-setup-sample-file.xml -->
<setup>
    <instance>
        <file>/home/aasgari/Documents/qflex/scripts/mrun/q1.xml</file>
    </instance>
    <instance>
        <file>/home/aasgari/Documents/qflex/scripts/mrun/q2.xml</file>
    </instance>
</setup>
<!-- /home/aasgari/Documents/qflex/scripts/mrun/q1.xml -->
<instance>
    <executable>
        <binary>/home/aasgari/Documents/qflex/qemu/aarch64-softmmu/qemu-system-aarch64</binary>
    </executable>
    <parameter>
        <enabled>on</enabled>
        <option>-machine</option>
        <arg>virt</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-cpu</option>
        <arg>cortex-a57</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-smp</option>
        <arg>4
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-m</option>
        <arg>2000</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-kernel</option>
        <arg>/home/aasgari/Documents/qflex/images/ubuntu-16.04-blank/vmlinuz-4.4.0-83-generic
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-initrd</option>
        <arg>/home/aasgari/Documents/qflex/images/ubuntu-16.04-blank/initrd.img-4.4.0-83-generic-DockerInstalled</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-append</option>
        <arg>'root=/dev/sda2'
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-global</option>
        <arg>virtio-blk-device.scsi=off</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-device</option>
        <arg>virtio-scsi-device,id=scsi
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-drive</option>
        <arg>
            file=/home/aasgari/Documents/qflex/images/ubuntu-16.04-blank/ubuntu-16.04-lts-blank.qcow2,id=rootimg,cache=unsafe,if=none
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-device</option>
        <arg>scsi-hd,drive=rootimg</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-rtc</option>
        <arg>driftfix=slew</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-serial</option>
        <arg>telnet:localhost:5555,server,nowait</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-name</option>
        <arg>q1</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-accel</option>
        <arg>tcg,thread=single</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-nographic</option>
        <arg>
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-netdev</option>
        <arg>user,id=net1,hostfwd=tcp::2222-:22</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-device</option>
        <arg>virtio-net-device,mac=52:54:00:00:02:12,netdev=net1</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-exton</option>
        <arg></arg>
    </parameter>
</instance>
<!-- /home/aasgari/Documents/qflex/scripts/mrun/q2.xml -->
<instance>
    <executable>
        <binary>/home/aasgari/Documents/qflex/qemu/aarch64-softmmu/qemu-system-aarch64</binary>
    </executable>
    <parameter>
        <enabled>on</enabled>
        <option>-machine</option>
        <arg>virt</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-cpu</option>
        <arg>cortex-a57</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-smp</option>
        <arg>4
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-m</option>
        <arg>2000</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-kernel</option>
        <arg>/home/aasgari/Documents/qflex/images/ubuntu-16.04-blank/vmlinuz-4.4.0-83-generic
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-initrd</option>
        <arg>/home/aasgari/Documents/qflex/images/ubuntu-16.04-blank/initrd.img-4.4.0-83-generic-DockerInstalled</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-append</option>
        <arg>'root=/dev/sda2'
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-global</option>
        <arg>virtio-blk-device.scsi=off</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-device</option>
        <arg>virtio-scsi-device,id=scsi
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-drive</option>
        <arg>
            file=/home/aasgari/Documents/qflex/images/ubuntu-16.04-blank/ubuntu-16.04-lts-blank.qcow2,id=rootimg,cache=unsafe,if=none
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-device</option>
        <arg>scsi-hd,drive=rootimg</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-rtc</option>
        <arg>driftfix=slew</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-serial</option>
        <arg>telnet:localhost:5556,server,nowait</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-name</option>
        <arg>q2</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-accel</option>
        <arg>tcg,thread=single</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-nographic</option>
        <arg>
        </arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-netdev</option>
        <arg>user,id=net1,hostfwd=tcp::2221-:22</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-device</option>
        <arg>virtio-net-device,mac=52:54:00:00:02:13,netdev=net1</arg>
    </parameter>
    <parameter>
        <enabled>on</enabled>
        <option>-exton</option>
        <arg></arg>
    </parameter>
</instance>

Also, the output of ~# iptables -L -v (iptables rules and stats) for the FORWARD chain, captured right after sending 10000 UDP packets from one of the Qemu instances to the other, with the counters reset before the operation, is the following (I had already initialized eth0 of each Qemu instance with local IPs and used echo hello > /dev/udp/[other qemu IP]/[port] to send the UDP packets):

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
10000  340K DOCKER-USER  all  --  any    any     anywhere             anywhere            
10000  340K DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    br-e68495d486fc  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-e68495d486fc  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-e68495d486fc !br-e68495d486fc  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-e68495d486fc br-e68495d486fc  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    br-dc42555c70a5  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-dc42555c70a5  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-dc42555c70a5 !br-dc42555c70a5  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-dc42555c70a5 br-dc42555c70a5  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    br-993cfd405bb4  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-993cfd405bb4  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-993cfd405bb4 !br-993cfd405bb4  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-993cfd405bb4 br-993cfd405bb4  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    br-42830f4fa203  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-42830f4fa203  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-42830f4fa203 !br-42830f4fa203  anywhere             anywhere            
    0     0 ACCEPT     all  --  br-42830f4fa203 br-42830f4fa203  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere            
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere            
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
10000  340K FORWARD_direct  all  --  any    any     anywhere             anywhere            
10000  340K FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
10000  340K FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere            
10000  340K FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
10000  340K FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
10000  340K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

It looks like the last rule is applied and the UDP packets are rejected.
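An added example (not part of qflex or mrun) of the triage the counters above support: parse one `iptables -L -v` chain, skip the user-chain jumps that count packets without deciding their fate, and report the first ACCEPT/DROP/REJECT that actually matched; `bridge_accepted` then checks whether an ACCEPT for a given bridge sits before the catch-all REJECT, which is the ordering proposed solution 1 would have to arrange. The sample listing is a constructed, shortened version of the output quoted in the issue, and `br-ns3` is a hypothetical bridge name.

```python
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample in the layout of `iptables -L -v` (counters zeroed, then
# 10000 UDP datagrams sent between two bridged guests), shortened from the issue.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
10000  340K DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
10000  340K FORWARD_direct  all  --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
10000  340K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
"""

def counter(tok):  # expand the K/M/G suffixes `iptables -L -v` prints for large counters
    return int(tok) if tok.isdigit() else int(tok[:-1]) * {"K": 10**3, "M": 10**6, "G": 10**9}[tok[-1]]

def parse_chain(text):
    """Rules of one chain listing as dicts; `extra` holds match options
    (ctstate ...) or the REJECT target's own reject-with option."""
    rules = []
    for line in text.strip().splitlines()[2:]:  # skip chain and column headers
        cols = line.split()
        if len(cols) < 9:
            continue
        rules.append({"pkts": counter(cols[0]), "target": cols[2], "in": cols[5],
                      "out": cols[6], "extra": " ".join(cols[9:])})
    return rules

def verdict(text):
    """(rule number, target, extra) of the first ACCEPT/DROP/REJECT whose counter
    moved. Jumps into user chains (DOCKER-USER, FORWARD_direct, ...) also count
    packets but return to FORWARD, so they are skipped; None means the chain
    policy decided."""
    for i, r in enumerate(parse_chain(text), start=1):
        if r["target"] in TERMINAL and r["pkts"] > 0:
            return i, r["target"], r["extra"]
    return None

def bridge_accepted(text, bridge):
    """True if an unconditional ACCEPT covering `bridge` precedes the first
    catch-all DROP/REJECT, which is the ordering mrun's own rules would need."""
    for r in parse_chain(text):
        if r["extra"] and not r["extra"].startswith("reject-with"):
            continue  # conditional rule (ctstate ...) does not settle the question
        if r["target"] == "ACCEPT" and bridge in (r["in"], r["out"]):
            return True
        if r["target"] in {"DROP", "REJECT"} and r["in"] == r["out"] == "any":
            return False
    return False
```

Run against the full listing in the issue, `verdict` points at the final `REJECT ... reject-with icmp-host-prohibited` rule, matching the conclusion above.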