Introduction
Laymen explanation
Technical explanation
A: Loopback interface
Understanding the packet flow when pinging an interface on the same box
root@ubuntu:~/personal/auto# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether d2:7b:ed:29:3c:92 brd ff:ff:ff:ff:ff:ff
inet 10.102.169.37/24 brd 10.102.169.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::d07b:edff:fe29:3c92/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:~/personal/auto# tcpdump -i eth0 icmp &
[1] 7617
root@ubuntu:~/personal/auto# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
root@ubuntu:~/personal/auto# ping 10.102.169.37 -c 1
PING 10.102.169.37 (10.102.169.37) 56(84) bytes of data.
64 bytes from 10.102.169.37: icmp_seq=1 ttl=64 time=0.040 ms
--- 10.102.169.37 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.040/0.040/0.040/0.000 ms
root@ubuntu:~/personal/auto# fg
tcpdump -i eth0 icmp
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
root@ubuntu:~/personal/auto# tcpdump -i lo icmp &
[1] 7828
root@ubuntu:~/personal/auto# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
root@ubuntu:~/personal/auto# ping 10.102.169.37 -c 1
PING 10.102.169.37 (10.102.169.37) 56(84) bytes of data.
64 bytes from 10.102.169.37: icmp_seq=1 ttl=64 time=0.052 ms
--- 10.102.169.37 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.052/0.052/0.052/0.000 ms
root@ubuntu:~/personal/auto# 11:06:06.791656 IP 10.102.169.37 > 10.102.169.37: ICMP echo request, id 7829, seq 1, length 64
11:06:06.791671 IP 10.102.169.37 > 10.102.169.37: ICMP echo reply, id 7829, seq 1, length 64
root@ubuntu:~/personal/auto#
Use the steps below:
Create the interface using ip link
Assign an IP to the interface using ip addr
Add a route using ip route
configure new virtual interface with routable IP
root@ubuntu:~/personal/auto# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether d2:7b:ed:29:3c:92 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:8a:93:0c:72 brd ff:ff:ff:ff:ff:ff
root@ubuntu:~/personal/auto# ip link add type veth
root@ubuntu:~/personal/auto# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether d2:7b:ed:29:3c:92 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:8a:93:0c:72 brd ff:ff:ff:ff:ff:ff
58: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 92:cd:be:f2:fe:61 brd ff:ff:ff:ff:ff:ff
59: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 76:d3:53:35:8f:b9 brd ff:ff:ff:ff:ff:ff
root@ubuntu:~/personal/auto# ip addr add 10.102.169.38/24 dev veth0
root@ubuntu:~/personal/auto# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether d2:7b:ed:29:3c:92 brd ff:ff:ff:ff:ff:ff
inet 10.102.169.37/24 brd 10.102.169.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::d07b:edff:fe29:3c92/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:8a:93:0c:72 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:8aff:fe93:c72/64 scope link
valid_lft forever preferred_lft forever
58: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 92:cd:be:f2:fe:61 brd ff:ff:ff:ff:ff:ff
inet 10.102.169.38/24 scope global veth0
valid_lft forever preferred_lft forever
59: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 76:d3:53:35:8f:b9 brd ff:ff:ff:ff:ff:ff
root@ubuntu:~/personal/auto# ip route
default via 10.102.169.1 dev eth0 onlink
10.102.169.0/24 dev eth0 proto kernel scope link src 10.102.169.37
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
root@ubuntu:~/personal/auto# ip route add 10.102.169.38/32 via 10.102.169.37 dev eth0
root@ubuntu:~/personal/auto# ip route
default via 10.102.169.1 dev eth0 onlink
10.102.169.0/24 dev eth0 proto kernel scope link src 10.102.169.37
10.102.169.38 via 10.102.169.37 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
Useful link: https://serverfault.com/questions/323642/ip-route-add-rtnetlink-answers-file-exists
Install the brctl tool and run the brctl show command
brctl: tool for inspecting bridges
[root@ubuntu /]# brctl show
bridge name bridge id STP enabled interfaces
br-96900f6adc12 8000.02425a59a52b no
br-a6e28d2345f1 8000.024265791196 no
br-b10c04cf75eb 8000.0242ff1f529a no
docker0 8000.0242988f66d8 no veth3817652
veth5f13d8e
Useful link: https://linux.die.net/man/8/brctl
How to find the process id (PID) that is listening on a specific port
Use the -p option of the netstat command
List the PIDs bound to all TCP/UDP ports
root@ubuntu:~# netstat -atnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 966/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 14239/master
tcp 0 0 10.102.53.248:43296 10.102.53.232:22 ESTABLISHED 27472/ssh
tcp 0 296 10.102.53.248:22 10.252.242.108:50579 ESTABLISHED 18503/0
tcp 0 0 10.102.53.248:60638 10.106.102.141:22 ESTABLISHED 10866/ssh
tcp6 0 0 :::80 :::* LISTEN 18711/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 966/sshd
tcp6 0 0 :::5080 :::* LISTEN 18737/docker-proxy
tcp6 0 0 :::25 :::* LISTEN 14239/master
tcp6 0 0 :::443 :::* LISTEN 18699/docker-proxy
tcp6 0 0 :::5443 :::* LISTEN 18723/docker-proxy
root@ubuntu:~# netstat -aunp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:49289 0.0.0.0:* 1071/snmpd
udp 0 0 127.0.0.1:161 0.0.0.0:* 1071/snmpd
Reference: https://stackoverflow.com/questions/9856590/determine-the-process-pid-listening-on-a-certain-port
Use the macvlan feature of a Docker container as shown in the example.
Use the Linux macvlan feature as shown in the example below.
Use iptables -S
Example iptables rules listing
root@minion1:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-N KUBE-FIREWALL
-N KUBE-SERVICES
-A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -s 10.244.0.0/16 -j ACCEPT
-A FORWARD -d 10.244.0.0/16 -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
use iptables -t nat -L -n
iptables -t nat -L -n
[root@ubuntu ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE all -- 1.1.1.0/24 0.0.0.0/0
MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:22
MASQUERADE tcp -- 172.17.0.5 172.17.0.5 tcp dpt:22
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7022 to:172.17.0.2:22
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8022 to:172.17.0.5:22
[root@ubuntu ~]#
Use the iptables -P FORWARD command
Example: set the FORWARD chain's default policy to DROP, so forwarded traffic that matches no explicit ACCEPT rule is dropped
[root@ubuntu ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-a6e28d2345f1 -j DOCKER
-A FORWARD -o br-a6e28d2345f1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-a6e28d2345f1 ! -o br-a6e28d2345f1 -j ACCEPT
-A FORWARD -i br-a6e28d2345f1 -o br-a6e28d2345f1 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-b10c04cf75eb -j DOCKER
-A FORWARD -o br-b10c04cf75eb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-b10c04cf75eb ! -o br-b10c04cf75eb -j ACCEPT
-A FORWARD -i br-b10c04cf75eb -o br-b10c04cf75eb -j ACCEPT
-A FORWARD -o br-96900f6adc12 -j DOCKER
-A FORWARD -o br-96900f6adc12 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-96900f6adc12 ! -o br-96900f6adc12 -j ACCEPT
-A FORWARD -i br-96900f6adc12 -o br-96900f6adc12 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-ISOLATION -i br-b10c04cf75eb -o br-a6e28d2345f1 -j DROP
-A DOCKER-ISOLATION -i br-a6e28d2345f1 -o br-b10c04cf75eb -j DROP
-A DOCKER-ISOLATION -i br-96900f6adc12 -o br-a6e28d2345f1 -j DROP
-A DOCKER-ISOLATION -i br-a6e28d2345f1 -o br-96900f6adc12 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-a6e28d2345f1 -j DROP
-A DOCKER-ISOLATION -i br-a6e28d2345f1 -o docker0 -j DROP
-A DOCKER-ISOLATION -i br-96900f6adc12 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-96900f6adc12 -j DROP
-A DOCKER-ISOLATION -i br-b10c04cf75eb -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-b10c04cf75eb -j DROP
-A DOCKER-ISOLATION -i br-96900f6adc12 -o br-b10c04cf75eb -j DROP
-A DOCKER-ISOLATION -i br-b10c04cf75eb -o br-96900f6adc12 -j DROP
-A DOCKER-ISOLATION -j RETURN
[root@ubuntu ~]# iptables -P FORWARD DROP
[root@ubuntu ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-a6e28d2345f1 -j DOCKER
-A FORWARD -o br-a6e28d2345f1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-a6e28d2345f1 ! -o br-a6e28d2345f1 -j ACCEPT
-A FORWARD -i br-a6e28d2345f1 -o br-a6e28d2345f1 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-b10c04cf75eb -j DOCKER
-A FORWARD -o br-b10c04cf75eb -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-b10c04cf75eb ! -o br-b10c04cf75eb -j ACCEPT
-A FORWARD -i br-b10c04cf75eb -o br-b10c04cf75eb -j ACCEPT
-A FORWARD -o br-96900f6adc12 -j DOCKER
-A FORWARD -o br-96900f6adc12 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-96900f6adc12 ! -o br-96900f6adc12 -j ACCEPT
-A FORWARD -i br-96900f6adc12 -o br-96900f6adc12 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-ISOLATION -i br-b10c04cf75eb -o br-a6e28d2345f1 -j DROP
-A DOCKER-ISOLATION -i br-a6e28d2345f1 -o br-b10c04cf75eb -j DROP
-A DOCKER-ISOLATION -i br-96900f6adc12 -o br-a6e28d2345f1 -j DROP
-A DOCKER-ISOLATION -i br-a6e28d2345f1 -o br-96900f6adc12 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-a6e28d2345f1 -j DROP
-A DOCKER-ISOLATION -i br-a6e28d2345f1 -o docker0 -j DROP
-A DOCKER-ISOLATION -i br-96900f6adc12 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-96900f6adc12 -j DROP
-A DOCKER-ISOLATION -i br-b10c04cf75eb -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-b10c04cf75eb -j DROP
-A DOCKER-ISOLATION -i br-96900f6adc12 -o br-b10c04cf75eb -j DROP
-A DOCKER-ISOLATION -i br-b10c04cf75eb -o br-96900f6adc12 -j DROP
-A DOCKER-ISOLATION -j RETURN
[root@ubuntu ~]# [
Useful link: http://www.thegeekstuff.com/2011/06/iptables-rules-examples/?utm_source=feedburner
Method to configure an additional IP in a Docker container that is on the same network as the host
root@ubuntu16Golden:~# docker exec -it dkcpx bash
root@ubuntu16Golden:/# cli_script.sh 'sh ns ip'
exec: sh ns ip
Ipaddress Traffic Domain Type Mode Arp Icmp Vserver State
--------- -------------- ---- ---- --- ---- ------- ------
1) 192.168.1.2 0 NetScaler IP Active Enabled Enabled NA Enabled
2) 192.0.0.1 0 SNIP Active Enabled Enabled NA Enabled
Done
root@ubuntu16Golden:/# cli_script.sh 'add ns ip 10.106.90.9 255.255.255.0'
exec: add ns ip 10.106.90.9 255.255.255.0
Done
root@ubuntu16Golden:/# cli_script.sh 'sh ns ip'
exec: sh ns ip
Ipaddress Traffic Domain Type Mode Arp Icmp Vserver State
--------- -------------- ---- ---- --- ---- ------- ------
1) 192.168.1.2 0 NetScaler IP Active Enabled Enabled NA Enabled
2) 192.0.0.1 0 SNIP Active Enabled Enabled NA Enabled
3) 10.106.90.9 0 SNIP Active Enabled Enabled NA Enabled
Done
root@ubuntu16Golden:/# exit
exit
root@ubuntu16Golden:~# ping -c 1 10.106.90.9
PING 10.106.90.9 (10.106.90.9) 56(84) bytes of data.
From 10.106.90.6 icmp_seq=1 Destination Host Unreachable
--- 10.106.90.9 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
root@ubuntu16Golden:~# ip route add 10.106.90.9 dev vethcpx0 scope link
root@ubuntu16Golden:~# ping -c 1 10.106.90.9
PING 10.106.90.9 (10.106.90.9) 56(84) bytes of data.
64 bytes from 10.106.90.9: icmp_seq=1 ttl=255 time=0.118 ms
--- 10.106.90.9 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.118/0.118/0.118/0.000 ms
root@ubuntu16Golden:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.106.90.1 0.0.0.0 UG 0 0 0 eth0
10.106.90.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.106.90.9 0.0.0.0 255.255.255.255 UH 0 0 0 vethcpx0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vethcpx0
root@ubuntu16Golden:~# iptables -S | grep FORWARD
-P FORWARD ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
root@ubuntu16Golden:~#
-----
Note: IP forwarding (and a FORWARD policy that permits the traffic) must be enabled; otherwise the packet is dropped by the Linux kernel when the address is pinged from another machine.
------
Here, NetScaler CPX has been created via 'docker run -dt --name dkcpx --privileged=true --ulimit core=-1 --net=host -e EULA=ok -e NS_NETMODE=HOST cpx:12.0-56.16' command
Use the ip -d link show command to list such (VLAN-tagged) interfaces.
Example: removing duplicate MACs caused by tagged VLANs
root@cpx-ingress-test-ndg5k:/# cat test.sh
########
# Variables for handling duplicate MAC addresses caused by tagged VLANs
########
# Flipped to "true" by list_excluded_intf once at least one interface to exclude is found.
handle_excluded_intf=false
# Space-separated list filled in by list_excluded_intf: the part after '@' of each
# VLAN-tagged interface name reported by `ip -d link show`.
exclude_intf_list=
######
# This function lists the interfaces that need to be excluded
#####
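#######################################
# Find the interfaces that VLAN-tagged interfaces are stacked on.
# Globals:   vlan_tagged_intf (written), exclude_intf_list (written,
#            space-separated, sorted, de-duplicated),
#            handle_excluded_intf (set to "true" when the list is non-empty)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last command (the if statement)
#######################################
function list_excluded_intf()
{
  local intf tail
  # `ip -d link show` prints the "vlan protocol ..." detail line two lines
  # below the "N: name@link:" header, so -B 2 pulls the header into the
  # match and awk keeps the second ': '-separated field (the name).
  vlan_tagged_intf=$(ip -d link show | grep -B 2 vlan | awk -F': ' '{print $2}' | xargs)
  echo "vlan tagged interfaces are $vlan_tagged_intf"
  # Intentionally unquoted: vlan_tagged_intf is a space-separated list.
  # The text after '@' is the device the VLAN sits on; that is what gets
  # excluded. Parameter expansion replaces the old per-name sed|awk pipeline
  # (names without '@' are skipped, as the old pipeline yielded nothing for them).
  exclude_intf_list=$(
    for intf in $vlan_tagged_intf; do
      [[ $intf == *@* ]] || continue
      tail=${intf#*@}
      echo "${tail%%@*}"
    done | sort -u | xargs
  )
  if [[ -n $exclude_intf_list ]]; then
    echo "interfaces which needs to be excluded is $exclude_intf_list"
    handle_excluded_intf="true"
  fi
}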
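list_excluded_intf

# Build the candidate device list: the first word of every `ifconfig -a` line,
# with continuation lines and "lo" removed by the sed expression.
# NOTE(review): NETNS is not assigned anywhere in this script; it is presumably
# an optional command prefix supplied by the environment and is therefore left
# unquoted on purpose so it can expand to several words — confirm with the caller.
# NOTE(review): newer net-tools print "name: flags=..." and would leave a trailing
# ':' on each name; the sample run on this page shows the older colon-free format.
nsppedevs=""
netdevnames=$($NETNS ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d')
for name in $netdevnames; do
  nsppedevs="$nsppedevs $name"
done

if [[ $handle_excluded_intf == "true" ]]; then
  echo "Processing to be excluded interface list which is $exclude_intf_list"
  echo "nsppedevs is $nsppedevs"
  excluded_intf=""
  for nsppedev in $nsppedevs; do
    # Whole-word match. The previous "*${nsppedev}*" glob was a substring test,
    # so e.g. eth0 matched an exclude entry of eth01 and was wrongly dropped.
    if [[ " $exclude_intf_list " == *" $nsppedev "* ]]; then
      echo "Excluding intf $nsppedev"
      excluded_intf="$excluded_intf $nsppedev"
    fi
  done
  excluded_intf=$(echo "$excluded_intf" | xargs -n1 | sort -u | xargs)
  echo "Excluded interface list is $excluded_intf"
  # Each excluded name now occurs twice in the merged, sorted list, so
  # `uniq -u` keeps exactly the names that were not excluded, one per line.
  list_with_excluded=$(echo "$excluded_intf $nsppedevs" | xargs -n1 | sort)
  included_intf_list=$(uniq -u <(echo "${list_with_excluded}"))
  echo "Included interface list is $included_intf_list"
  nsppedevs=$included_intf_list
fi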
root@cpx-ingress-test-ndg5k:/#
root@cpx-ingress-test-ndg5k:/# bash test.sh
vlan tagged interfaces are eth0@enp129s1f6d2
interfaces which needs to be excluded is enp129s1f6d2
Processing to be excluded interface list which is enp129s1f6d2
nsppedevs is enp129s1f6d2 eth0 mgmt0
Excluding intf enp129s1f6d2
Excluded interface list is enp129s1f6d2
Included interface list is eth0
mgmt0
root@cpx-ingress-test-ndg5k:/# ip -d link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
3: mgmt0@if1481: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 0a:58:ac:14:00:c0 brd ff:ff:ff:ff:ff:ff link-netnsid 0 promiscuity 0
veth
4: eth0@enp129s1f6d2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 8e:a2:00:18:00:21 brd ff:ff:ff:ff:ff:ff promiscuity 0
vlan protocol 802.1Q id 2 <REORDER_HDR>
49: enp129s1f6d2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 8e:a2:00:18:00:21 brd ff:ff:ff:ff:ff:ff promiscuity 0
root@cpx-ingress-test-ndg5k:/#
Useful link: Personal try
Use the qdisc feature of Linux together with SO_REUSEPORT. Refer to HAProxy hitless reload.
About qdisc: a qdisc is a scheduler (Section 3.2). Every output interface needs a scheduler of some kind, and the default scheduler is a FIFO. Other qdiscs available under Linux rearrange the packets entering the scheduler's queue according to that scheduler's rules.
Useful link: https://www.haproxy.com/blog/truly-seamless-reloads-with-haproxy-no-more-hacks/
http://tldp.org/HOWTO/Traffic-Control-HOWTO/components.html#c-qdisc
Personal experience
In-line reference pages