How to count the packets flowing through network namespace using pyroute2?

[rishi narian]

Hi,

  I would like to count the packets flowing through network namespace using iptables or netfilter. Can it be possible  to get the packet counters using pyroute2 library?

[TheDiveO]

If you get them for the host network namespace, then ypu can get them also for other network namespaces. The issue here is how to "know" that a certain namespace exists and how to access it. From what I've seen when looking at the netns code in pyroute2, it supports out of the box only network namespaces registered in /var/run/netns. Thus, no docker, ...

However, what I'm doing is as follows: there's a python package nsenter. I'm using that to enter a network namespace, then create an IPRoute object and query the information I'm interested in while in this namespace, leave, done. You can find namespaces using /proc/PID/ns/net or other means. No need to switch the mount namespace as long as you're not forking any tools that rely on /sys/class/net.

[Peter Saveliev]

…

$ cat test0.nft
#! /usr/sbin/nft -f

table test0 {
    chain test_chain {
        type filter hook input priority 0;
        policy accept;
        counter;
    }
}

…

# install nft in a docker container

…

$ sudo python
…

>>> from pyroute2 import netns

>>> from pyroute2 import NFTables
>>> netns.NETNS_RUN_DIR = '/var/run/docker/netns/'
>>> netns.listnetns()
['df46fb9d1259']
>>> netns.setns('df46fb9d1259')
3
>>> nft = NFTables()

>>> nft.get_rules()
[{'attrs': [('NFTA_RULE_TABLE', 'test0'),
   ('NFTA_RULE_CHAIN', 'test_chain'),
   ('NFTA_RULE_HANDLE', 2),
   ('NFTA_RULE_EXPRESSIONS', [{'attrs': [('NFTA_EXPR_NAME', 'counter'), ('NFTA_EXPR_DATA', {'attrs': [('NFTA_COUNTER_BYTES', 336), ('NFTA_COUNTER_PACKETS', 4)]})]}])],
  'header': {'error': None,
   'flags': 2050,
   'length': 108,
   'pid': 6384,
   'sequence_number': 255,
   'type': 2566},
  'nfgen_family': 2,
  'res_id': 2,
  'version': 0}]
>>> (nft.get_rules()[0]                      # work with the only rule
... .get_attr('NFTA_RULE_EXPRESSIONS')[0]    # expressions are always a list
... .get_attr('NFTA_EXPR_DATA')
... .get_attr('NFTA_COUNTER_BYTES'))         # or NFTA_COUNTER_PACKETS, if you like
336

2018-05-09 6:50 GMT+02:00 TheDiveO <harald....@gmx.net>:

If you get them for the host network namespace, then ypu can get them also for other network namespaces. The issue here is how to "know" that a certain namespace exists and how to access it. From what I've seen when looking at the netns code in pyroute2, it supports out of the box only network namespaces registered in /var/run/netns. Thus, no docker, ...

However, what I'm doing is as follows: there's a python package nsenter. I'm using that to enter a network namespace, then create an IPRoute object and query the information I'm interested in while in this namespace, leave, done. You can find namespaces using /proc/PID/ns/net or other means. No need to switch the mount namespace as long as you're not forking any tools that rely on /sys/class/net.

--
You received this message because you are subscribed to the Google Groups "pyroute2-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pyroute2-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Peter Saveliev]

I mean that

1. you may set the netns dir with netns.NETNS_RUN_DIR, so you can enter any netns be it standard or docker

2. just use NFTables.get_rules() to access the counter rule

[rishi narian]

Hi Peter/all,

 

  Thanks a lot for your ideas. I will use this logic and implement my functionality.

 

Regards

--Muni

 

Sent from Mail for Windows 10

To unsubscribe from this group and stop receiving emails from it, send an email to pyroute2-dev...@googlegroups.com.