MB86977 Montavista-Linux Manual 2004/07/23 FUJITSU LSI SOLUTION LIMITED

MB86977 Montavista-Linux

Manual

2004/07/23

FUJITSU LSI SOLUTION LIMITED


Table of Contents

1. Introduction ........................................ 3
2. Structure of the system ............................. 3
3. Outline of the system ............................... 4
4. CM_LINUX ............................................ 5
   4.1. Network interfaces ............................. 5
   4.2. Device node addition ........................... 7
5. The Camelotd daemon ................................. 8
   5.1. System activation .............................. 8
   5.2. Internal information .......................... 11
   5.3. User mode and Kernel mode ..................... 18
6. Using the Camelot Router ........................... 19
   6.1. NAT ........................................... 19
   6.2. IP Forwarding ................................. 21
   6.3. PPPOE ......................................... 22
   6.4. The Filter .................................... 23
   6.5. The filter counter ............................ 25
   6.6. The Filter log ................................ 26
   6.7. DMZ ........................................... 27
   6.8. QOS ........................................... 29
7. Debugging .......................................... 31


1. Introduction

This document describes a system based on MontaVista's Linux for the MB86977, developed by MontaVista Software Inc.

2. Structure of the system

The development board features a CPU (ARM), SDRAM (8 Mbyte), FLASH (8 Mbyte) and the MB86977 (Camelot), and was developed by Elmic Systems. The system consists of a daemon ("camelotd") and a Linux system specially designed for the MB86977 ("CM_LINUX").


3. Outline of the system

The following diagram gives the basic idea of the system, which we shall call the "Camelot router". CM_LINUX (in grey) operates as a router. Normally, routing is processed as shown by the blue arrows. Camelot is controlled by camelotd (in pink) in this CM_LINUX system. Camelotd receives information (such as connection information) from the netfilter (sky blue) and netlink (yellow arrows) functions, and registers/deletes connection information in Camelot as required (pink arrows). From then on, packets that match the registered connection information pass through Camelot (the black arrows), resulting in a router that can route packets at high speed. The above is an explanation of user-mode Camelot. There is also a kernel-mode Camelot (red arrows) that can register/delete connections in Camelot even faster. We shall look into this later in Chapter 5.3.

[Diagram: block diagram of the Camelot router showing CAMELOT (HardWare), Driver, Network Stack, NETFILTER and Routing (Kernel), and CAMELOTD (User); the coloured arrows referred to in the text are not reproduced in this transcript.]


4. CM_LINUX

Normally, a driver is developed for new hardware when adding it to the Linux kernel. For Camelot, however, we must revise the netfilter and also add netlink functionality (the details of which we shall not delve into here), and also alter other things, which are explained below.

4.1. Network interfaces

The names assigned to the network interfaces differ, as shown below (explanatory comments follow each interface).

[email protected]:/usr# ifconfig -a
cm0   Link encap:Ethernet  HWaddr 00:90:99:18:72:9C
      inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:25064 errors:0 dropped:0 overruns:0 frame:0
      TX packets:17251 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:15248179 (14.5 Mb)  TX bytes:2568011 (2.4 Mb)
The LAN interface.

cm1   Link encap:Ethernet  HWaddr 00:90:99:18:72:9C
      inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.248
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:2654 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1536 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:246371 (240.5 Kb)  TX bytes:180680 (176.4 Kb)
The DMZ interface. This interface is displayed regardless of whether it is in use or not.

lo    Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ppp0  Link encap:Point-to-Point Protocol
      inet addr:218.43.19.231  P-t-P:219.160.1.113  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1454  Metric:1
      RX packets:1349 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2822 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:3
      RX bytes:138170 (134.9 Kb)  TX bytes:632122 (617.3 Kb)
The PPP interface. This is displayed only when a PPPoE connection has been established.

wan0  Link encap:Ethernet  HWaddr 00:90:99:18:72:9C
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:2413 errors:0 dropped:0 overruns:0 frame:0
      TX packets:3884 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:231700 (226.2 Kb)  TX bytes:758086 (740.3 Kb)
The WAN interface.


4.2. Device node addition

Camelot can keep track of when FIN or RST packets for a specific connection have been received, and request that CM_LINUX delete the connection information. CM_LINUX uses a special miscdevice device node to signal this to camelotd. Please use the mknod command to create the device node.

[email protected]:/usr# mknod /dev/camelot_misc c 10 230


5. The Camelotd daemon

5.1. System activation

Camelotd is activated in the background, and can be killed by the kill command (without a -9).

[email protected]:/usr# camelotd -c configuration_file -D0 &

The options for the camelotd daemon (explanatory comments follow each option):

-h          Help.
-c <file>   Specify the configuration file.
-s          Activate in background (cannot be used with -f).
-d          Increment the debug level.
-t          Increment the trace level.
-D<level>   Assign the debug level.
-T<level>   Assign the trace level.
-l          Add a timestamp to the log.
-r          The timestamp will be the real time.
-Z          Enable DMZ mode.
-f <file>   Store the debug log in <file> (cannot be used with -s).
-m          Use kernel mode (the default is user mode).


The configuration file is as follows (explanatory comments follow each block):

.........
# Tag  IPv    WAN IP           WAN   DMZ IP        DMZ   TOS/TC  Flow
#      (4/6)                   Port                Port          Label
QOS    4      216.136.204.117  0     192.168.2.10  0     0       0
The machine you want to prioritize shall be addressed here. Comment out if not necessary.

.........
# Tag  IEEE Addr           Interface    Dynamic  WAN Comp  DMZ Comp
#      (colon-separated)   (see above)  (0/1)    (0/1)     (0/1)
L2     00:11:22:33:44:55   1            1        0         0
L2     99:AA:BB:CC:DD:EE   2            1        1         0
MAC addresses can be registered statically. Comment out if not needed.

.........
# Tag  Timeout Period  Poll Period
#      (sec)           (sec)
CT     50              20
The timeout and polling interval.
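The three tag types above share one whitespace-separated, '#'-commented layout. As an added example (not code from the manual or from camelotd), the following Python parser reads such a file into structured entries and rejects malformed lines before they reach the daemon. The column layout is taken from the sample above; the validation rules, the function names and the expected field counts are this example's own assumptions.

```python
"""Parser for the camelotd.cfg tag/column format shown above.

Added example, not part of the Fujitsu manual or camelotd: the column layout
(QOS, L2 and CT tags) follows the sample configuration in the text; the
validation rules are this example's own (assumptions).
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Number of fields after the tag, counted from the manual's sample lines.
FIELD_COUNTS = {"QOS": 7, "L2": 5, "CT": 2}


def parse_line(line):
    """Parse one camelotd.cfg line; return (tag, dict) or None for comments/blank."""
    body = line.split("#", 1)[0].strip()   # '#' starts a comment
    if not body:
        return None
    fields = body.split()
    tag, args = fields[0], fields[1:]
    if tag not in FIELD_COUNTS:
        raise ValueError(f"unknown tag {tag!r}")
    if len(args) != FIELD_COUNTS[tag]:
        raise ValueError(f"{tag}: expected {FIELD_COUNTS[tag]} fields, got {len(args)}")
    if tag == "QOS":
        ipv = int(args[0])
        if ipv not in (4, 6):
            raise ValueError("QOS: IP version must be 4 or 6")
        entry = {
            "ipv": ipv,
            "wan_ip": ipaddress.ip_address(args[1]),
            "wan_port": int(args[2]),
            "dmz_ip": ipaddress.ip_address(args[3]),
            "dmz_port": int(args[4]),
            "tos_tc": int(args[5]),
            "flow_label": int(args[6]),
        }
        if entry["wan_ip"].version != ipv or entry["dmz_ip"].version != ipv:
            raise ValueError("QOS: address family does not match the IPv column")
        for port in (entry["wan_port"], entry["dmz_port"]):
            if not 0 <= port <= 65535:
                raise ValueError("QOS: port out of range")
        return tag, entry
    if tag == "L2":
        if not MAC_RE.match(args[0]):
            raise ValueError("L2: MAC must be colon-separated hex")
        flags = [int(x) for x in args[2:]]
        if any(f not in (0, 1) for f in flags):
            raise ValueError("L2: Dynamic/WAN Comp/DMZ Comp must be 0 or 1")
        return tag, {"mac": args[0].lower(), "interface": int(args[1]),
                     "dynamic": flags[0], "wan_comp": flags[1], "dmz_comp": flags[2]}
    timeout, poll = int(args[0]), int(args[1])   # CT
    if timeout <= 0 or poll <= 0:
        raise ValueError("CT: periods must be positive seconds")
    return tag, {"timeout_s": timeout, "poll_s": poll}


def parse_config(text):
    """Parse a whole file into {'QOS': [...], 'L2': [...], 'CT': [...]}."""
    result = {"QOS": [], "L2": [], "CT": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if parsed:
            result[parsed[0]].append(parsed[1])
    return result


# Constructed sample built from the manual's example lines.
SAMPLE_CFG = """\
# Tag IPv WAN IP          WAN  DMZ IP        DMZ  TOS/TC Flow
#     (4/6)               Port               Port        Label
QOS   4   216.136.204.117 0    192.168.2.10  0    0      0
# Tag IEEE Addr          Interface Dynamic WAN Comp DMZ Comp
L2    00:11:22:33:44:55  1         1       0        0
L2    99:AA:BB:CC:DD:EE  2         1       1        0
# Tag Timeout Period Poll Period
CT    50             20
"""

if __name__ == "__main__":
    for tag, entries in parse_config(SAMPLE_CFG).items():
        for entry in entries:
            print(tag, entry)
```

Running the parser over the file before starting camelotd catches a mistyped MAC or an out-of-range port at edit time rather than as a silently ignored line.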


Debug levels (the default is 1):

DBG_PANIC  = 0
DBG_WARN   = 1
DBG_INFO   = 2
DBG_LOW    = 3
DBG_LOWER  = 4
DBG_LOWEST = 5

Trace levels (the default is 1):

TRACE_ALL   = 0
TRACE_HIGH  = 1
TRACE_MED   = 2
TRACE_LOW   = 3
TRACE_LOWER = 4

Be sure to assign a debug log file when using any debug level other than 0. If the debug level is larger than 2, allocate more memory for the socket receive buffer as shown below.

echo 65535 > /proc/sys/net/core/rmem_default


5.2. Internal information

The status of Camelot can be monitored via the network by telnet from a different machine after the camelotd daemon is started.

Prompt> telnet 192.168.1.1 12345
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

The above shows a successful telnet attempt (the prompt will not return). Commands such as the following may be entered.

quit               - exit shell
show               - show tables
matches            - show match table (since last match poll)
flush              - flush tables & state
flush_ipf          - flush IPF/NAT table
flush_l2           - flush L2 table
flush_filt_counts  - flush (reset) filter counts
get                - get kernel state & populate tables
dump               - dump chip internal tables

We shall continue with an explanation of the most frequently used commands.

[Diagram: a PC at 192.168.1.10 is attached to the LAN port of the Camelot router at 192.168.1.1; the WAN port faces the other side.]


Most of the general status of Camelot (such as entry and filter information) can be obtained by the dump command, as shown below (explanatory comments follow each part of the output). Details about what each value means can be found in the MB86977 User's Manual.

Chip table dump:
Direction Analyzing Table:
0: IPv4 a1 192.168.1.0 a2 0.0.0.0 m1 255.255.255.0 m2 0.0.0.0
1: IPv4 a1 192.168.2.1 a2 0.0.0.0 m1 255.255.255.255 m2 0.0.0.0
The direction of the WAN and LAN ports as seen from the DMZ in the direction table when the DMZ has been enabled.

L2 Table:
Lkup Control Register: DMZ Mode Enabled, No Match Bits: 7
Entry 1: mac 00909918729c intf host STAT WAN DMZ
Entry 2: mac ffffffffffff intf host STAT WAN DMZ
Entry 3: mac 0002b3ecf0db intf LAN0 DYN
Entry 4: mac 0090991878b3 intf LAN1 DYN
The L2 MAC address table.

QOS:
0: DMZ ctl 0x000000c5 IPv4 sa 192.168.2.10 da 216.136.204.117 sp 0000 dp 0000 tos 0000 fl 0000
0: WAN ctl 0x000000c5 IPv4 sa 216.136.204.117 da 218.43.19.231 sp 0000 dp 0000 tos 0000 fl 0000
The QoS table. This table is advertised only after the machines stated in camelotd.cfg have started communicating.

NAT/IPF:
0: i 192.168.1.30 e 216.136.204.117 n 218.43.19.231 ip 8017 ep 0050 np 8017 id 0001 ed 0010 ctrl 00311001 lma 0002b3ecf0db wma 00057454bc06
1: i 192.168.1.30 e 216.136.204.117 n 218.43.19.231 ip 8018 ep 0051 np 8018 id 0001 ed 0010 ctrl 00311001 lma 0002b3ecf0db wma 00057454bc06
2: i 192.168.2.10 e 216.136.204.117 n 218.43.19.231 ip 9000 ep 0052 np 9000 id 0008 ed 0020 ctrl 00312001 lma 0002b3e380aa wma 00057454bc06
There are three entries in the NAT table (entry number 2 is in sync with the QoS table).

FILTER:
filter mode/mask: 0x00000000 / 0x00000000
The filter mode and the subnet mask.

filters in-ip
0: s 0.0.0.0 d 0.0.0.0 dp ffff:0000 sp ffff:0000
   protocol value is 1245235 (0x130033)
   TCP,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
   log,pass,ack_fg_en_0,wan,
1: s 0.0.0.0 d 0.0.0.0 dp 0000:0000 sp 0000:0000
   protocol value is 4390967 (0x430037)
   ICMP,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,icmp_dont_care,ipv4,entry_valid
   log,pass,wan,
2: s 0.0.0.0 d 0.0.0.0 dp ffff:0000 sp 0035:0035
   protocol value is 2490419 (0x260033)
   UDP,L4_src_range,L4_dont_care_dst,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
   log,pass,ack_fg_en_1,wan,
3: s 0.0.0.0 d 0.0.0.0 dp 0000:0000 sp 0000:0000
   protocol value is 196659 (0x30033)
   DONTCARE,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
   log,drop,wan,
There are four entries in the L3/L4 in-side filter table.

filters in-protocol:
Nothing is registered in the protocol type in-side filter table.

filters out-ip:
Nothing is registered in the L3/L4 out-side filter table.

filters output-protocol:
Nothing is registered in the protocol type out-side filter table.

filter counts, in : [0]=15860 [1]=3 [2]=332 [3]=679
The total number of packets that matched each in-side filter entry is displayed.

filter counts, out:
Since there are no entries in the out-side filter, nothing is displayed.

Filter log: status 0000000e
This displays whether there is a log of a packet that has matched the filter. (This is displayed only once, since the log is cleared when read.)

log input
#2: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#3: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#4: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
The contents of the packets that have matched an in-side filter entry.

log output
Nothing is displayed since there are no entries in the out-side filter table.

PPPoE
0: sess id f22b code 00 type 1 version 1
The header information is displayed if a PPPoE connection has been established.


The show command is used to display the internal information of camelotd, as in the following example (explanatory comments follow each part of the output).

State dump:
Interfaces:
wan0 0.0.0.0/0.0.0.0 00:90:99:18:72:9c
pppoe 218.43.19.231/255.255.255.255 using PPPOE-WAN mode, sid 0000f22b
cm0 192.168.1.1/255.255.255.0 00:90:99:18:72:9c
cm1 192.168.2.1/255.255.255.248 00:90:99:18:72:9c
cm2 0.0.0.0/0.0.0.0 00:00:00:00:00:00
The names, addresses, subnet masks and MAC addresses of each Camelot router network interface.

Neighbor table:
192.168.2.3 00:90:99:18:99:9c
192.168.2.4 00:90:99:18:8c:6e
192.168.2.2 00:e0:00:34:d9:20
192.168.1.20 00:90:99:18:78:b3
219.160.1.113 00:05:74:54:bc:06
192.168.1.30 00:02:b3:ec:f0:db
The MAC and IP addresses of neighboring machines.

Internal QOS Table:
1: IPv4 211.129.14.134:0035 -> 192.168.2.2:0000 0 0 (0 refs)
The machine to be prioritized, as defined in camelotd.cfg.

Connection track table:
protocol 17
orig: proto 17 192.168.2.2:1624 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1624
protocol 17
orig: proto 17 192.168.2.2:1623 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1623
protocol 17
orig: proto 17 192.168.2.2:1622 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1622
protocol 17
orig: proto 17 192.168.2.2:1621 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1621
protocol 17
orig: proto 17 192.168.2.2:1620 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1620
protocol 17
orig: proto 17 192.168.2.2:1619 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1619
The information of all managed connections. There are six such connections here. Each entry shows the protocol type and then, for the orig and reply directions, source IP address:source port number -> destination IP address:destination port number.

Filter (ip_tables) table:
name 'nat'
This is displayed only when the NAT function has been started by the iptables command.
name 'filter'
This is displayed only when the packet filter function has been started by the iptables command.

Chip matches: 0 1
This shows whether there are packets using a connection registered in Camelot's tables. The entry numbers of such connections are displayed.
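As an added example (not the manual's or camelotd's code), the parser below reads the show output into Python structures so that the neighbor table and the connection track table can be checked mechanically instead of by eye. The section headers are the ones visible above; the two checks at the end (several IPs claiming one MAC, and tracked flows per service port) are this example's own idea of what a defender would look at first, and the sample text is constructed from the lines shown in the manual.

```python
"""Parser for the 'show' state dump of camelotd (added example, not from the
manual or camelotd). Section names are the ones visible in the manual; the
exact line separation is an assumption since the transcript runs lines together."""
import re
from collections import Counter

FLOW_RE = re.compile(
    r"(orig|reply):\s+proto\s+(\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)")
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:]{17})$")
# The MAC is optional because the pppoe line carries mode and session id instead.
IFACE_RE = re.compile(r"^(\w+)\s+(\S+)/(\S+)(?:\s+([0-9a-f:]{17}))?")


def parse_show(text):
    """Return interfaces, neighbors, conntrack entries and chip matches."""
    out = {"interfaces": [], "neighbors": [], "conntrack": [], "chip_matches": []}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interfaces:"):
            section = "interfaces"
            continue
        if line.startswith("Neighbor table:"):
            section = "neighbors"
            continue
        if line.startswith("Connection track table:"):
            section = "conntrack"
            continue
        if line.startswith("Chip matches:"):
            out["chip_matches"] = [int(x) for x in line.split(":", 1)[1].split()]
            section = None
            continue
        if line.startswith(("Internal QOS", "Filter (ip_tables)")):
            section = None
            continue
        if section == "interfaces":
            m = IFACE_RE.match(line)
            if m:
                out["interfaces"].append(
                    {"name": m[1], "addr": m[2], "mask": m[3], "mac": m[4]})
        elif section == "neighbors":
            m = NEIGH_RE.match(line)
            if m:
                out["neighbors"].append({"ip": m[1], "mac": m[2]})
        elif section == "conntrack":
            if line.startswith("protocol"):
                current = {"protocol": int(line.split()[1])}
                out["conntrack"].append(current)
                continue
            m = FLOW_RE.search(line)
            if m and current is not None:
                current[m[1]] = {"proto": int(m[2]), "src": (m[3], int(m[4])),
                                 "dst": (m[5], int(m[6]))}
    return out


def duplicate_mac_neighbors(neighbors):
    """IPs that share one MAC. A legitimate multi-homed host can cause this,
    but so can address spoofing on the LAN, so it deserves a look."""
    by_mac = {}
    for n in neighbors:
        by_mac.setdefault(n["mac"], []).append(n["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def flows_by_service(conntrack):
    """Count tracked connections per (protocol, original destination port)."""
    return Counter((c["protocol"], c["orig"]["dst"][1]) for c in conntrack if "orig" in c)


# Constructed sample, abbreviated from the show output in the manual.
SAMPLE_SHOW = """\
State dump:
Interfaces:
wan0 0.0.0.0/0.0.0.0 00:90:99:18:72:9c
pppoe 218.43.19.231/255.255.255.255 using PPPOE-WAN mode, sid 0000f22b
cm0 192.168.1.1/255.255.255.0 00:90:99:18:72:9c
cm1 192.168.2.1/255.255.255.248 00:90:99:18:72:9c
Neighbor table:
192.168.2.3 00:90:99:18:99:9c
192.168.2.2 00:e0:00:34:d9:20
192.168.1.30 00:02:b3:ec:f0:db
Internal QOS Table:
1: IPv4 211.129.14.134:0035 -> 192.168.2.2:0000 0 0 (0 refs)
Connection track table:
protocol 17
orig: proto 17 192.168.2.2:1624 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1624
protocol 17
orig: proto 17 192.168.2.2:1623 -> 192.168.2.1:53
reply: proto 17 192.168.2.1:53 -> 192.168.2.2:1623
Chip matches: 0 1
"""

if __name__ == "__main__":
    state = parse_show(SAMPLE_SHOW)
    print(flows_by_service(state["conntrack"]), state["chip_matches"])
```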


Use the matches command when you want to display only the "Chip matches" part of the show command's output.

Chip matches: 0 1


5.3. User mode and Kernel mode

When camelotd is in user mode, CM_LINUX switches between user and kernel context numerous times until netfilter has completed establishing a connection and registered it with Camelot. This occurs because camelotd and netfilter exchange information via netlink, and this can become quite a burden on the system. Under extreme conditions (such as when connections are continuously registered/deleted from all 128 entries), the entries may not be registered/deleted fast enough. In such cases we recommend kernel mode. This eliminates the switching between user and kernel contexts, and only notifications are signaled to camelotd. This relieves the system of considerable load and allows it to operate under extreme conditions.

Kernel mode can be started by the following command.

[email protected]:/usr# camelotd -c configuration_file -D0 -m &

User mode can be started by omitting the -m.

[email protected]:/usr# camelotd -c configuration_file -D0 &


6. Using the Camelot Router

6.1. NAT

Start camelotd in user mode, and set CM_LINUX to NAT mode. For TCP connections, after a SYN packet has been forwarded and the corresponding ACK packet has been received, netfilter acknowledges that the connection has been established. This is signaled to camelotd, and camelotd gathers the necessary information (such as MAC addresses) and issues an ioctl system call to register the connection with the Camelot device driver. The device driver registers the information in Camelot's hardware, and any following packets that match this entry are routed by Camelot (1).

For UDP connections, a connection is considered established when packets with matching port number fields have been received from opposite directions (of course, the source and destination port fields are reversed for packets in opposite directions). The rest is the same as for a TCP connection.

When a packet indicating the closing of a connection (such as FIN or RST) has been received, an interrupt is asserted by Camelot and signaled to CM_LINUX. CM_LINUX acknowledges this interrupt and signals the connection close to camelotd, and camelotd issues a connection deletion command to the Camelot device driver via an ioctl system call. The device driver deletes the corresponding entry from Camelot's table (2).

In case an entry cannot be deleted by the normal procedure described above (such as when the sequence of a TCP connection has become corrupted, or for UDP connections), the camelotd daemon has a timeout function that periodically monitors the connections. There are no restrictions on the timeout period, which can be set in the camelotd.cfg file.

The following is a Camelot router setup example.

[email protected]:/usr# camelotd -c camelotd.cfg -D0 &        (3)
[email protected]:/usr# echo -n "1" >/proc/sys/net/ipv4/ip_forward
[email protected]:/usr# ifconfig wan0 1.1.1.1 netmask 255.255.255.0
[email protected]:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
[email protected]:/usr# iptables -t filter -F INPUT
[email protected]:/usr# iptables -t filter -F OUTPUT
[email protected]:/usr# iptables -t filter -F FORWARD
[email protected]:/usr# iptables -t nat -F PREROUTING
[email protected]:/usr# iptables -t nat -F OUTPUT
[email protected]:/usr# iptables -t nat -F POSTROUTING
[email protected]:/usr# iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE

Next we shall explain the difference between kernel mode and user mode. The differences are in the parts marked (1), (2) and (3) above (shown in green in the original), and are as follows.

(1) For TCP connections, when a SYN packet has been forwarded and the corresponding ACK packet has been received, netfilter acknowledges that the connection has been established. Netfilter gathers the necessary information (such as MAC addresses) and invokes the device driver so that it registers the information in Camelot's hardware, causing any following packets that match this entry to be routed by Camelot.

(2) When a packet indicating the closing of a connection (such as FIN or RST) has been received, an interrupt is asserted by Camelot and signaled to CM_LINUX. CM_LINUX acknowledges this and causes the Camelot device driver to delete the corresponding entry from Camelot's table. Then camelotd is informed that the connection has been deleted.

(3) [email protected]:/usr# camelotd -c camelotd.cfg -D0 -m &

The only differences between kernel and user mode have been explained above. Therefore, from here on we shall describe only user mode.
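To make the sequence above concrete, the following added example (a simplified model written for this page, not camelotd's code) replays packets through the decision rules of 6.1 and 5.3: a TCP flow is registered once its SYN has been forwarded and the matching ACK has been seen, a UDP flow once packets have been seen in both directions, an entry is deleted on FIN/RST, the timeout sweep removes idle entries, and the 128-entry table can fill up. The class and event names, the timeout value (the CT line of the sample configuration) and what happens when the table is full (the flow simply stays on the Linux path) are this example's assumptions.

```python
"""Simplified model of the connection lifecycle described in 6.1 and 5.3.
Added illustration, not camelotd's code; names and the table-full behaviour
are assumptions."""

TABLE_ENTRIES = 128   # hardware connection entries, from 5.3
TCP, UDP = 6, 17


class CamelotModel:
    """Reports which of the manual's actions camelotd would take per packet."""

    def __init__(self, timeout_s=50, now=0.0):
        self.timeout_s = timeout_s   # CT "Timeout Period" of the sample camelotd.cfg
        self.now = now
        self.pending = {}            # flow key -> tracking state before registration
        self.table = {}              # flow key -> last-seen time ("hardware" entries)
        self.dropped_registrations = 0

    @staticmethod
    def key(proto, src, sport, dst, dport):
        """Direction-independent key so both directions of a flow map to one entry."""
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)

    def packet(self, proto, src, sport, dst, dport, flags=()):
        """Feed one forwarded packet and report the action taken."""
        k = self.key(proto, src, sport, dst, dport)
        if k in self.table:
            if {"FIN", "RST"} & set(flags):
                del self.table[k]        # close seen: entry deleted via ioctl (2)
                return "deleted"
            self.table[k] = self.now     # routed by Camelot; refresh the idle timer
            return "fast_path"
        if proto == TCP:
            if "SYN" in flags and "ACK" not in flags:
                self.pending[k] = "syn_forwarded"
                return "pending"
            if k in self.pending:
                if "ACK" in flags and "SYN" not in flags:
                    return self._register(k)   # SYN forwarded, ACK received (1)
                return "pending"               # e.g. the SYN-ACK in between
            return "ignored"
        if proto == UDP:
            first = self.pending.get(k)
            if first is None:
                self.pending[k] = (src, sport)   # remember direction of first packet
                return "pending"
            if first != (src, sport):            # reply direction seen: established
                return self._register(k)
            return "pending"
        return "ignored"

    def _register(self, k):
        self.pending.pop(k, None)
        if len(self.table) >= TABLE_ENTRIES:
            self.dropped_registrations += 1      # no free entry: stays on the Linux path
            return "table_full"
        self.table[k] = self.now
        return "registered"

    def tick(self, seconds):
        """Advance time and run the timeout sweep; returns the number of expired entries."""
        self.now += seconds
        expired = [k for k, last in self.table.items() if self.now - last > self.timeout_s]
        for k in expired:
            del self.table[k]
        return len(expired)


if __name__ == "__main__":
    m = CamelotModel()
    print(m.packet(TCP, "192.168.1.30", 8017, "216.136.204.117", 80, ("SYN",)))
    print(m.packet(TCP, "192.168.1.30", 8017, "216.136.204.117", 80, ("ACK",)))
    print(m.packet(TCP, "216.136.204.117", 80, "192.168.1.30", 8017, ("FIN", "ACK")))
```

The model makes the capacity point of 5.3 visible: every flow that is established while all 128 entries are taken keeps going through the Linux stack, which is exactly the load kernel mode is meant to reduce.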


6.2. IP Forwarding

Camelotd is started, and CM_LINUX is set to IP Forwarding mode. The basic operation is the same as NAT except that the port number is "don't care". Stated differently, since IP forwarding is based solely on the addresses, once the entry has been registered, packets are forwarded regardless of their port number. There are no packet monitoring functions that delete connections. In principle, connections can only be deleted by the timeout function.

The following is an example of a Camelot router setup.

[email protected]:/usr# camelotd -c camelotd.cfg -D0 &
[email protected]:/usr# echo -n "1" >/proc/sys/net/ipv4/ip_forward
[email protected]:/usr# ifconfig wan0 1.1.1.1 netmask 255.255.255.0
[email protected]:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
[email protected]:/usr# iptables -t filter -F INPUT
[email protected]:/usr# iptables -t filter -F OUTPUT
[email protected]:/usr# iptables -t filter -F FORWARD
[email protected]:/usr# iptables -t nat -F PREROUTING
[email protected]:/usr# iptables -t nat -F OUTPUT
[email protected]:/usr# iptables -t nat -F POSTROUTING


6.3. PPPOE

Put CM_LINUX into NAT (IP Forwarding) mode and start the camelotd, pppd and pppoe daemons. The PPPoE connection is treated similarly to the NAT (IP Forwarding) connection described above. The following is an example of a Camelot NAT setup. (Here we are using ppp-2.4.1 and the kernel-mode rp-pppoe-3.5 by Roaring Penguin Software.)

[email protected]:/usr# camelotd -c camelotd.cfg -D0 &
[email protected]:/usr# echo -n "1" >/proc/sys/net/ipv4/ip_forward
[email protected]:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
[email protected]:/usr# iptables -t filter -F INPUT
[email protected]:/usr# iptables -t filter -F OUTPUT
[email protected]:/usr# iptables -t filter -F FORWARD
[email protected]:/usr# iptables -t nat -F PREROUTING
[email protected]:/usr# iptables -t nat -F OUTPUT
[email protected]:/usr# iptables -t nat -F POSTROUTING
[email protected]:/usr# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
[email protected]:/usr# iptables -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
(--set-mss 1412 may be used instead of --clamp-mss-to-pmtu)
[email protected]:/usr# iptables -A FORWARD -i ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[email protected]:/usr# adsl-start
....connected!


6.4. The Filter

The filters are set by iptables. iptables may be used as it normally is, and the values are set in both CM_LINUX and Camelot. However, since Camelot cannot support all iptables settings, here we explain the differences between Camelot's and Linux's filter. INPUT in iptables is mapped to the "in-side" as defined by Camelot, and FORWARD and OUTPUT are mapped to the "out-side". Camelot supports only one subnet mask for all entries. Camelot has 64 in-side and out-side entries.

The following are four examples of how the filter is set and how the results are shown by the dump command (explanatory comments follow each example).

[email protected]:/usr# iptables -A FORWARD -p tcp --tcp-flags ACK ACK -i ppp0 -j ACCEPT

The dump command will display:
0: s 0.0.0.0 d 0.0.0.0 dp ffff:0000 sp ffff:0000
   protocol value is 1245235 (0x130033)
   TCP,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
   log,pass,ack_fg_en_0,wan,
This entry indicates that a TCP packet with the ACK bit asserted has been received from the ppp0 interface.

[email protected]:/usr# iptables -A FORWARD -p icmp -i ppp0 -j ACCEPT

The dump command will show:
1: s 0.0.0.0 d 0.0.0.0 dp 0000:0000 sp 0000:0000
   protocol value is 4390967 (0x430037)
   ICMP,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,icmp_dont_care,ipv4,entry_valid
   log,pass,wan,
This entry indicates that an ICMP packet has been received from the ppp0 interface.

[email protected]:/usr# iptables -A FORWARD -p udp --sport 53 -i ppp0 -j ACCEPT

The dump command will show:
2: s 0.0.0.0 d 0.0.0.0 dp ffff:0000 sp 0035:0035
   protocol value is 2490419 (0x260033)
   UDP,L4_src_range,L4_dont_care_dst,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
   log,pass,ack_fg_en_1,wan,
This entry indicates that a UDP packet with a source port number of 53 has been received at the ppp0 interface.

[email protected]:/usr# iptables -A FORWARD -i ppp0 -j DROP

The dump command will show:
3: s 0.0.0.0 d 0.0.0.0 dp 0000:0000 sp 0000:0000
   protocol value is 196659 (0x30033)
   DONTCARE,L4_dont_care_dst,L4_dont_care_src,v4_dont_care_dst,v4_dont_care_src,ipv4,entry_valid
   log,drop,wan,
This entry indicates that all packets received at the ppp0 interface will be dropped.
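A rule set that works in Linux may not fit in Camelot, so it is worth checking the constraints above before loading it. The following added Python check (this example's own code, not part of the manual or camelotd) maps each iptables rule to the in-side or out-side table as described, counts entries against the 64-entry limit (read here as 64 per table, which is an assumption about the wording above), and flags rule sets that use more than one subnet mask. The rule parser only understands the option forms used in this document and reports anything else as unhandled; the sample rule lists are constructed.

```python
"""Check iptables rules against the Camelot filter constraints stated in 6.4.
Added example; not the manual's or camelotd's code. Reading "64 in-side and
out-side entries" as 64 per table is an assumption."""
import ipaddress
import shlex

TABLE_SIZE = 64
SIDE_OF_CHAIN = {"INPUT": "in", "FORWARD": "out", "OUTPUT": "out"}
KNOWN_OPTS = {"-A": "chain", "-p": "proto", "-i": "in_if", "-o": "out_if",
              "-s": "src", "-d": "dst", "--sport": "sport", "--dport": "dport",
              "-j": "target"}


def parse_rule(cmd):
    """Parse 'iptables -A CHAIN ...' into a dict; unknown options are collected."""
    tokens = shlex.split(cmd)
    if tokens[:1] == ["iptables"]:
        tokens = tokens[1:]
    rule = {"unsupported": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-t":                      # table selector
            rule["table"] = tokens[i + 1]
            i += 2
        elif tok in KNOWN_OPTS:
            rule[KNOWN_OPTS[tok]] = tokens[i + 1]
            i += 2
        elif tok == "--tcp-flags":           # takes two arguments: mask and comp
            rule["tcp_flags"] = (tokens[i + 1], tokens[i + 2])
            i += 3
        else:
            rule["unsupported"].append(tok)  # e.g. --clamp-mss-to-pmtu
            i += 1
    return rule


def netmask_of(spec):
    """Subnet mask of a -s/-d value (a bare host counts as /32); None if absent."""
    if spec is None:
        return None
    return str(ipaddress.ip_network(spec, strict=False).netmask)


def check_rules(cmds):
    """Return per-side entry counts, the set of masks used, and a problem list."""
    counts = {"in": 0, "out": 0}
    masks = set()
    problems = []
    for cmd in cmds:
        rule = parse_rule(cmd)
        if rule.get("table", "filter") != "filter":
            continue                          # nat rules are not filter entries
        side = SIDE_OF_CHAIN.get(rule.get("chain"))
        if side is None:
            problems.append(f"unknown chain in: {cmd}")
            continue
        counts[side] += 1
        if rule["unsupported"]:
            problems.append(f"options not handled by this checker {rule['unsupported']}: {cmd}")
        for key in ("src", "dst"):
            mask = netmask_of(rule.get(key))
            if mask is not None:
                masks.add(mask)
    for side, n in counts.items():
        if n > TABLE_SIZE:
            problems.append(f"{side}-side needs {n} entries, Camelot has {TABLE_SIZE}")
    if len(masks) > 1:
        problems.append(f"Camelot supports a single subnet mask, rules use {sorted(masks)}")
    return {"counts": counts, "masks": masks, "problems": problems}


# Constructed sample: the four filter rules of 6.4 plus one nat rule.
SAMPLE_RULES = [
    "iptables -A FORWARD -p tcp --tcp-flags ACK ACK -i ppp0 -j ACCEPT",
    "iptables -A FORWARD -p icmp -i ppp0 -j ACCEPT",
    "iptables -A FORWARD -p udp --sport 53 -i ppp0 -j ACCEPT",
    "iptables -A FORWARD -i ppp0 -j DROP",
    "iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE",
]

if __name__ == "__main__":
    print(check_rules(SAMPLE_RULES))
```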


6.5. The filter counter

The filter counter counts the packets that have matched Camelot's filter entries. Since the counter cannot be reset, the values keep accumulating as long as camelotd is running. The following is an example of how the counters are used. Telnet to the Camelot router from a monitoring PC.

[Camelot router]
[email protected]:/usr# camelotd -c camelotd.cfg -D0 &
[email protected]:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0

[monitoring PC]
Prompt> telnet 192.168.1.1 12345
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
dump
......
filter counts, in : [0]=15860 [1]=3 [2]=332 [3]=679
......

This indicates that 15860, 3, 332 and 679 packets have matched entries 0, 1, 2 and 3 respectively.


6.6. The Filter log

The log of the first four packets filtered by Camelot can be displayed. The following is an example of how the logs can be retrieved. Telnet to the Camelot router from a monitoring PC.

[Camelot router]
[email protected]:/usr# camelotd -c camelotd.cfg -D0 &
[email protected]:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0

[monitoring PC]
Prompt> telnet 192.168.1.1 12345
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
dump
......
log input
#2: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#3: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#4: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
......

Log 2 indicates that a packet matched entry 3 of the L3/4 filter, that the packet was received from the WAN interface, and that the packet length was 74 bytes. Logs 3 and 4 indicate the same status.
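Because the filter counts in the dump only accumulate while camelotd runs, a monitor has to difference successive readings itself. The following added example (not from the manual or camelotd) parses the filter counts and filter log lines shown in 5.2, 6.5 and 6.6 and computes per-poll deltas, treating a counter that goes backwards as a camelotd restart. The poll_router helper assumes that the monitor shell on port 12345 accepts newline-terminated commands, which the telnet session above suggests but the manual does not state; the reading of dest_if 16 as the WAN interface follows 6.6; the sample dump texts are constructed from the manual's lines. Since the same shell also accepts the flush commands listed in 5.2 with no login shown in the manual, the monitoring host should be the only machine able to reach that port.

```python
"""Filter counter and filter log monitor for the camelotd 'dump' output.
Added example, not from the manual or camelotd. Line formats follow 5.2;
dest_if 16 = WAN follows 6.6; the socket protocol is an assumption."""
import re
import socket

COUNTS_RE = re.compile(r"filter counts, (in|out)\s*:\s*(.*)")
PAIR_RE = re.compile(r"\[(\d+)\]=(\d+)")
LOG_RE = re.compile(r"#(\d+):\s*cause ([^,]+), table_id (\d+), dest_if (\d+), pkt len (\d+)")
DEST_IF_NAMES = {16: "WAN"}   # from 6.6; other codes are not documented on this page


def parse_dump(text):
    """Return ({'in': {idx: count}, 'out': {...}}, [log entries]) from dump text."""
    counts = {"in": {}, "out": {}}
    logs = []
    direction = None
    for line in text.splitlines():
        m = COUNTS_RE.search(line)
        if m:
            counts[m[1]] = {int(i): int(c) for i, c in PAIR_RE.findall(m[2])}
            continue
        stripped = line.strip()
        if stripped.startswith("log input"):
            direction = "in"
        elif stripped.startswith("log output"):
            direction = "out"
        m = LOG_RE.search(line)          # a log line may follow the header on the same line
        if m and direction:
            dest_if = int(m[4])
            logs.append({"direction": direction, "log_no": int(m[1]), "cause": m[2],
                         "table_id": int(m[3]), "dest_if": dest_if,
                         "dest_if_name": DEST_IF_NAMES.get(dest_if, "unknown"),
                         "pkt_len": int(m[5])})
    return counts, logs


class CounterMonitor:
    """Turn the cumulative Camelot filter counters into per-poll deltas."""

    def __init__(self):
        self.last = {"in": {}, "out": {}}

    def update(self, counts):
        """Return per-entry deltas. None means no baseline yet, or the counter went
        backwards (camelotd restarted and started counting from zero again)."""
        deltas = {"in": {}, "out": {}}
        for side in ("in", "out"):
            for idx, value in counts[side].items():
                prev = self.last[side].get(idx)
                deltas[side][idx] = None if prev is None or value < prev else value - prev
            self.last[side] = dict(counts[side])
        return deltas


def poll_router(host="192.168.1.1", port=12345, timeout=5.0):
    """Fetch one dump from the camelotd monitor shell (assumed newline-terminated
    command protocol; not exercised by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"dump\n")
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
        s.sendall(b"quit\n")
    return b"".join(chunks).decode(errors="replace")


# Constructed samples: the first copies the manual's dump lines, the second is a later poll.
SAMPLE_DUMP_1 = """\
filter counts, in : [0]=15860 [1]=3 [2]=332 [3]=679
filter counts, out:
Filter log: status 0000000e
log input
#2: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#3: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
#4: cause L3/4 filter, table_id 3, dest_if 16, pkt len 74,
log output
"""
SAMPLE_DUMP_2 = "filter counts, in : [0]=16100 [1]=3 [2]=340 [3]=702\nfilter counts, out:\n"

if __name__ == "__main__":
    mon = CounterMonitor()
    for text in (SAMPLE_DUMP_1, SAMPLE_DUMP_2):
        counts, logs = parse_dump(text)
        print(mon.update(counts), logs)
```

Entry 3 in the manual's example is the DROP rule of 6.4, so a rising delta on that index between polls is the number of WAN packets rejected in that interval, which is the figure a defender actually wants to trend.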


6.7. DMZ

The LAN2 port can be placed in a different segment from the LAN0 and LAN1 ports, and may be used as a DMZ port. The interface name of the DMZ port is cm1. The following is a Camelot router setup example.

[Diagram: WAN PC at 1.1.1.10 on the WAN side of the Camelot router (wan0 1.1.1.1); LAN PC at 192.168.1.10 on the LAN side (cm0 192.168.1.1); DMZ PC at 192.168.2.10 on the DMZ port (cm1 192.168.2.1).]

[email protected]:/usr# camelotd -Z -c camelotd.cfg -D0 &
[email protected]:/usr# echo -n "1" >/proc/sys/net/ipv4/ip_forward
[email protected]:/usr# ifconfig wan0 1.1.1.1 netmask 255.255.255.0
[email protected]:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
[email protected]:/usr# ifconfig cm1 192.168.2.1 netmask 255.255.255.0
[email protected]:/usr# iptables -t filter -F INPUT
[email protected]:/usr# iptables -t filter -F OUTPUT
[email protected]:/usr# iptables -t filter -F FORWARD
[email protected]:/usr# iptables -t nat -F PREROUTING
[email protected]:/usr# iptables -t nat -F OUTPUT
[email protected]:/usr# iptables -t nat -F POSTROUTING
[email protected]:/usr# iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE
[email protected]:/usr# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o cm1 -j MASQUERADE

Add the following command if you want to apply port forwarding.

[email protected]:/usr# iptables -t nat -A PREROUTING -p TCP -i wan0 -d 1.1.1.1 --dport 23 -j DNAT --to-destination 192.168.2.10

TCP packets received at the wan0 port with destination address 1.1.1.1 and destination port 23 will have their destination address changed to 192.168.2.10 and be routed.


6.8. QOS

Packets from hosts attached to the WAN and DMZ ports can be prioritized by setting their IP addresses (and port numbers). This capability can be used concurrently with NAT and IP Forwarding. The following is a Camelot router IP Forwarding setup example. In this example, we prioritize packets transmitted between the host on the DMZ port at 192.168.2.10 and the host on the WAN port with IP address 1.1.1.10.

[Diagram: WAN PC at 1.1.1.10 on the WAN side of the Camelot router (wan0 1.1.1.1); LAN PC at 192.168.1.10 on the LAN side (cm0 192.168.1.1); DMZ PC at 192.168.2.10 on the DMZ port (cm1 192.168.2.1).]

[email protected]:/usr# vi camelotd.cfg
......
# Tag  IPv    WAN IP    WAN   DMZ IP        DMZ   TOS/TC  Flow
#      (4/6)            Port                Port          Label
QOS    4      1.1.1.10  0     192.168.2.10  0     0       0
......
:wq
[email protected]:/usr# camelotd -Z -c camelotd.cfg -D0 &
[email protected]:/usr# echo -n "1" >/proc/sys/net/ipv4/ip_forward
[email protected]:/usr# ifconfig wan0 1.1.1.1 netmask 255.255.255.0
[email protected]:/usr# ifconfig cm0 192.168.1.1 netmask 255.255.255.0
[email protected]:/usr# ifconfig cm1 192.168.2.1 netmask 255.255.255.0
[email protected]:/usr# iptables -t filter -F INPUT
[email protected]:/usr# iptables -t filter -F OUTPUT
[email protected]:/usr# iptables -t filter -F FORWARD
[email protected]:/usr# iptables -t nat -F PREROUTING
[email protected]:/usr# iptables -t nat -F OUTPUT
[email protected]:/usr# iptables -t nat -F POSTROUTING

UDP packets with source port number 10000 and destination port number 20000 from the host at the DMZ port, and with source port number 20000 and destination port number 10000 from the host at the WAN port, will be prioritized.


7. Debugging

The debug log is stored in a file and is not displayed on the serial window. (This is because the serial terminal can only display a limited amount of information.) The debug level and trace level should be assigned when the camelotd daemon is started. The following is an example of assigning debug level 3 and trace level 4.

[email protected]:/usr# echo 65535 > /proc/sys/net/core/rmem_default
[email protected]:/usr# camelotd -c camelotd.cfg -D3 -f log.txt -T4 &

Terminate camelotd when you want to see the logged results.

[email protected]:/usr# ps
  PID TTY          TIME CMD
  108 ttyS0    00:00:00 bash
  126 ttyS0    00:00:00 camelotd
  128 ttyS0    00:00:00 ps
[email protected]:/usr# kill 126
[email protected]:/usr# cat log.txt

