I'm starting to wonder if the Linux networking stack has become a bit too layered.
I recently spent some time debugging a Wireguard tunnel on a VPS. Simple 'ip r sh' checks and tcpdump'ing weren't revealing the full picture, and it turned out an obscure 'ip rule' added by the VPS provider was redirecting the traffic to the loopback for reasons.
It seems like policy-based routing (via ip rule) adds an extra, opaque layer before the regular routing table. The packet router (below routing) further complicates things.
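An added example (not code from the thread) of how I would chase the symptom described above: `ip route show` only lists the main table, but the kernel consults `ip rule` entries first, in priority order, and each one can point at a table that never appears in that listing. `ip route get` reports the decision the kernel actually makes for a destination. The two parsing helpers are plain text filters and run anywhere; `explain_route` needs iproute2 on a Linux host. The rule and route lines used to exercise the helpers are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: walk policy rules before the routing
# table, and flag any referenced table that sends traffic to loopback.

# Tables referenced by `ip rule show` text on stdin, minus the three
# built-in tables (local, main, default) every system has.
rule_tables() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "lookup") print $(i + 1) }' |
        grep -v -x -e local -e main -e default |
        sort -u
}

# Route lines (from `ip route show table N` on stdin) whose output device is
# lo, i.e. the exact symptom above. Prints the matches; exits 1 if none.
loopback_routes() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "dev" && $(i + 1) == "lo") { print; found = 1; break } }
         END { exit !found }'
}

# Walk the decision for one destination: rules first, then every extra table
# the rules reference, then the kernel's own answer via `ip route get`.
explain_route() {
    dst=$1
    echo "== policy rules (priority order, consulted before the main table)"
    ip rule show
    for t in $(ip rule show | rule_tables); do
        echo "== table $t (referenced by a rule, invisible to plain 'ip route show')"
        ip route show table "$t"
        ip route show table "$t" | loopback_routes >/dev/null \
            && echo "!! table $t routes traffic to loopback"
    done
    echo "== kernel decision for $dst"
    ip route get "$dst"
}

if [ $# -gt 0 ]; then
    explain_route "$1"
fi
```

Run it as `sh explain_route.sh 203.0.113.5`; the table printed under `ip route get` is the one to compare against the rule list, and a rule whose `lookup` table is not the main table is the hidden layer the comment is describing.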
OTOH the flexibility of the Linux networking stack makes it so amazing; if you can imagine it then there is almost certainly some way of doing it with Linux. It might not be the fastest or cleanest, but it certainly can do a lot.
Also, policy based routing has been in Linux since 2.2 or something like that, so it's not like it's some recent increase in complexity.
I miss a command that shows the entirety of the network stack state. All routes, rules, fw config from all namespaces, shaper policies, ipsets, bridge config (including vlan filters), etc etc. Not sure I concur with the "too layered" statement; however, it is complicated, and the tools to manage and explore it are not well integrated.
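There is no single such command, but the pieces the comment lists can be stitched together. Below is an added example (not from the thread) of a rough "show everything" script: it dumps links, addresses, rules, all routing tables, the nft ruleset, tc qdiscs and filters, ipsets and bridge state, first in the root namespace and then in every named namespace. It needs root and iproute2/nftables/ipset on a Linux host; `netns_names`, `in_ns` and `section` are the only parts exercised offline, and the namespace listing fed to `netns_names` is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: approximate a "show running-config"
# for the Linux network stack across all named network namespaces.

# Namespace names from `ip netns list` text on stdin ("blue (id: 0)" -> "blue").
netns_names() {
    awk 'NF { print $1 }'
}

# Run a command in namespace $1; an empty name means the current namespace.
in_ns() {
    ns=$1; shift
    if [ -n "$ns" ]; then ip netns exec "$ns" "$@"; else "$@"; fi
}

# section NS CMD...: a header line followed by the command's output.
# A missing tool (no nft, no ipset) is reported, not fatal.
section() {
    _ns=$1; shift
    echo "## $*"
    in_ns "$_ns" "$@" 2>&1 || echo "(failed or tool not installed)"
}

dump_ns() {
    ns=$1
    echo "######## namespace: ${ns:-<root>}"
    section "$ns" ip -d link show
    section "$ns" ip addr show
    section "$ns" ip rule show
    section "$ns" ip route show table all
    section "$ns" ip -6 rule show
    section "$ns" ip -6 route show table all
    section "$ns" nft list ruleset
    section "$ns" tc qdisc show
    # tc filters are per device and per direction, so ask for each one.
    for dev in $(in_ns "$ns" ip -o link show | awk -F': ' '{ print $2 }' | sed 's/@.*//'); do
        section "$ns" tc filter show dev "$dev"
        section "$ns" tc filter show dev "$dev" ingress
    done
    section "$ns" ipset list
    section "$ns" bridge vlan show
    section "$ns" bridge fdb show
}

dump_all() {
    dump_ns ""
    for ns in $(ip netns list | netns_names); do
        dump_ns "$ns"
    done
}

if [ "${1:-}" = "--run" ]; then
    dump_all
fi
```

Run with `sh netstate.sh --run > before.txt`, repeat after a change and diff the two files; that diff is the closest thing to a config view the stack offers today. Unnamed namespaces (containers started without `ip netns`) are not listed by `ip netns list` and would need `nsenter` via the process's pid instead.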
This is definitely a problem. I'd love something like the Cisco IOS "show config" for Linux networking. (I'm probably biased towards Cisco because that was the first real router I used back in the 90s.)
Good piece. Possibly should have gone into Linux VRF while they were at it; much neater abstraction for ip rules and tables in many cases.
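To make the VRF point concrete, here is an added example (not from the thread or the piece) doing the same job twice: give eth1 its own routing table, first with a numbered table plus `ip rule` entries, then with a VRF device. The interface name, table number and addresses are hypothetical; the commands need root on a Linux kernel with VRF support (4.3+). `IP` can be overridden (e.g. `IP="echo ip"`) to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: classic policy routing versus a VRF.
IP=${IP:-ip}

# Classic policy routing: the table and the rules are separate pieces of
# state, and plain `ip route show` never mentions either of them.
pbr_setup() {
    $IP route add default via 198.51.100.1 dev eth1 table 10
    $IP rule add iif eth1 lookup 10 priority 100
    $IP rule add from 198.51.100.0/24 lookup 10 priority 101
}

# VRF: one device owns table 10; interfaces enslaved to it use that table,
# and the kernel installs a single l3mdev rule for all VRFs instead of
# per-interface or per-prefix rules.
vrf_setup() {
    $IP link add blue type vrf table 10
    $IP link set blue up
    $IP link set eth1 master blue
    $IP route add default via 198.51.100.1 dev eth1 table 10
}

# The VRF layout is self-describing from the link and route views.
vrf_inspect() {
    $IP link show type vrf          # every VRF device and its table
    $IP route show vrf blue         # the table, addressed by VRF name
    $IP vrf exec blue ping -c 1 198.51.100.1   # run a process inside the VRF
}
```

The difference that matters for debugging is where the state lives: after `pbr_setup`, a stray rule at priority 100 is the only clue that eth1's traffic leaves the main table, whereas after `vrf_setup` the same fact is visible as `eth1`'s master in `ip link show` and in `ip route show vrf blue`.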
If you don't know it yet, check out pwru [0]; it's an eBPF-based tool that lets you trace packets through the kernel using a tcpdump-style syntax.
[0]: https://github.com/cilium/pwru