MAP to JSON string, String to JSONObject, JSONObject to JSON array

2023-01-23   ES  

In the current cloud era, there are virtual machines and containers everywhere. The network management behind them is inseparable from virtual network devices, so understanding virtual network equipment helps us better understand the network structure of the cloud era. Starting from this article, the virtual network device under Linux will be introduced.

The difference between virtual equipment and physical equipment

linux network data packet receiving processDating process

The two articles ofintroduced the receiving process of the data packet, and knew that there was a network device management in the Linux kernel, which was between network device drivers and protocol stacks, and was responsible for connecting data interaction between them. Drivers do not need to understand the details of the protocol stack, and the protocol stack does not need to understand the details of the device driver.

For a network device, just like a pipe (PIPE), there are two ends, and the data received from any end will be sent out of the other end.

For example, a physical network card ETH0, its ends are the kernel protocol stack (indirect communication through the kernel network device management module) and the physical network outside. The data sent by the application from the protocol stack will be sent through the physical network.

So what about a virtual network device? First of all, it also belongs to the core network equipment management subsystem management. For the Linux kernel network equipment management module, there is no difference between virtual equipment and physical equipment. They are all network devices. They can configure IP. The data that comes to the agreement stack, the protocol stack, will also be sent to the network device. As for how to send it out, where to send it, it is a device -driven thing, which has nothing to do with the Linux kernel. One end is also the protocol stack, and what the other end depends on the driving implementation of virtual network devices.

What is the other end of


Look at the picture first and then talk:

|                                                                |
|  +--------------------+      +--------------------+            |
|  | User Application A |      | User Application B |<-----+     |
|  +--------------------+      +--------------------+      |     |
|               | 1                    | 5                 |     |
|               ↓                      ↓                   |     |
|         +----------+           +----------+              |     |
|         | socket A |           | socket B |              |     |
|         +----------+           +----------+              |     |
|                 | 2               | 6                    |     |
|                 ↓                 ↓                      |     |
|             +------------------------+                 4 |     |
|             | Newwork Protocol Stack |                   |     |
|             +------------------------+                   |     |
|                | 7                 | 3                   |     |
|                ↓                   ↓                     |     |
|        +----------------+    +----------------+          |     |
|        |      eth0      |    |      tun0      |          |     |
|        +----------------+    +----------------+          |     |
|  |                   |      |     |
|                | 8                 +---------------------+     |
|                |                                               |
         Physical Network

There are two applications A and B in the figure above, both on the user layer, and other sockets, protocol stacks (Newwork Protocol Stack) and network devices (ETH0 and TUN0) are on the kernel layer. In fact, the socket is the protocol stack Part of the purpose here is to see more intuitive.

TUN0 is a Tun/TAP virtual device. From the figure above, it can be seen that the difference between it and the physical device ETH0. Although one of them is even the protocol stack, the other end is different. The other end of ETH0 is a physical network. This physical network may be a switch, and the other end of TUN0 is a user -layer program. The data packet sent to TUN0 by the protocol stack can be read by this application, and the application can write data directly to TUN0.

Here, assuming the IP configured by ETH0 is, and the IP configured by TUN0 is

Here are the application scenarios of a typical TUN/TAP device. The data sent to the network passed the tunnel of the program B, which was sent to on the remote network, and then 10.33 from 10.33. .0.1 Repost to the corresponding device to achieve VPN.

Let’s take a look at the process of the data packet:

  1. Application A is an ordinary program that sends a data packet through socket A. Suppose the destination IP address of this data packet is

  2. Socket throw this data packet to the protocol stack

  3. protocol stack matches the local routing rules according to the IP address of the data packet, knowing that this data packet should be out by TUN0, so hand over the data packet to TUN0

    After receiving the data packet,

  4. TUN0 found that the other end was opened by the process B, so I threw the packet to the process B

  5. Process B After receiving the data packet, do some business -related processing, and then construct a new data packet, embed the original data packet in the new data packet, and finally forward the data packet through Socket B. This is this. This is this. At that time, the source address of the new data packet becomes the address of ETH0, and the destination IP address becomes an other address, such as

  6. Socket B throw the data packet to the protocol stack

  7. protocol stack According to the local routing, it is found that this data packet should be sent through ETH0, so the packet is handed over to ETH0

  8. ETH0 sends out the data packet through a physical network After receiving the data packet, you will open the data packet, read the original data packet inside, and forward it to the local, and then wait for the response from before constructing a new response package , And encapsulate the original response package, then return to the application B from the original path. Application B is taken out of the original response package, and finally returned to the application A

Here is not discussing how the TUN/TAP device TUN0 communicates with the process B of the user layer. For the Linux kernel, there are many ways to allow the kernel space and the process of user space to exchange data.

From the above process, it can be seen that which network device to choose from the data packet is completely controlled by the route table, so if we want to let some network traffic take the forwarding process of application B, we need to configure the route table for this part of the data to allow this part of the data to make this part of the data. Take TUN0.

What is the use of

TUN/TAP device?

From the process introduced above, it can be seen that the use of the TUN/TAP device is to forward some data packets in the protocol stack to the application of the user space, and give the user space program a chance to process the data packet. So the more commonly used data compression, encryption and other functions can be made in application B. The most commonly used scene of TUN/TAP device is VPN, including TUNNEL and IPSEC of the application layer. The more famous project isVTun, if you are interested, you can find out.

The difference between

tun and tap

User layer program can only read and write IP data packets through the TUN device, and can read and write link layer data packets through the TAP device, similar to the difference between ordinary sockets and raw sockets. The formats of the processing data packet are different.


sample program

Here I wrote a program. After receiving the data packet of the TUN device, it only prints how many bytes of the data packets received, and do nothing else. For programming, please refer to the subsequent reference link.

#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <linux/if_tun.h>

int tun_alloc(int flags)

    struct ifreq ifr;
    int fd, err;
    char *clonedev = "/dev/net/tun";

    if ((fd = open(clonedev, O_RDWR)) < 0) {
        return fd;

    memset(&ifr, 0, sizeof(ifr));
    ifr.ifr_flags = flags;

    if ((err = ioctl(fd, TUNSETIFF, (void *) &ifr)) < 0) {
        return err;

    printf("Open tun/tap device: %s for reading...\n", ifr.ifr_name);

    return fd;

int main()

    int tun_fd, nread;
    char buffer[1500];

    /* Flags: IFF_TUN   - TUN device (no Ethernet headers)
     *        IFF_TAP   - TAP device
     *        IFF_NO_PI - Do not provide packet information
    tun_fd = tun_alloc(IFF_TUN | IFF_NO_PI);

    if (tun_fd < 0) {
        perror("Allocating interface");

    while (1) {
        nread = read(tun_fd, buffer, sizeof(buffer));
        if (nread < 0) {
            perror("Reading from interface");

        printf("Read %d bytes from tun/tap device\n", nread);
    return 0;


# -------------------------- The first shell window ---------------------------------------------------------------------------------------------------------------- ------- 
 #Save the above program as tun.c, and then compile[email protected]: ~ GCC TUN.C -O TUN 

 #Start the TUN program, the program will create a new TUN device, 
 #The program will block here, waiting for the packet to come over[email protected]: ~ Sudo ./tun 
 Open Tun/Tap Device Tun1 for Reading ... 
 Read 84 bytes from Tun/Tap Device 
 Read 84 bytes from Tun/Tap Device 
 Read 84 bytes from Tun/Tap Device 
 Read 84 bytes from Tun/Tap Device 

 #-------------------------- The second shell window -------------------------------------------------------------------- ----- 
 #, Grab the bag of TUN1 
 TCPDUMP: Verbose Output SUPPRSSED, Use -V or -VV for Full Protocol Decode 
 Listening on Tun1, Link-Type Raw (raw ip), Capture Size 262144 bytes 
 19: 57: 13.473101 IP> ICMP Echo Request, ID 24028, SEQ 1, Length 64 
 19: 57: 14.480362 IP> ICMP Echo Request, ID 24028, SEQ 2, Length 64 
 19: 57: 15.488246 IP> ICMP Echo Request, ID 24028, SEQ 3, Length 64 
 19: 57: 16.496241 IP> ICMP Echo Request, ID 24028, SEQ 4, Length 64 

 #------------------------- The third shell window ---------------------------------------------------------------------------------------------------------------- ----- 
 #./After starting, you will find that the system has an additional TUN device through the IP Link command. 
 #In my test environment, the extra equipment name is Tun1, which may be called Tun0 in your environment 
 #The new device does not have an IP, let's equip TUN1 with an IP address first[email protected]: ~ $ Sudo IP ADDR ADD DEV TUN1 

 #By default, TUN1 is not up, and TUN1 is started with the following command[email protected]: ~ $ Sudo IP Link Set Tun1 UP 

 #Try ping the IP of the network segment, 
 #According to the default route, the packet will take the TUN1 device, 
 #Since the data packet was received in our program, nothing was done, which was equivalent to discarding the packet. 
 #So the ping here will not receive the return package at all, 
 #But in the previous two windows, you can see the four ICMP Echo request packages sent here, 
 #Note that the data packet is sent to the application correctly, but the application does not handle the package[email protected]:~$ ping -c 4
PING ( 56(84) bytes of data.

--- ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms


Usually we use the TUN/TAP device without many opportunities, but because its structure is relatively simple, take it to understand that the virtual network device is good, and to understand the more complex virtual network equipment (such as the network bridge) under the subsequent understanding of Linux Pay.



Related Posts

2021 Niuke Summer Multi-School Training Camp 4-H Question NEP

python3 network crawler (1) -The novel crawling (take the website novel as an example) isana) Isana

python zero -based entry 23 use regular expression grabbing agent IP

Oracle Data Block Block illustrates the ancestor of the guest family

MAP to JSON string, String to JSONObject, JSONObject to JSON array

Random Posts

Macos Big Sur (Software Article): Redis installation

201909-3 Character drawing CCF CCSP

HDU 6053 Reversing DP or Mobius Reverse

Use HTML+CSS to achieve the effect of the spotlight

Computer network (7th edition) -Chapter 5 Transportation Layer -Important Concept