主页 / server / 问题 / 1088813
Accepted
Kira
Asked: 2022-01-03 17:11:26 +0800 CST

强制新进程使用特定的网络接口(使用 netns/network 命名空间)

  • 772

我在 Ubuntu 20.04 机器上有许多可用的接口。除其他外 enx0c5b8f279a64usb0后者被用作默认值。我想确保在终端中启动的特定进程将仅使用其中一个接口(enx0c5b8f279a64即使另一个接口是默认接口)。如果该进程启动并且所选 enx0c5b8f279a64 接口关闭,则它甚至不应该尝试使用任何其他接口作为后备(就好像从该进程的角度来看其他接口甚至不存在一样)

我认为这ip netns是要走的路,但我无法实施任何可行的解决方案。我已经尝试过https://superuser.com/a/750412但是Destination Host Unreachable如果我尝试 ping我会得到8.8.8.8:(

输出的相关部分ip a s

 9: enx0c5b8f279a64: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 12:12:12:12:12:12 brd ff:ff:ff:ff:ff:ff
     inet 192.168.7.100/24 brd 192.168.7.255 scope global dynamic noprefixroute enx0c5b8f279a64
        valid_lft 84611sec preferred_lft 84611sec
     inet6 2323::2323:2323:2323:2323/64 scope link noprefixroute 
        valid_lft forever preferred_lft forever
 10: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
     link/ether 34:34:34:34:34:34 brd ff:ff:ff:ff:ff:ff
     inet 192.168.42.**47**/24 brd 192.168.42.255 scope global dynamic noprefixroute usb0
        valid_lft 1858sec preferred_lft 1858sec
     inet6 4545:454:545:4545:454:5454:5454:5454/64 scope global temporary deprecated dynamic 
        valid_lft 2461sec preferred_lft 0sec
     inet6 5656:565:656:5656:5656:5656:5656:5656/64 scope global deprecated dynamic mngtmpaddr noprefixroute 
        valid_lft 2461sec preferred_lft 0sec
     inet6 6767::6767:6767:6767:6767/64 scope link noprefixroute 
        valid_lft forever preferred_lft forever

和路由表:

 route -n
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 0.0.0.0         192.168.7.1     0.0.0.0         UG    100    0        0 enx0c5b8f279a64
 0.0.0.0         192.168.42.129  0.0.0.0         UG    101    0        0 usb0
 192.168.7.0     0.0.0.0         255.255.255.0   U     100    0        0 enx0c5b8f279a64
 192.168.42.0    0.0.0.0         255.255.255.0   U     101    0        0 usb0

到目前为止,我尝试过的所有解决方案都以类似的方式开始:

# create namespace
sudo ip netns add nspace0
# create link
sudo ip link add veth0 type veth peer name veth1
# move link
sudo ip link set veth1 netns nspace0

# DO SOME MAGIC 
# (none of the solutions that I have tried to adapt here worked for me so far).
...

# run process in namespace (here I use curl as an example) 
sudo ip netns exec nspace0 curl ifconfig.me/ip

但问题是MAGIC部分。我已经看到了许多使用网桥和其他 IP 转发解决方案的方法。不幸的是,到目前为止,这些都没有对我有用,而且我并不精通网络,无法诊断和修复。

ip iproute2 namespaces network-namespace net

1 个回答

  1. Best Answer

    它似乎适用于以下脚本。我最初的问题中没有的一个额外功能是如何将接口保留在主命名空间和新命名空间中(但我稍后会处理)。以下是基于以下提供的信息的描述性解决方案:herehereherehereherehere

    # Save default settings to files for a handy reference
ip addr > log_000.ip_addr.txt
ip link > log_000.ip_link.txt
ip route > log_000.ip_route.txt
route -n > log_000.route_n.txt

# Interfaces
INTERFACE_0="usb0"
INTERFACE_1="enx0c5b8f279a64"

# Collect information on current configuration
PUBL_IP=$(curl --silent ifconfig.me/ip)
INTERFACE_0_PUBL_IP=$(curl --silent --interface ${INTERFACE_0} ifconfig.me/ip)
INTERFACE_1_PUBL_IP=$(curl --silent --interface ${INTERFACE_1} ifconfig.me/ip)

INTERFACE_0_PRIV_IP=$(ip a show ${INTERFACE_0} | awk '/inet / {print $2}')
INTERFACE_1_PRIV_IP=$(ip a show ${INTERFACE_1} | awk '/inet / {print $2}')

INTERFACE_0_GATE=$(ip route show dev ${INTERFACE_0} | awk '/default via/ {print $3}')
INTERFACE_1_GATE=$(ip route show dev ${INTERFACE_1} | awk '/default via/ {print $3}')

echo "" > log_001.IPs.txt
echo "PUBL_IP: ${PUBL_IP}"                          >> log_001.IPs.txt
echo "============================================" >> log_001.IPs.txt
echo "INTERFACE_0_PUBL_IP: ${INTERFACE_0_PUBL_IP}"  >> log_001.IPs.txt
echo "INTERFACE_0_PRIV_IP: ${INTERFACE_0_PRIV_IP}"  >> log_001.IPs.txt
echo "INTERFACE_0_GATE: ${INTERFACE_0_GATE}"        >> log_001.IPs.txt
echo "============================================" >> log_001.IPs.txt
echo "INTERFACE_1_PUBL_IP: ${INTERFACE_1_PUBL_IP}"  >> log_001.IPs.txt
echo "INTERFACE_1_PRIV_IP: ${INTERFACE_1_PRIV_IP}"  >> log_001.IPs.txt
echo "INTERFACE_1_GATE: ${INTERFACE_1_GATE}"        >> log_001.IPs.txt
cat log_001.IPs.txt

NAMESPACE_1="ns1"

# SETUP: Create new namespace.
sudo ip netns add ${NAMESPACE_1}

# CHECKUP: Verify that the namesapce was created.
sudo ip netns list

# CHECKUP: List interfaces in the main and new namespace
ip addr show
sudo ip netns exec ${NAMESPACE_1} ip addr show

# SETUP: Link (move) interface to namespace.
# NB this interface will not be availabie in the main (default) namespace anymoe.
sudo ip link set ${INTERFACE_1} netns ${NAMESPACE_1}

# CHECKUP: verify that the interface was moved from main to new namespace.
ip addr show
sudo ip netns exec ${NAMESPACE_1} ip addr show

# SETUP: Set interface IP address in new namespace and bring it up.
# TODO: Check it the address must be the as it was in the main namespace.
sudo ip netns exec ${NAMESPACE_1} ifconfig ${INTERFACE_1} ${INTERFACE_1_PRIV_IP} up

# SETUP: Bring up the loopback interface (as it may be needed by processes run in new namespace).
sudo ip netns exec ${NAMESPACE_1} ifconfig lo 127.0.0.1/8 up

# CHECKUP: List interfaces (loopback and INTERFACE_1) in the new namespace
sudo ip netns exec ${NAMESPACE_1} ip addr show

# CHECKUP: Verify route table.
sudo ip netns exec ${NAMESPACE_1} route -n

# SETUP: Add default gateway to route in new namespace.
sudo ip netns exec ${NAMESPACE_1} route add default gw 192.168.7.1

# CHECKUP: Verify route table again.
sudo ip netns exec ${NAMESPACE_1} route -n

# DONE: Use new namesapce.
sudo ip netns exec ${NAMESPACE_1} ping 8.8.8.8
sudo ip netns exec ${NAMESPACE_1} traceroute 8.8.8.8

# SETUP: Fix DNS
sudo mkdir -pv /etc/netns/${NAMESPACE_1}
sudo echo "nameserver 8.8.8.8" > /etc/netns/${NAMESPACE_1}/resolv.conf


sudo ip netns exec ${NAMESPACE_1} curl ifconfig.me/ip
sudo ip netns exec ${NAMESPACE_1} curl --silent ifconfig.me/ip

# EXTRA: Undo changes (revert to the original state of IP settings)
sudo ip netns del ${NAMESPACE_1}
    • 1

相关问题