I'm experimenting with Linux bridges to learn how they work. I want to create an isolated bridge on the host, without namespaces, and be able to debug connectivity between the interfaces.
I'd like to be able to ping dummy0 from dummy1 and the other way round, e.g. ping -I dummy0 172.16.8.3
My setup:
ip link add br0 type bridge
ip addr add 172.16.8.1/24 dev br0
ip link set dev br0 up
ip route add 172.16.8.0/24 dev br0 src 172.16.8.1 table 121
ip rule add oif br0 table 121
ip link add dummy0 type dummy
ip addr add 172.16.8.2/24 dev dummy0
ip link set dev dummy0 up
ip link set dev dummy0 master br0
ip route add 172.16.8.0/24 dev dummy0 src 172.16.8.2 table 122
ip route add default via 172.16.8.1 dev dummy0 table 122
ip rule add oif dummy0 table 122
ip link add dummy1 type dummy
ip addr add 172.16.8.3/24 dev dummy1
ip link set dev dummy1 up
ip link set dev dummy1 master br0
ip route add 172.16.8.0/24 dev dummy1 src 172.16.8.3 table 123
ip route add default via 172.16.8.1 dev dummy1 table 123
ip rule add oif dummy1 table 123
So I end up with the following:
root@x11spl-f-server-1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.7a847996e153       no              dummy0
                                                        dummy1
root@x11spl-f-server-1:~# ip a s
...
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 7a:84:79:96:e1:53 brd ff:ff:ff:ff:ff:ff
    inet 172.16.8.1/24 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::7884:79ff:fe96:e153/64 scope link
       valid_lft forever preferred_lft forever
7: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether ca:9e:26:70:f4:1c brd ff:ff:ff:ff:ff:ff
    inet 172.16.8.2/24 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fe80::c89e:26ff:fe70:f41c/64 scope link
       valid_lft forever preferred_lft forever
8: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether 5a:9a:e1:70:ed:30 brd ff:ff:ff:ff:ff:ff
    inet 172.16.8.3/24 scope global dummy1
       valid_lft forever preferred_lft forever
    inet6 fe80::589a:e1ff:fe70:ed30/64 scope link
       valid_lft forever preferred_lft forever
root@x11spl-f-server-1:~# ip rule s
0: from all lookup local
32763: from all oif dummy1 lookup 123
32764: from all oif br0 lookup 121
32765: from all oif dummy0 lookup 122
32766: from all lookup main
32767: from all lookup default
root@x11spl-f-server-1:~# ip route s table 121
172.16.8.0/24 dev br0 scope link src 172.16.8.1
root@x11spl-f-server-1:~# ip route s table 122
default via 172.16.8.1 dev dummy0
172.16.8.0/24 dev dummy0 scope link src 172.16.8.2
root@x11spl-f-server-1:~# ip route s table 123
default via 172.16.8.1 dev dummy1
172.16.8.0/24 dev dummy1 scope link src 172.16.8.3
root@x11spl-f-server-1:~# brctl showmacs br0
port no mac addr                is local?       ageing timer
  2     5a:9a:e1:70:ed:30       yes                0.00
  2     5a:9a:e1:70:ed:30       yes                0.00
  1     ca:9e:26:70:f4:1c       yes                0.00
  1     ca:9e:26:70:f4:1c       yes                0.00
root@x11spl-f-server-1:~# ip route get 172.16.8.3 oif dummy0
172.16.8.3 dev dummy0 table 122 src 172.16.8.2 uid 0
    cache
root@x11spl-f-server-1:~# ip route get 172.16.8.2 oif dummy1
172.16.8.2 dev dummy1 table 123 src 172.16.8.3 uid 0
    cache
But unfortunately I cannot ping the interfaces:
root@x11spl-f-server-1:~# ping -I dummy0 172.16.8.3
PING 172.16.8.3 (172.16.8.3) from 172.16.8.2 dummy0: 56(84) bytes of data.
^C
--- 172.16.8.3 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1026ms
root@x11spl-f-server-1:~# ping -I dummy0 172.16.8.1
PING 172.16.8.1 (172.16.8.1) from 172.16.8.2 dummy0: 56(84) bytes of data.
^C
--- 172.16.8.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1028ms
root@x11spl-f-server-1:~# ping -I dummy1 172.16.8.1
PING 172.16.8.1 (172.16.8.1) from 172.16.8.3 dummy1: 56(84) bytes of data.
^C
--- 172.16.8.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2043ms
root@x11spl-f-server-1:~# ping -I dummy1 172.16.8.2
PING 172.16.8.2 (172.16.8.2) from 172.16.8.3 dummy1: 56(84) bytes of data.
^C
--- 172.16.8.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1021ms
Interestingly, if I specify the IP address instead of the interface, it works:
root@x11spl-f-server-1:~# ping -I 172.16.8.2 172.16.8.3
PING 172.16.8.3 (172.16.8.3) from 172.16.8.2 : 56(84) bytes of data.
64 bytes from 172.16.8.3: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 172.16.8.3: icmp_seq=2 ttl=64 time=0.046 ms
^C
--- 172.16.8.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1029ms
rtt min/avg/max/mdev = 0.032/0.039/0.046/0.007 ms
But there are no packets on the br0 interface (strange):
root@x11spl-f-server-1:~# tcpdump -vvv -i br0
tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
Could you help me understand what I am doing wrong?
First, a "dummy" interface basically does nothing with the packets sent to it (but reports them as sent successfully), and it never receives any packets. So you cannot ping anything on that interface and get a reply. (To some extent a dummy interface looks like a network segment with nothing else on it, except that it is much faster.)

But the next twist is that, since on most networks an interface cannot see what it is itself sending, the operating system special-cases anything sent to one of your own addresses. The -I interface form overrides routing, so the packet really is "sent". With the other forms the packet is simply handled locally, and you get a ping reply. The next twist is the bridge. Once a bridge is in place, the slave devices are not routed to and have no usable address. Anything received from them is handed to the bridge driver. The bridge driver hands packets to them when appropriate (meaning broadcast packets, including ARP and neighbour discovery, and packets addressed to an address from which packets have been received).

So if you want to see packets involving one of the dummy interfaces, try something like ping 172.16.8.55. That should cause an ARP request to be sent on the bridge, which is then passed to both dummy interfaces. This should be observable with tcpdump. The ping -I interface commands are also visible to tcpdump. If you want to see real traffic, you need something on the other side of the devices you control. You can use veth pairs and namespaces. You can use tun/tap devices, possibly with a network emulator. You can use some real network devices, if you have any.
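The veth-plus-namespaces variant the answer recommends, as an added example that is not part of the original question or answer: each bridge port is the host end of a veth pair, and the other end lives in its own network namespace with its own address, so a ping between the namespaces (or to the host's own br0 address) genuinely crosses br0 and is visible to tcpdump on it, unlike the dummy setup above. The names br0, lab-a, lab-b, veth-*/p-* and the 172.16.8.0/24 subnet are assumptions chosen to mirror the question. It must run as root; DRY_RUN=1 prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example (not code from the original post or answer): a bridge lab whose
# ports are veth pairs with their peers in separate network namespaces, so that
# traffic between the "hosts" really traverses br0 and shows up in tcpdump.
# Assumed names: bridge br0, namespaces lab-a/lab-b, subnet 172.16.8.0/24.
# Requires root. With DRY_RUN=1 the commands are printed, not executed.

BR=${BR:-br0}
SUBNET=172.16.8
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_host NS IDX: create namespace NS, give it the peer end (p-NS) of a veth
# pair with address $SUBNET.IDX/24, and enslave the host end (veth-NS) to $BR.
add_host() {
    ns=$1; idx=$2
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name "p-$ns"
    run ip link set dev "p-$ns" netns "$ns"
    run ip link set dev "veth-$ns" master "$BR"
    run ip link set dev "veth-$ns" up
    run ip -n "$ns" addr add "$SUBNET.$idx/24" dev "p-$ns"
    run ip -n "$ns" link set dev "p-$ns" up
    run ip -n "$ns" link set dev lo up
}

# lab_up: bridge with the host's own address .1, plus two namespaced hosts .2 and .3
lab_up() {
    run ip link add "$BR" type bridge
    run ip addr add "$SUBNET.1/24" dev "$BR"
    run ip link set dev "$BR" up
    add_host lab-a 2
    add_host lab-b 3
}

# lab_down: deleting a namespace destroys its veth end and so the host end too
lab_down() {
    run ip netns del lab-a
    run ip netns del lab-b
    run ip link del "$BR"
}

# lab_test: capture ICMP on br0 from the host while lab-a pings lab-b and the
# host. 2 echoes + 2 replies per ping run cross br0, hence -c 8.
lab_test() {
    run tcpdump -ni "$BR" -c 8 icmp &
    sleep 1
    run ip netns exec lab-a ping -c 2 "$SUBNET.3"
    run ip netns exec lab-a ping -c 2 "$SUBNET.1"
    wait
}

case "${1:-}" in
    up)   lab_up ;;
    test) lab_test ;;
    down) lab_down ;;
esac
```

Usage: sh bridge-lab.sh up, then sh bridge-lab.sh test, and sh bridge-lab.sh down to clean up. The host keeps 172.16.8.1 on br0, so from inside a namespace you can also test the "packet to my own address" case the answer describes by pinging .1 from lab-a: that reply is generated by the host's IP stack, but because the echo request arrives from a bridge port it is still seen on br0.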